Federation with OIDC
OpenID Connect (OIDC) is a modern federation standard with roughly the same functionality as SAML.
TODO: Simple top level picture
OIDC is an extension of OAuth2, and the two are often used together. OIDC and OAuth2 have different aims:
- OIDC: Provides proof of identity and of an authentication the user has performed. Along with this proof, a validity range and an audience are provided, as well as user-related attributes. With this, the recipient of such a proof can establish a local application session, in the same way as with SAML. The proof is transported in a so-called ID Token, which is a JWT with defined attributes (claims).
- OAuth2: Provides permission to access an API (API authorization). These permissions are transported in the form of Access Tokens (AT). Access Tokens are usually "Bearer Tokens", which means that whoever presents such a token is entitled to use that API. Access Tokens are either JWTs as well or are "opaque". An opaque Access Token cannot be verified by the recipient directly, but must be sent to the issuer (the authorisation server) for verification. Please be aware that either Access Tokens must be short-lived (a matter of minutes) or revocation functionality must be available.
Please see the following pages for an overview of the possible integration patterns and for further technical details.