 

Self-Issued OpenID Provider vs OpenID Provider

To make it short:

How exactly does a "Self-Issued OpenID Provider" differ from a "normal OpenID Provider" (let's say Google)?

I read the specification, which just says:

"OpenID Connect supports Self-Issued OpenID Providers - personal, self-hosted OPs that issue self-signed ID Tokens. Self-Issued OPs use the special Issuer Identifier https://self-issued.me."

So I understand that a "Self-Issued OpenID Provider" can be hosted by myself, and signs the ID Tokens.

Is the difference that the Tokens from the "normal OpenID Provider" are signed with a certificate which is trusted (e.g. because it's signed by a root CA certificate which is already in the certificate store), and can be validated without the need of sending the public key within the response?

Eventually somebody can clarify this; I would appreciate it much.

Thanks in advance and best regards!

Marcel asked Sep 14 '16 20:09




1 Answer

How exactly does a "Self-Issued OpenID Provider" differ from a "normal OpenID Provider" (let's say Google)?

A normal provider, such as Google, is available at an HTTP endpoint. Requests to normal providers use the http:// protocol.

A self-issued provider is usually installed on the end-user's device. Requests to self-issued providers use the openid:// protocol.

For example, on an Android device, Google Chrome could act as a self-issued provider, because the end-user has signed into his Android device, and Google Chrome probably has access to the end-user's identity.

From the spec:

Self Issued Provider is a personal OP that typically runs on a device owned by the user. (OpenID Connect - Part 5: Self Issued Provider)

Shaun Luttin answered Oct 11 '22 11:10
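To make the difference concrete, here is an added Go example; it is not code from the question, the answer or the OpenID specification. It plays both sides of a self-issued ID Token, the on-device OP that mints one and the relying party that verifies it, and shows where the public key travels when there is no JWKS to fetch for https://self-issued.me: in the sub_jwk claim, with sub bound to that key's RFC 7638 thumbprint (OpenID Connect Core section 7). Assumptions: ES256 only, aud is the RP's redirect URI, exp/iat/nonce checks are omitted, and the function names are mine.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

const SelfIssuedIss = "https://self-issued.me" // no discovery document or JWKS lives behind this issuer
var b64 = base64.RawURLEncoding
func sha(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// Thumbprint is the RFC 7638 JWK thumbprint: required members only, lexicographic order, no whitespace.
func Thumbprint(k map[string]string) string {
	return b64.EncodeToString(sha(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"])))
}
// MintSelfIssued plays the on-device OP: sign with a self-generated key, ship its public half in sub_jwk, set sub to the thumbprint.
func MintSelfIssued(aud string) string {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	coord := func(i *big.Int) string { return b64.EncodeToString(i.FillBytes(make([]byte, 32))) }
	k := map[string]string{"kty": "EC", "crv": "P-256", "x": coord(priv.X), "y": coord(priv.Y)}
	claims, _ := json.Marshal(map[string]any{"iss": SelfIssuedIss, "sub": Thumbprint(k), "sub_jwk": k, "aud": aud})
	signing := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(claims)
	r, s, _ := ecdsa.Sign(rand.Reader, priv, sha(signing))
	return signing + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}
// VerifySelfIssued is the relying-party side: no JWKS to fetch, the key rides inside the token, so sub MUST be its
// thumbprint and the signature must check out under that key. The header's alg is never consulted (ES256 or nothing).
func VerifySelfIssued(token, aud string) (string, error) {
	var c struct{ Iss, Sub, Aud string; SubJWK map[string]string `json:"sub_jwk"` }
	p := append(strings.Split(token, "."), "", "") // padding keeps p[1] and p[2] addressable; a real JWS gives 5 parts
	body, e1 := b64.DecodeString(p[1])
	sig, e2 := b64.DecodeString(p[2])
	if len(p) != 5 || e1 != nil || e2 != nil || len(sig) != 64 || json.Unmarshal(body, &c) != nil {
		return "", fmt.Errorf("not a well-formed compact JWS carrying a 64-byte ES256 signature")
	}
	x, e1 := b64.DecodeString(c.SubJWK["x"])
	y, e2 := b64.DecodeString(c.SubJWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if c.Iss != SelfIssuedIss || c.Aud != aud || c.SubJWK["kty"] != "EC" || c.SubJWK["crv"] != "P-256" ||
		Thumbprint(c.SubJWK) != c.Sub || e1 != nil || e2 != nil || !pub.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, sha(p[0]+"."+p[1]), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("iss, aud, sub/sub_jwk binding or signature check failed")
	}
	return c.Sub, nil
}
```

For a normal OP such as Google the same verifier would instead take the key from the JWKS referenced by the issuer's discovery document and match it by kid; that fetch is the trust anchor the self-issued flow does not have.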