OpenID Connect IdP

The purpose of OpenID Connect (OIDC) is to let users sign in to multiple sites with one set of credentials. Each time a user signs on to an application or service using OIDC, they are redirected to their identity provider (IdP), where they authenticate, and are then redirected back to the connected application they want to use (also called the relying party, "RP", or service provider, "SP").

The IAM appliance’s CAS supports the following OIDC flows:

  • Authorization code flow

    • This is the usual way to integrate applications, and the flow people generally mean when they say "we are doing OAuth / OIDC".

    • Pairwise ("confidential") clients.

  • Resource owner password flow

    • This flow is supported to work around some corner cases, and its general use is discouraged. It is also no longer deemed secure by the OIDC standard, as it requires the service provider (SP) to obtain the user’s credentials.

  • Client credentials flow

    • This flow is provided for non-interactive authentication, where the application has its own login and password which it uses to obtain access tokens for itself. It is usable for various B2B integrations and similar cases.

You can use OIDC with the basic openid scope or with a custom scope, where the user’s profile is enriched with additional data. When you decide to use a custom scope, you have to define it explicitly in the CAS configuration. You can also configure scope-less OIDC, where you use only the openid scope and CAS enriches the userinfo data based on its attribute resolution policy. See the scopes howto for details.
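The following is an added example, not code from this documentation or from CAS, showing the relying-party side of the authorization code flow described above together with the scope handling: it builds the redirect to the IdP (with state, nonce and a PKCE challenge), checks the callback before the code is exchanged, and validates the claims of the returned ID token. The endpoint paths, the client id "demo-rp" and the redirect URI are assumed placeholders; signature verification of the ID token against the IdP's JWKS is required in a real RP and is outside this snippet.

```python
"""Relying party (RP) side of the OIDC authorization code flow.

Added example with assumed values: the CAS OIDC issuer, its authorize
and token endpoint paths, the client id and the redirect URI below are
placeholders, not values documented on this page.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://idp.example.com/cas/oidc"          # assumed placeholder
AUTHZ_ENDPOINT = ISSUER + "/authorize"               # assumed placeholder
TOKEN_ENDPOINT = ISSUER + "/token"                   # assumed placeholder
CLIENT_ID = "demo-rp"                                # assumed placeholder
REDIRECT_URI = "https://rp.example.com/callback"     # assumed placeholder


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for state/nonce/PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """First value of each query parameter of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_login(scope: str = "openid") -> tuple:
    """Build the authorization request the browser is redirected to.

    Returns (url, session) where session must be stored server-side (e.g. in
    the user's HTTP session) and is needed to check the callback later.
    A custom scope such as "openid profile" only works if CAS defines it.
    """
    if "openid" not in scope.split():
        raise ValueError("OIDC requests must include the openid scope")
    state = b64url(secrets.token_bytes(16))      # binds callback to this browser session
    nonce = b64url(secrets.token_bytes(16))      # binds the ID token to this request
    verifier = b64url(secrets.token_bytes(32))   # PKCE code_verifier (kept secret by RP)
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "verifier": verifier}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), session


def handle_callback(callback_url: str, session: dict) -> dict:
    """Check the redirect back from the IdP and prepare the token request.

    The returned dict is the form body the RP POSTs to the token endpoint
    over its back channel (with client authentication for confidential
    clients); the browser never sees the code exchange.
    """
    q = query_params(callback_url)
    if "error" in q:
        raise ValueError("IdP returned error: %s" % q["error"])
    state = q.get("state")
    if state is None or not secrets.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = q.get("code")
    if not code:
        raise ValueError("authorization code missing from callback")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["verifier"],
    }


def validate_id_token_claims(claims: dict, session: dict, now: float = None) -> str:
    """Validate ID token claims after its signature has been verified.

    Checks issuer, audience, nonce and expiry; returns the subject identifier.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("ID token not issued for this client")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token does not belong to this login")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return claims["sub"]
```

The state check is what stops a callback forged for another session from being accepted, the nonce check ties the ID token to the request that was actually made, and the PKCE verifier means an intercepted code alone cannot be exchanged; all three are cheap to implement and worth keeping even for confidential clients.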