Karthik Balakrishnan Karthik Balakrishnan - 4 months ago 17
Java Question

Creating an OpenID Connect server

I have built an authentication system and would like to make it a federated authentication and authorization system (SSO), like Google+ or Facebook. Upon researching, I discovered that OpenID Connect on top of OAuth 2.0 is the best bet.

I think it would be better to use an existing well tested library than to implement the entire stack on my own, so I plan to use MITREID Connect. Any comments?

However, there are still a few things I'm unsure of:


  1. Am I on the right track? Can the codebase for the openid-connect-server be used for what I want to build?

  2. If so and I finish extending my system using OpenID Connect, how do I get web application developers to display my login system on their OpenID Connect/OAuth2 forms? To be clearer, what data do I need to provide or what APIs do I need to expose for clients to begin using my system for authentication and authorization?



If I'm missing out any key points, please let me know. If I've posted on the wrong forum, feel free to move the post to the appropriate forum.

Answer Source

I have built an authentication system and would like to make it a federated authentication and authorization system (SSO), like Google+ or Facebook. Upon researching, I discovered that OpenID Connect on top of OAuth 2.0 is the best bet.

IMHO, you are definitely right!

I think it would be better to use an existing well tested library than to implement the entire stack on my own, so I plan to use MITREID Connect. Any comments?

Using a well tested library is what I did. I used IdentityServer 3. I don't know MITREID.

If so and I finish extending my system using OpenID Connect, how do I get web application developers to display my login system on their OpenID Connect/OAuth2 forms? To be clearer, what data do I need to provide or what APIs do I need to expose for clients to begin using my system for authentication and authorization?

You, but if you implement a well tested library someone did that for you, must implement the endpoints defined by the OpenID Connect specification. Those are:

  • Authorization / Authentication Endpoint: the one through which a client starts an auth&auth flow - as per this

  • Token Endpoint: the one through which a client requests / refreshes a token - as per this

  • UserInfo Endpoint: the one through which a client gains scopes on a token whose token is owned by the client - as per this

  • Discovery Endpoint: if you want, just to let clients find all of your exposed endpoints automatically - as per this

For more details, check IdentityServer documentation. It's good for OpenID fundamentals as well (Endpoints part).