OpenAM Administration Guide
Chapter 14. Managing OpenID Connect 1.0 Authorization

OpenID Connect Basic Client Profile 1.0 is designed for web-based relying parties that use the OAuth 2.0 Authorization Code grant type. This grant type makes it possible for the client to get the access code by using the authorization code directly, without passing through the end user's browser. To protect its client secret (password), part of the client must run on the server.

In the example, the Basic Client Profile Start Page describes the prerequisite configuration, which must be part of the client profile stored in the OpenAM realm where you set up the OpenID Provider. In OpenAM console, check that the OAuth 2.0 agent profile matches the settings described.

Logout of OpenAM, and click the link at the bottom of the page to request authorization. The link sends an HTTP GET request asking for openid profile scopes to the OpenID Connect provider authorization URI.

If everything is configured correctly, OpenAM's OpenID Connect provider has you authenticate as an end user, such as the demo user with username demo and password changeit, and grant (Allow) the client access to your profile.

If you successfully authenticate and allow the example client access to your profile, OpenAM returns an authorization code to the example client. The example client then uses the authorization code to request an access token and an ID token. It shows the response to that request, and also decodes the ID token to show the content and to perform some validation. Finally it uses the access token to request information about the end user who authenticated, and displays the result.

Notice that in addition to the standard payload, the ID token indicates the end user's OpenAM realm, in this case "realm": "/".

OpenID Connect Implicit Client Profile 1.0 is designed for relying parties that use the OAuth 2.0 Implicit grant type. This grant type is designed for clients implemented in a browser. Rather than protect a client secret, the client profile must register a protected redirect URI in advance with the OpenID Provider.

In the example, the Implicit Client Profile Start Page describes the prerequisite configuration, which must be part of the client profile stored in the OpenAM realm where you set up the OpenID Provider. In OpenAM console, check that the OAuth 2.0 agent profile matches the settings described. If you have already configured the agent profile for the Basic Client Profile then you still need to add the redirect URI for the Implicit Client Profile.

Logout of OpenAM, and click the link at the bottom of the page to request authorization. The link sends an HTTP GET request asking for id_token token response types and openid profile scopes to the OpenID Connect provider authorization URI.

If everything is configured correctly, OpenAM's OpenID Connect provider has you authenticate as an end user, such as the demo user with username demo and password changeit, and grant (Allow) the client access to your profile.

If you successfully authenticate and allow the example client access to your profile, OpenAM returns the access token and ID token directly in the fragment (after #) of the redirect URI. The client does not get an authorization code. The client shows the response to the request, and also decodes the ID token to show the content and to perform some validation (though it does not check the ID token signature). Finally the client uses the access token to request information about the end user who authenticated, and displays the result.

As for the Basic Client Profile, the ID Token indicates the end user's OpenAM realm in addition to the standard information.