Avendoo® online documentation

Authentication by OpenID Connect

Note

The hybrid form of both processes (that is, a combination of the implicit process and the authentication code process) is not supported by Avendoo® at present.

Implicit process

Prerequisites
The author with administration rights has configured the system setting “openidconnect.configuration”.

Process
We speak of an implicit process if the author with administration rights has defined id_token, token or id_token token as the response type in the system setting “openidconnect.configuration”. The response type token is not usable for OpenID Connect in Avendoo®, because no ID token is generated in that case.

  1. The user opens the SSO link. Example: “https://servername.de/Avendoo/d/link?sso=ipid”. The value “ipid” depends on the configuration in the system setting “openidconnect.configuration”.
    The user is routed to the authentication page.
  2. The user logs in.
    Depending on the configuration, the authentication server sends the following data to the Avendoo® client server:
    id_token: the server returns only an ID token (a JWT).
    token: the server returns only an access token.
    id_token token: the server returns both an access token and an ID token.
    There are two different cases:
    a) If the Avendoo® server receives an access token and a UserInfo endpoint is configured, the user information can be fetched from the UserInfo endpoint with the access token.
    b) Without an access token or without a UserInfo endpoint, the user information is in most cases contained directly in the ID token.
  3. The user gets to the Learning place.

Authentification code process

Prerequisites
The author with administration rights has configured the system setting “openidconnect.configuration”.

Process
The authentication code process starts like the implicit process, but after the user has logged in the Avendoo® server receives an authorization code. The authorization code is sent together with the client ID and the client secret to the token endpoint, which authenticates the client. In return, the Avendoo® server receives an ID token and an access token; the response type in this process is always code.

  1. The user opens the SSO link. Example: “https://servername.de/Avendoo/d/link?sso=ipid”. The value “ipid” depends on the configuration in the system setting “openidconnect.configuration”.
    The user is routed to the authentication page.
  2. The user logs in.
    The authentication server sends the answer, which contains the authorization code, to Avendoo®.
  3. The Avendoo® server sends the token request with the authorization code, the client ID and the client secret to the token endpoint. The answer contains the ID token and the access token.
    There are two different cases:
    a) If the Avendoo® server receives an access token and a UserInfo endpoint is configured, the user information can be fetched from the UserInfo endpoint with the access token.
    b) Without an access token or without a UserInfo endpoint, the user information is in most cases contained directly in the ID token.
  4. The user gets to the Learning place.
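The following is an added example, not Avendoo® code, that shows the client side of both processes described above: classifying an implicit-process redirect by the tokens it carries, building the token request of the authentication code process, and applying the two cases (UserInfo endpoint via access token, otherwise claims from the ID token). All values (client ID, client secret, issuer, nonce, the HS256 key used to build a token offline, the callback URL) are constructed for the example; real identity providers normally sign ID tokens with RS256 and the signature would be checked against the provider's published keys.

```python
"""Client-side handling of implicit and authorization code responses (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; none of them come from a real Avendoo configuration.
CLIENT_ID = "avendoo-client"
CLIENT_SECRET = "constructed-client-secret"
HS256_KEY = b"constructed-shared-key"  # hypothetical symmetric key, only so the example runs offline
ISSUER = "https://idp.example.test"
EXPECTED_NONCE = "n-0S6_WzA2Mj"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict) -> str:
    """Build an HS256-signed JWT (constructed token standing in for the IdP's ID token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """Check alg, signature, issuer, audience and nonce before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and any algorithm we did not expect
        raise ValueError("unexpected alg")
    expected = hmac.new(HS256_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("nonce") != EXPECTED_NONCE:
        raise ValueError("iss/aud/nonce mismatch")
    return claims


def is_valid_id_token(token: str) -> bool:
    """Boolean wrapper so callers can test tampered tokens without exceptions."""
    try:
        verify_id_token(token)
        return True
    except ValueError:
        return False


def classify_implicit_response(redirect_url: str) -> str:
    """Return the response type the IdP used: 'id_token', 'token' or 'id_token token'.

    In the implicit process the tokens arrive in the URL fragment of the redirect."""
    frag = parse_qs(urlparse(redirect_url).fragment)
    has_id, has_at = "id_token" in frag, "access_token" in frag
    if has_id and has_at:
        return "id_token token"
    if has_id:
        return "id_token"
    if has_at:
        return "token"  # not usable for an OpenID Connect login: no ID token
    raise ValueError("no token in fragment")


def build_token_request(code: str, token_endpoint: str, redirect_uri: str) -> dict:
    """Authentication code process: the request the server sends to the token endpoint.

    Client ID and client secret authenticate the client (client_secret_post style here)."""
    return {
        "url": token_endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        }),
    }


def resolve_user_info(tokens: dict, userinfo_endpoint: Optional[str]) -> dict:
    """The two cases from the text: UserInfo endpoint via access token, else ID token claims."""
    if "access_token" in tokens and userinfo_endpoint:
        # Case a): the server would GET the UserInfo endpoint with the access token as Bearer.
        return {"source": "userinfo", "endpoint": userinfo_endpoint, "bearer": tokens["access_token"]}
    if "id_token" in tokens:
        # Case b): take the claims from the (verified) ID token.
        return {"source": "id_token", "claims": verify_id_token(tokens["id_token"])}
    raise ValueError("neither usable access token nor ID token")
```

The fragment parsing is what distinguishes the implicit process from the code process: the code process never exposes tokens to the browser, which is why `build_token_request` runs on the server with the client secret while `classify_implicit_response` only sees what the redirect carried.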

Third Party Initiated Login

Prerequisites
The author with administration rights has configured the system setting “openidconnect.configuration”.

Process
The Third Party Initiated Login process can be combined with either the implicit process or the authentication code process.

  1. The user opens the OpenID Connect URL with the three parameters “iss” (mandatory), “login_hint” (optional) and “target_link_uri” (optional). The OIDC SSO configuration is determined by the “iss” parameter, that is, by the “[ID].issuer=…” entry in the configuration. If several configurations have the same issuer, the first configuration is taken.
    Note

    Note that the “login_hint” parameter is also passed on in the authentication request in the appropriate form, and that the “target_link_uri” parameter represents the target URL, for example a deep link or /ui/index.

  2. a) Then the process continues like the implicit process (step 2), or
    b) the process continues like the authentication code process (steps 2 and 3).
  3. The user gets to the Learning place or to the page specified in the parameter “target_link_uri”.
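An added example (not Avendoo® code) of the configuration lookup and request construction described for Third Party Initiated Login: it selects the OIDC configuration whose “[ID].issuer” equals the “iss” parameter (first match wins), carries “login_hint” into the authentication request, and falls back to /ui/index when “target_link_uri” is missing. The configuration text, the key names other than “issuer”, the callback URL and the rule that only a local path is accepted as target (an assumption added here so the parameter cannot redirect to an external site) are all constructed for the example.

```python
"""Third Party Initiated Login: configuration selection by issuer (added example)."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the "openidconnect.configuration" system setting, in the
# "[ID].key=value" form the text mentions. Two entries share an issuer on purpose.
CONFIGURATION = """
ipid.issuer=https://idp.example.test
ipid.authorization_endpoint=https://idp.example.test/authorize
ipid.client_id=avendoo-client
other.issuer=https://idp.example.test
other.authorization_endpoint=https://other.example.test/authorize
other.client_id=avendoo-other
partner.issuer=https://partner.example.test
partner.authorization_endpoint=https://partner.example.test/authorize
partner.client_id=avendoo-partner
"""
DEFAULT_TARGET = "/ui/index"
REDIRECT_URI = "https://servername.de/Avendoo/oidc/callback"  # constructed callback URL


def parse_configuration(text: str) -> dict:
    """Group 'ID.key=value' lines into {ID: {key: value}}, keeping first-appearance order."""
    configs: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if "." not in key:
            continue
        cfg_id, field = key.split(".", 1)
        configs.setdefault(cfg_id, {})[field] = value
    return configs


def select_config_by_issuer(configs: dict, iss: str) -> Optional[str]:
    """Exact issuer match; with duplicate issuers the first configuration wins."""
    for cfg_id, cfg in configs.items():
        if cfg.get("issuer") == iss:
            return cfg_id
    return None


def safe_target(target_link_uri: Optional[str]) -> str:
    """Accept only a local path (deep link or /ui/index) as target.

    Absolute and protocol-relative URLs fall back to the default so the parameter
    cannot be used as an open redirect. Assumption for this example, not a documented rule."""
    if not target_link_uri:
        return DEFAULT_TARGET
    if target_link_uri.startswith("/") and not target_link_uri.startswith("//"):
        return target_link_uri
    return DEFAULT_TARGET


def handle_third_party_login(request_url: str, configs: dict, state: str, nonce: str) -> dict:
    """Resolve the configuration from 'iss' and build the authentication request."""
    params = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    if "iss" not in params:
        raise ValueError("iss is mandatory")
    cfg_id = select_config_by_issuer(configs, params["iss"])
    if cfg_id is None:
        raise ValueError("no configuration for issuer")
    cfg = configs[cfg_id]
    auth_params = {
        "response_type": "code",  # authentication code process; id_token for the implicit one
        "client_id": cfg["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,   # bound to the session to stop CSRF on the callback
        "nonce": nonce,   # echoed in the ID token and checked there
    }
    if "login_hint" in params:
        auth_params["login_hint"] = params["login_hint"]
    return {
        "config": cfg_id,
        "target": safe_target(params.get("target_link_uri")),
        "authentication_request": cfg["authorization_endpoint"] + "?" + urlencode(auth_params),
    }
```

The `target` value is remembered with the session and used after step 3 to send the user to the deep link or to /ui/index; it is never taken from the callback itself.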