OpenID Connect 1.0 enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server and provides claims in exchange for an access token. The access token is provided to the /user_info or /me endpoint to get the requested claims in return.
Section 3.1.2.3 of the OpenID Connect 1.0 spec explains the process of authenticating an end-user. However, it clearly states:

> The methods used by the Authorization Server to Authenticate the End-User (e.g. username and password, session cookies, etc.) are beyond the scope of this specification.
The implementation of these methods is precisely my question. Plus, the OAuth 2.0 specification doesn't provide any info on the implementation either.
The doubt I have is: how do we authenticate an end-user? The probable cases I could think of are:
- We keep some of the user's data, like profile info, username and password, on the Authorization Server and other user-related information on the Resource Server.
- We keep everything on the Resource Server and validate the user's credentials by sending a POST request along with the user's credentials to an internal REST API on the Resource Server.
- The Authorization Server and Resource Server share the same DB instance, and hence no API calls.
I know the implementation will differ from one OpenID Provider to another, but I want to know whether these are even approaches that any OpenID Provider follows.
In some cases the Authorization Server and Resource Server can be the same, in which case sharing the database instance becomes easy. But what happens if the servers are two different machines?
Let's say I'm trying to write my own implementation of OpenID Connect. What suggestions would you give me for authenticating the end-users?
I tried going through the codebase of the node-oidc-provider library, but the library doesn't authenticate the user and skips that part. It'd be of great help if anyone could provide any pointers on this. What should be the best practice? What methods are other OpenID Providers using?