OpenID Connect Integration

Previous Next

This tutorial is part of the OpenID Connect Series.

Back to OpenID Connect

Category: Intermediate

Difficulty: 3 out of 5

Duration: 15 minutes

1. Overview 2. Standard Flow 3. OpenID Configuration 4. Attributes 5. Skipping Discovery Service 6. Attribute Based Authorisation 7. Links 8. Next Steps

Find a mistake? Let us know the issue here.

Attribute Based Authorisation

Specific attributes can be utilised to make authorisation decisions within an application.

Below is an example of the ID Token attributes that are provided by the AAF OpenID Provider and translated to OpenID Connect:

  {
    "sub": "YAdr3eQkhvnHrtOcdnOl4cFRdYnOmKoP4523eh45y89",
    "name": "John Doe",
    "given_name": "John",
    "family_name": "Doe",
    "preferred_username": "jdoe",
    "email": "john.doe@uni.edu.au",
    "phone_number": "+61 412 345 678",
    "au_edu_person_shared_token": "BG67eQkhvnHrtOcdnOl4cFRdYnO",
    "edu_person_affiliation": [
      "affiliate"
    ],
    "edu_person_assurance": [
      "urn:mace:uni.edu.au:iap:id:1",
      "urn:mace:uni.edu.au:iap:authn:1"
    ],
    "edu_person_entitlement": [
      ""
    ],
    "edu_person_orcid": "0000-0000-0000-0000",
    "edu_person_principal_name": "jdoe@hsww.wiz.edu.au",
    "edu_person_scoped_affiliation": [
      "faculty@hsww.wiz.edu.au"
    ],
    "schac_home_organization": "hsww.wiz",
    "iss": "https://hsww.wiz.edu.au",
    "aud": "b56y89re-4w32-2c5r-0b3q-1a2s3d4f5g6h",
    "exp": 1234567890,
    "iat": 1234567890,
    "auth_time": 1234567890,
    "azp": "b56y89re-4w32-2c5r-0b3q-1a2s3d4f5g6h",
    "nonce": "6oP4523eh45y89re4w322c5r0b3q1e1e"
}


For a live example of attribute release for your institution, sign in to the AAF OpenID Connect Demo App.


The relevant attributes that can be utilised for authorisation by a Service Provider (SP) include:

Attribute Name Notes on Usage
eduPersonEntitlement
  • Indicates a user's set of rights to specific resources.
  • The SP can invite some or all Identity Providers (IdP) to express that value for those users who satisfy the definition.
  • The SP can delegate responsibility for authorisation of access to a particular resource to the IdP.
eduPersonAffiliation
  • Enables an organisation to assert its relationship with the user.
  • Provides a user (member of an organisation, or a specific school or faculty within it) access to a resource on a site licence basis.
  • Should be used when the SP does not need confirmation of the security domain of the user.
eduPersonScopedAffiliation
  • A multivalued attribute used to reflect multiple relationships that a user has with an organisation.
  • Should be used when the SP does need confirmation of the security domain of the user.
schacHomeOrganization
  • Can be used when the SP needs to identify the Home Institution of a user.
mail
  • Should only be used when the SP needs to communicate with the end user.
  • This may apply when an applicant needs to be informed whether their access to a research database has been granted or denied.

Up Next:

7. Links