OpenID Connect and OAuth 2.0

The onePortal platform supports OpenID Connect (OIDC), as defined in the OpenID Foundation's specification documents. OpenID Connect is built on top of the OAuth 2.0 Authorization Framework. Readers are encouraged to familiarise themselves with both of these standards.

The onePortal™ platform can act as an OpenID Connect Provider (OP), which is a modern form of Identity Provider (IdP). Users may use it to authorise client applications that are registered with onePortal™.

This chapter describes how to configure an OpenID Connect client in onePortal. It also includes examples of the various authorisation flows, written in the Python programming language.

For an up-to-date description of the OIDC configuration, refer to the standard discovery endpoint of any onePortal instance at /.well-known/openid-configuration; it lists the available endpoints as well as the supported scopes and claims. A (non-working) example address is <https://fi.trivoreid.com/.well-known/openid-configuration>.
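To show how a client should treat that discovery document before trusting it, here is an added Python example that is not part of onePortal's documentation or code. It validates a constructed discovery document (the issuer and endpoint paths are assumptions, not onePortal's real ones) against the REQUIRED metadata of OpenID Connect Discovery 1.0 and lists the advertised scopes and claims.

```python
import json
from urllib.parse import urlparse

# Metadata that OpenID Connect Discovery 1.0 (section 3) marks REQUIRED.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed sample document; the issuer and paths are assumptions, not onePortal's.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://op.example.com",
  "authorization_endpoint": "https://op.example.com/openid/auth",
  "token_endpoint": "https://op.example.com/openid/token",
  "jwks_uri": "https://op.example.com/openid/jwks",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "profile", "email"],
  "claims_supported": ["sub", "name", "email", "email_verified"]
}""")


def validate_discovery(doc: dict, expected_issuer: str) -> list:
    """Return the problems found in a discovery document; an empty list means it is usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")
    # The advertised issuer must equal the one the client was configured with.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    # token_endpoint is REQUIRED unless only the Implicit Flow is offered.
    if "code" in doc.get("response_types_supported", []) and "token_endpoint" not in doc:
        problems.append("token_endpoint missing although the code flow is offered")
    # Every endpoint must be served over TLS; plain http would expose codes and tokens.
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if url is not None and urlparse(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("scope 'openid' not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID Token signing (the spec requires it)")
    return problems


def supported_scopes_and_claims(doc: dict) -> tuple:
    """Sorted scopes and claims the OP advertises (both are OPTIONAL metadata)."""
    return sorted(doc.get("scopes_supported", [])), sorted(doc.get("claims_supported", []))
```

In a real client the document would be fetched over HTTPS from the issuer's /.well-known/openid-configuration and passed to validate_discovery before any endpoint URL from it is used.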

The image below shows the conceptual big picture of how OpenID Connect works. At the bottom right it also includes REST API endpoints. Some of those reside on onePortal™, but normally most will reside on other application servers; it all depends on how onePortal™ is utilised.