Example OIDC Web Application
In this OpenID Connect (OIDC) example, we demonstrate a web application logging in to a simulated online resource. OIDC’s flexibility extends beyond this example to other scenarios such as mobile apps, Single Page Applications (SPAs), and Human-to-Machine (H2M) integrations.

Access begins when the user selects Login, prompting the OIDC provider to present its login panel. Entering a username and tapping Log in begins the authentication and authorization process.

The OIDC provider collects and encrypts the username and related identifying information and transmits it securely (over TLS) to the AffirmedID API server for user record retrieval and validation. The API server, working with its internal FIDO Client, prepares a FIDO2 challenge and delivers it via a secure out-of-band channel using push notification to the user’s cellphone.

When the notification is selected, the AffirmedID app launches and displays an option to accept or decline the challenge. The user unlocks the app with a PIN code and, once identity verification completes, taps Accept to approve the challenge. A cryptographic FIDO2 response is prepared, encrypted, and sent back to the API server. This response contains two distinct assertions: one confirming device identity and another confirming user identity.

Back at the API server, the response is received and both assertions are verified before an encrypted result is returned to the OIDC provider. Upon receipt, the OIDC provider validates the result, generates the OAuth 2.0 access and authorization tokens, and returns them to the application that initiated the authentication.

Access to the simulated resource is granted.
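The exchange described above, as an added simulation that is not AffirmedID's code and not the OIDC provider's or API server's real implementation. It runs every party in one process: the API server mints a challenge with a nonce and expiry, the app answers it with two separate assertions (device and user) only after the user accepts, the server verifies both and consumes the challenge so it cannot be replayed, the OIDC provider then issues an ID token for the application, and the application validates that token's signature, issuer, audience and expiry. Assumptions to note: HMAC keys stand in for the asymmetric FIDO2 credential keys, HS256 stands in for the provider's token signature, and every key, hostname, relying-party id and client id is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key material standing in for the FIDO2 credential keys and the
# OIDC provider's token-signing key. Real deployments use asymmetric keys; HMAC
# keeps this simulation dependency-free (an assumption of the example).
DEVICE_KEY = b"constructed-device-credential-key"
USER_KEY = b"constructed-user-credential-key"
OP_SIGNING_KEY = b"constructed-op-signing-key"
RP_ID = "example-rp.test"           # constructed relying-party id
ISSUER = "https://op.example.test"  # constructed OIDC provider issuer


def _sign(key, challenge, purpose):
    """Authenticator-side stand-in for the FIDO2 signature. The purpose tag is
    part of the signed data so a device assertion cannot pass as a user one."""
    msg = json.dumps({"purpose": purpose, **challenge}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authenticator_respond(challenge, user_approved):
    """App side: after the PIN/identity check, Accept yields two assertions."""
    if not user_approved:
        return None
    return {"device_assertion": _sign(DEVICE_KEY, challenge, "device"),
            "user_assertion": _sign(USER_KEY, challenge, "user")}


class ApiServer:
    """Mints challenges, tracks them, and verifies the returned assertions."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self.pending = {}  # nonce -> challenge awaiting its single response

    def issue_challenge(self, username, now=None):
        now = time.time() if now is None else now
        challenge = {"username": username, "rp_id": RP_ID,
                     "nonce": secrets.token_hex(16), "expires_at": now + self.ttl}
        self.pending[challenge["nonce"]] = challenge
        return challenge

    def verify_response(self, nonce, response, now=None):
        now = time.time() if now is None else now
        # pop() consumes the challenge: a second answer, valid or not, is rejected
        challenge = self.pending.pop(nonce, None)
        if challenge is None:
            return False, "unknown or already-used challenge"
        if now > challenge["expires_at"]:
            return False, "challenge expired"
        if response is None:
            return False, "user declined"
        device_ok = hmac.compare_digest(response.get("device_assertion", ""),
                                        _sign(DEVICE_KEY, challenge, "device"))
        user_ok = hmac.compare_digest(response.get("user_assertion", ""),
                                      _sign(USER_KEY, challenge, "user"))
        if not (device_ok and user_ok):
            return False, "assertion verification failed"
        return True, challenge["username"]


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(username, client_id, now=None, ttl=300):
    """OIDC provider side: HS256 ID token addressed to the application."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "sub": username, "aud": client_id,
                                 "iat": now, "exp": now + ttl,
                                 "amr": ["hwk", "pin"]}).encode())  # RFC 8176 values
    signing_input = f"{header}.{claims}"
    sig = hmac.new(OP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token, client_id, now=None):
    """Application side: check signature, issuer, audience and expiry."""
    now = time.time() if now is None else now
    header, claims, sig = token.split(".")
    expected = hmac.new(OP_SIGNING_KEY, f"{header}.{claims}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        return None
    body = json.loads(_b64url_decode(claims))
    if body["iss"] != ISSUER or body["aud"] != client_id or now >= body["exp"]:
        return None
    return body


def login(api, username, client_id, user_approved=True, now=None):
    """End-to-end run of the flow; returns the claims the application accepts."""
    challenge = api.issue_challenge(username, now=now)          # pushed to the phone
    response = authenticator_respond(challenge, user_approved)  # user taps Accept
    ok, result = api.verify_response(challenge["nonce"], response, now=now)
    if not ok:
        return None
    token = issue_id_token(result, client_id, now=now)  # provider issues the token
    return verify_id_token(token, client_id, now=now)   # application validates it
```

The `now` parameter exists only so the expiry paths can be exercised deterministically; in normal use every function falls back to the wall clock. The two things worth copying into a real relying party are the single-use challenge (consumed on first answer, whatever the outcome) and the application-side token check, which rejects a token minted for a different client id even though its signature is valid.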

In short, OIDC is the backbone of modern authentication, enabling secure, passwordless, and scalable identity across today’s distributed environments.