Integration interfaces
The Connect2id server comes with a set of interfaces to let deployments plug in their own data sources, branded user journeys and business-specific authorisation logic. These can be:
- Web interfaces -- With focus on flexibility, based on REST and JSON;
- Java Service Provider Interfaces (SPI) -- With focus on performance with Java-based modules; can implement web hooks to services for additional flexibility.
To run your own OpenID Connect provider / OAuth 2.0 server you only need to link a user authentication source and UI via the authorisation session web API, plus a claims source via the Claims source SPI. The remaining integration points are optional.
Interface | Type | Requirement | Purpose |
---|---|---|---|
Authorisation session | web | required | Integrate your branded login page (UI), your subject (end-user) authentication methods and your business / authorisation logic for setting the claims and scopes of the issued ID and access tokens. |
Logout session | web | optional | Integrate a logout page (UI) for receiving end-session requests from OpenID applications as well as internal IdP services. |
Direct authorisation | web | optional | Create SSO sessions and obtain ID / access tokens directly, without any end-user interaction. Can be used to federate external identity providers, such as business partners and social logins from Facebook, Twitter, etc. |
Authorisation store | web | optional | Query, update and revoke issued OAuth 2.0 / OpenID Connect authorisations as well as associated access and refresh tokens. |
Subject session store | web | optional | Query, access and manage the SSO sessions of subjects (end-users) with the Connect2id server. |
Security Token Service (STS) | web | optional | Request issue of JAR and private_key_jwt JWTs when the Connect2id server acts as an OAuth 2.0 client / OpenID relying party. |
Monitoring | web | optional | Obtain server usage and performance metrics, run health-checks. |
Configuration check | web | optional | Validate a Connect2id server configuration before applying it. |
Tenants registry | web | optional | Manage Connect2id server tenants (multitenant edition only). |
Claims source | SPI | required | Integrate OpenID Connect claims sources, such as LDAP directories, SQL databases and HR management systems. |
Password grant handler | SPI | optional | Plug in logic for handling OAuth 2.0 resource owner password credentials grants. |
Client credentials grant handler | SPI | optional | Plug in logic for handling OAuth 2.0 client credentials grants. |
JWT bearer assertion grant handler | SPI | optional | Plug in logic for handling client-issued and third-party issued (token service) JWT bearer assertion grants. |
SAML 2.0 bearer assertion grant handler | SPI | optional | Plug in logic for handling client-issued and third-party issued (token service) SAML 2.0 bearer assertion grants. |
Token exchange grant handler | SPI | optional | Plug in logic for handling token exchange, including impersonation (act-as) and delegation (on-behalf-of) scenarios. |
Token issue events | SPI | optional | Record or send access and ID token issue events. |
Authentication and consent events | SPI | optional | Record or send end-user authentication and authorisation events. |
Custom access token encoding and introspection | SPI | optional | Customise access token encoding and introspection responses. |
Custom token response | SPI | optional | Customise token success and error responses. |
Client registration interceptor | SPI | optional | Intercept HTTP requests at the client registration endpoint to handle software statements and other signed requests. |
Client metadata validator | SPI | optional | Carry out additional validation or shaping of OAuth 2.0 client / OpenID relying party registration metadata after the Connect2id server has completed the standard validations. |
Authorisation request validator | SPI | optional | Carry out additional validation and optional modification of received authorisation requests. |
PAR validator | SPI | optional | Carry out additional validation and optional modification of received Pushed Authorisation Requests (PAR). |
Private key JWT certificate verifier | SPI | optional | Verify qualified X.509 certificates for private key JWT client authentication. |
Client authentication interceptor | SPI | optional | Intercept client authentication success and error events for logging, reporting, audit and other purposes. |
Client secret store codec | SPI | optional | Hash or encrypt client secrets before persisting them to storage. Supports import of already encoded secrets. |
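The client secret store codec entry above describes the technique only in one sentence. The following is an added illustration, written for this page, of what such a codec does: it is not Connect2id code and does not use the Connect2id SPI types or method signatures. The function names, the self-describing `pbkdf2-sha256$<iterations>$<salt>$<hash>` storage format and the iteration count are assumptions chosen for the example. It shows the three operations a practitioner needs: encoding a plaintext secret with a random salt before it reaches storage, importing a value that is already encoded without hashing it a second time, and verifying a presented secret in constant time against the stored form.

```python
"""Illustrative client-secret store codec (example, not the Connect2id SPI).

Hashing client secrets means a leaked client database does not hand an
attacker working credentials; it also means the server can only verify a
presented secret, never read the original back.
"""
import base64
import hashlib
import hmac
import os

PREFIX = "pbkdf2-sha256"   # hypothetical format tag, chosen for this example
ITERATIONS = 600_000       # assumed work factor; tune for your hardware
SALT_LEN = 16              # 128-bit random salt per secret


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so '$' stays a safe field separator."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_encoded(value: str) -> bool:
    """True if the value is already in the codec's storage format."""
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == PREFIX and parts[1].isdigit()


def encode_secret(plain: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Hash a plaintext client secret for storage.

    A fresh random salt is drawn unless one is supplied (only useful for
    deterministic tests); the salt and iteration count travel with the hash so
    the work factor can be raised later without breaking old records.
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"), salt, iterations)
    return "$".join([PREFIX, str(iterations), _b64(salt), _b64(digest)])


def import_secret(value: str) -> str:
    """Import path: keep an already encoded secret as-is, hash a plaintext one.

    Without this check a migration that re-encodes stored hashes would make
    every imported client unable to authenticate.
    """
    return value if is_encoded(value) else encode_secret(value)


def verify_secret(presented: str, stored: str) -> bool:
    """Constant-time comparison of a presented secret with the stored form."""
    if not is_encoded(stored):
        raise ValueError("stored value is not in the codec's encoded format")
    _, iterations, salt_b64, hash_b64 = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", presented.encode("utf-8"), _unb64(salt_b64), int(iterations)
    )
    return hmac.compare_digest(digest, _unb64(hash_b64))


if __name__ == "__main__":
    # Constructed sample: a client secret as it would arrive at registration.
    stored = encode_secret("correct horse battery staple")
    print("stored form:", stored)
    print("correct secret accepted:", verify_secret("correct horse battery staple", stored))
    print("wrong secret rejected:", not verify_secret("wrong", stored))
    print("re-import leaves encoded value untouched:", import_secret(stored) == stored)
```

Two design points carry over to a real codec: the stored form must be self-describing (algorithm, parameters, salt) so that the server can verify old records after the work factor changes, and the import path must recognise already encoded values, otherwise secrets migrated from another store get hashed twice and stop working. If the deployment needs the plaintext back (for example to display it to an administrator), hashing is the wrong choice and the codec would encrypt with a key held outside the database instead.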