OpenID Connect is an identity framework built on OAuth 2.0 which utilizes and extends OAuth 2.0 messages and code flows. The WSO2 Identity Server is able to use and implement the OpenID Connect Basic Client Profile.
- For OAuth 2.0, the client application needs to be registered. See here to register the OAuth 2.0 playground application.
- The OpenID Connect Basic Client Profile utilizes the OAuth 2.0 Authorization Code flow. So the second step is to get an authorization code with the scope "openid". Use the OAuth 2.0 playground application to get the authorization code, make sure to use the scope openid. Other than the flow of OAuth 2.0 to get the the Authorization Code, in OpenID Connect the user is prompted for consent before the token issued to the client.
- Get the access token using the authorization code. Use the playground application to get the access token. Since this authorization code is issued for the scope openid, the ID Token is returned along with the access token.
Access the userinfo endpoint with the received access token. As per the specification, the received bearer token is sent using the HTTP Authorization header. The curl command is as follows:
curl -k -H "Authorization: Bearer 4164157d677a6cd3a22e26e24c30135d" https://localhost:9443/oauth2/userinfo?schema=openid
As the response, the WSO2 Identity Server returns a JSON with user claims.
{"sub":"PRIMARY\/sureshatt","email":"sureshgemunu@mymail.com","name":"Suresh Attanayake","family_name":"Attanayake","preferred_username":"sureshgemunu","given_name":"Suresh"}