
Comment by spapas82

8 months ago

OpenID Connect is a rather simple protocol. I was able to understand most of it in about a day by reading the specs (https://openid.net/specs/openid-connect-core-1_0.html). For anybody that's interested and doesn't want to read these specs, I've written a comprehensive tutorial on how to implement a client for OpenID using simple HTTP requests (https://spapas.github.io/2023/11/29/openid-connect-tutorial/).

It's using Python to do the work, but it should be straightforward to implement it in anything you want. Most of the complex stuff is related to decoding and checking the JWT tokens.

I'm using exactly this hand-written client on a production project to authenticate with Keycloak for like a year and everything's working perfectly!

PS: I know that there are way too many ads on my site. Unfortunately I haven't found the time to properly configure Google Ads and haven't found anything better :( Use an ad-blocker to read it.

Very interesting and good write-up.

PS. Be cautious with using subjective words like "simple". It can be really off-putting as a reader if you think something is difficult and the author claims it's simple.

  • Everything is relative. I believe it's "simple" compared to other standards like SAML.

    I agree it can be a little intimidating for a novice in the space!

A great tutorial.

I'm still not convinced that OIDC is easy. Keycloak hides enormous complexity and that's not because the developers were bored. One example is the huge number of settings for various timeouts: SSO timeouts, client timeouts, various token timeouts.