# Identity Overview


# Aspenware Identity Server

Aspenware Identity Server is an implementation of the OpenID Connect (OIDC) protocol and is used to authenticate users. Clients (applications) can implement their own authentication process, or they can delegate it to a service like Aspenware Identity Server. The benefit of using Aspenware Identity Server is that the login, account creation, forgotten-password, and duplicate-account prevention flows are all built into the service, so the client interacting with Aspenware Identity Server does not need to build that logic. Some code is still required to integrate with Aspenware Identity Server, but it is significantly less than coding those flows from scratch.

Helpful terminology: https://identityserver4.readthedocs.io/en/latest/intro/terminology.html

# High Level Integration Overview

In order to integrate a client with Aspenware Identity Server, some setup is needed:

  1. Reach out to Aspenware to set up a client id
  2. Implement OpenID Connect in your application for login and use Aspenware Identity Server as the authority
  3. After the authentication process is completed on Aspenware Identity Server, the user is redirected back to the application with the result: on success the application receives the user's claims, on failure an indicator that authentication did not succeed. The application must validate what comes back (issuer, audience, nonce, expiry, and signature of the ID token) before trusting any claim in it.
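The three steps above, carried out in client code, as an added example (this is not code from the original page or from Aspenware). It uses the authorization code flow with PKCE against the authority URL the page gives; the client id `example-web`, the redirect URI `https://client.example/signin-oidc`, and the endpoint paths `/connect/authorize` and `/connect/token` are assumptions. Signature verification of the ID token against the authority's published keys needs a JOSE library and is left as a comment; the claim checks that follow it are shown in full.

```python
"""Authorization code + PKCE login against an OIDC authority (added example).

Assumed, not from the page: CLIENT_ID, REDIRECT_URI and the endpoint paths.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://identity.aspenware.net"          # authority URL from the page
CLIENT_ID = "example-web"                             # assumed client id
REDIRECT_URI = "https://client.example/signin-oidc"   # assumed redirect URI


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce():
    """Return (code_verifier, S256 code_challenge) for one login attempt."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars of fresh entropy
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorize_url(state: str, nonce: str, code_challenge: str,
                        scopes=("openid", "profile")) -> str:
    """Step 2: the URL the browser is sent to; state and nonce are stored
    server-side in the user's session so the callback can be checked."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",            # code flow only, no tokens in the URL
        "scope": " ".join(scopes),
        "state": state,                     # binds the callback to this session
        "nonce": nonce,                     # binds the id_token to this login
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/connect/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: the authority redirects back. A failed login arrives as an
    error parameter; a state mismatch means the request was not ours."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"login failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch (possible CSRF or replay)")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str):
    """Back-channel POST that redeems the code; the verifier proves this is
    the same client that started the flow."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/connect/token", body


def validate_id_token_claims(claims: dict, expected_nonce: str, now=None) -> str:
    """Checks applied to the id_token payload AFTER its JWS signature has been
    verified against the keys at the authority's jwks_uri (not shown).
    Returns the stable subject identifier on success."""
    now = time.time() if now is None else now
    if claims.get("iss") != AUTHORITY:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise PermissionError("id_token was not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise PermissionError("nonce mismatch (replayed id_token)")
    if now >= claims.get("exp", 0):
        raise PermissionError("id_token expired")
    return claims["sub"]


if __name__ == "__main__":
    verifier, challenge = make_pkce()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(state, nonce, challenge))
```

The `state` value is what stops an attacker from completing a login in the victim's browser with a code of their own; the `nonce` does the same job for the ID token itself. Both must be unpredictable and compared against what the client stored, never against what the callback claims.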

# Protocol Overview

OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign a user in to an application. Because Aspenware Identity Server implements OIDC, a client that speaks the protocol can add sign-in and API access without depending on any vendor-specific library. The rest of this page describes the HTTP messages involved independent of language or framework.

OpenID Connect extends the OAuth 2.0 authorization protocol for use as an authentication protocol, so that you can do single sign-on using OAuth. OpenID Connect introduces the concept of an ID token, a signed security token that allows the client to verify the identity of the user and that the token was issued for this client. The ID token also carries basic profile information about the user. OIDC also introduces the UserInfo endpoint, an API that returns information about the user.

# Protocol Diagram: Access Secure Page

The following diagram illustrates the user's request of a protected resource (page) on a website using Aspenware Identity to login first to establish the user's access.

(Diagram: Sign In Overview)

# Retrieve Connection Information: OpenID Metadata Document

Aspenware Identity, like any OpenID Connect server, provides a metadata document which contains the information a website needs to sign users in. A system can retrieve this document by appending the discovery path (.well-known/openid-configuration) to the Authentication Authority URL:

https://identity.aspenware.net/.well-known/openid-configuration

Frameworks that simplify communication with an OpenID server use the configuration document to set up calls to the Identity Server dynamically for tasks like starting authentication, requesting a token, or retrieving user information. The document must be fetched over HTTPS, and a client should confirm that its `issuer` value matches the authority URL it was retrieved from, because every `iss` claim in the tokens it later receives is compared against that value. The following excerpt shows data provided in the configuration document:

OpenID Configuration (excerpt):

```json
{
  "issuer": "https://id.boyneresorts.com",
  "authorization_endpoint": "https://id.boyneresorts.com/connect/authorize",
  "token_endpoint": "https://id.boyneresorts.com/connect/token",
  ...
  "scopes_supported": [
    "openid",
    "profile",
    "IdentityServerApi",
    "arrival",
    "offline_access"
  ],
  "claims_supported": [
    "sub",
    "name",
    "family_name",
    "given_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "updated_at"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  ...
}
```
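Consuming the discovery document in client code, as an added example (not code from the page or from Aspenware). It parses a constructed copy of the excerpt above with the issuer set to the authority this client uses, rejects a document whose issuer does not match the URL it was fetched from, and checks the client's intended flow against what the server advertises. Note that the excerpt lists `implicit` and `password` among the supported grants and several `token`-bearing response types; the OAuth 2.0 Security BCP (RFC 9700) discourages both, so a new integration should use `response_type=code` with PKCE even though the server would accept the others.

```python
"""Discovery-document checks for an OIDC client (added example, not Aspenware code).

SAMPLE_DISCOVERY is constructed for this example: it repeats the fields shown
in the page's excerpt with the issuer set to the authority this client uses.
"""
import json

AUTHORITY = "https://identity.aspenware.net"  # authority URL from the page

SAMPLE_DISCOVERY = json.dumps({
    "issuer": AUTHORITY,
    "authorization_endpoint": AUTHORITY + "/connect/authorize",
    "token_endpoint": AUTHORITY + "/connect/token",
    "scopes_supported": ["openid", "profile", "IdentityServerApi",
                         "arrival", "offline_access"],
    "grant_types_supported": ["authorization_code", "client_credentials",
                              "refresh_token", "implicit", "password",
                              "urn:ietf:params:oauth:grant-type:device_code"],
    "response_types_supported": ["code", "token", "id_token", "id_token token",
                                 "code id_token", "code token",
                                 "code id_token token"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")
# Grants the OAuth 2.0 Security BCP (RFC 9700) tells new clients not to use.
DISCOURAGED_GRANTS = {"implicit", "password"}


def load_discovery(authority: str, raw_json: str) -> dict:
    """Parse a discovery document and reject one that cannot be trusted:
    the issuer must equal the URL it was fetched from (OIDC Discovery 4.3)
    and every endpoint must be HTTPS, otherwise a spoofed document could
    steer codes and tokens to an attacker-controlled host."""
    doc = json.loads(raw_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    if doc["issuer"].rstrip("/") != authority.rstrip("/"):
        raise ValueError(f"issuer {doc['issuer']!r} does not match {authority!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not doc[key].startswith("https://"):
            raise ValueError(f"{key} is not HTTPS")
    return doc


def check_client_config(doc: dict, response_type: str, grant_type: str,
                        scopes) -> list:
    """Return the reasons a planned client configuration should not be used;
    an empty list means the flow is both supported and recommended."""
    problems = []
    if response_type not in doc.get("response_types_supported", []):
        problems.append(f"response_type {response_type!r} not supported")
    if grant_type not in doc.get("grant_types_supported", []):
        problems.append(f"grant_type {grant_type!r} not supported")
    unknown = sorted(set(scopes) - set(doc.get("scopes_supported", [])))
    if unknown:
        problems.append(f"scopes not supported: {unknown}")
    # Advertised is not the same as advisable: 'token' response types put
    # access tokens in the browser URL and history, and the password grant
    # hands the user's credentials to the client.
    if grant_type in DISCOURAGED_GRANTS or "token" in response_type.split():
        problems.append("use response_type=code with PKCE instead of "
                        f"{grant_type!r}/{response_type!r}")
    return problems


if __name__ == "__main__":
    metadata = load_discovery(AUTHORITY, SAMPLE_DISCOVERY)
    print(check_client_config(metadata, "code", "authorization_code",
                              ["openid", "profile"]))
    print(check_client_config(metadata, "id_token token", "implicit",
                              ["openid", "profile"]))
```

Running the block prints an empty list for the code flow and one warning for the implicit configuration, which is the distinction a client should draw before picking a flow from this document.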