CILogon Supports OpenID Connect for Federated Authentication to Cyberinfrastructure
Post date: Jan 20, 2016 6:36:01 PM
CILogon's new OpenID Connect (OIDC) interface enables cyberinfrastructure (CI), such as Jetstream (via Globus Auth) and Ocean Observatories Initiative, to support federated authentication with InCommon identity providers via a standard, RESTful API. OIDC is a simple authentication layer built on the OAuth 2.0 standard that enables CI to easily connect to CILogon using standard client software (such as mod_auth_openidc).
CILogon's OIDC interface includes an optional getcert endpoint for cases that require X.509 certificates. Otherwise, CILogon clients can use standard OIDC tokens and the standard OIDC userinfo endpoint for authentication without needing to generate RSA keys and X.509 certificate requests or parse X.509 certificates. We believe this is a significant improvement over CILogon's existing OAuth 1.0 interface, in terms of both performance and simplicity, and we encourage CI operators using CILogon's OAuth 1.0 interface to upgrade to OIDC.
Obtaining user consent prior to release of personal information is an important component of CILogon's OIDC interface. CILogon supports multiple scopes to allow clients to request only the information they need. The CILogon consent screen (example below) informs users about what information is being requested by whom. CILogon staff manually review each client registration to ensure that CILogon's OIDC interface is only used by cyberinfrastructure in support of academic research.
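To make the relying-party side of this concrete, the following is an added Python example (not CILogon's code, nor that of any project named above) showing the checks a CI service should make when using CILogon's OIDC interface: minimal scopes, state and nonce, and ID token claim validation after the signature has been verified. The issuer value, authorize endpoint URL, client id and scope names are assumptions; the real values come from CILogon's discovery document and your client registration.

```python
# Added illustration of an OIDC relying party talking to CILogon; not CILogon's code.
# Endpoint, issuer, client id and scopes are assumptions: take the real values from
# https://cilogon.org/.well-known/openid-configuration and your client registration.
import secrets
import urllib.parse

ISSUER = "https://cilogon.org"                    # assumed issuer value
AUTHORIZE_URL = "https://cilogon.org/authorize"   # assumed authorization endpoint
CLIENT_ID = "cilogon:/client_id/EXAMPLE"          # placeholder from registration

def build_authorize_url(redirect_uri, scopes=("openid", "email")):
    """Start the authorization code flow. Request only the scopes the service
    needs (the consent screen shows the user exactly this list); state ties the
    callback to this browser session and nonce ties the ID token to this login."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "nonce": nonce}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state, nonce

def code_from_callback(query_string, expected_state):
    """Parse the redirect back from CILogon; refuse it unless state matches."""
    q = urllib.parse.parse_qs(query_string)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the login this session started")
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"][0])
    return q["code"][0]

def check_id_token_claims(claims, expected_nonce, now):
    """Claim checks applied after the OIDC library has verified the signature.
    Returns None if the token is acceptable, otherwise the reason to reject it."""
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        return "wrong issuer"
    if CLIENT_ID not in aud:
        return "token issued to a different client"
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return "expired"
    return None

def account_key(userinfo):
    """Key local accounts on (issuer, sub): sub is the stable user identifier,
    while email is a mutable attribute each identity provider releases as it sees fit."""
    return (ISSUER, userinfo["sub"])
```

The same claim checks apply to the ID token whether the service then calls the userinfo endpoint or the optional getcert endpoint; the token exchange itself is left to the OIDC client library.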