Understanding OpenID Connect Integration with Agile.Now
- Updated on 13 Jan 2025
Agile.Now is committed to providing secure and robust integration capabilities for modern software development and project management tools. In the realm of user authentication and identity services, Agile.Now supports the OpenID Connect (OIDC) standard, an identity layer on top of the OAuth 2.0 protocol.
Agile.Now and OpenID Connect Standards
Agile.Now leverages OpenID Connect to authenticate users and provide secure access to applications. This standard enables clients to verify the identity of an end-user based on the authentication performed by an Authorization Server and to obtain basic profile information about the end-user in an interoperable and REST-like manner.
Key Components in Agile.Now's OpenID Connect Implementation
- `id_token`: A security token that contains Claims (user information) about the authenticated user.
- `.well-known/openid-configuration`: Part of the OpenID Connect discovery process, this URI (Uniform Resource Identifier) allows clients to retrieve metadata about the OpenID Provider. In Agile.Now, it is accessible at `https://<server url>/oauth/rest/v2/default/.well-known/openid-configuration`.
- `.well-known/jwks`: The JSON Web Key Set (JWKS) is a set of public keys used to verify any JSON Web Token (JWT) issued by the authorization server. Agile.Now exposes this at `https://<server url>/oauth/rest/v2/default/.well-known/jwks-keys`.
If your environment is not configured to use the Agile.Now Workspace Hub, the OpenID configuration will default to the main tenant settings. Ensure you are aware of the proper OpenID Connect setup for your environment to maintain system security and functionality.
Supported Standards and Features
Agile.Now's OpenID Connect implementation provides a variety of features and standards:
- Issuer: `https://<server url>/`
- Authorization Endpoint: `https://<server url>/oauth/authorize`
- Token Endpoint: `https://<server url>/oauth/rest/v2/token`
- End Session Endpoint: `https://<server url>/oauth/logout`
- User Info Endpoint: `https://<server url>/oauth/rest/v2/default/me/userinfo`
- JWKS URI: `https://<server url>/oauth/rest/v2/default/.well-known/jwks-keys`
- Supported Scopes: `openid`, `profile`, `email`, `phone`, `roles`
- Supported Response Types: `code`, `token`, `id_token`, and combinations thereof
- Supported Response Modes: `query`, `fragment`
- Supported Subject Types: `public`
- Supported ID Token Signing Algorithms: `HS256`, `RS256`
- Supported Token Endpoint Authentication Methods: `client_secret_basic`, `client_secret_post`
- Supported Claims: (table provided below)
- HTTP Logout Supported: `true`
- Supported Token Endpoint Authentication Signing Algorithms: `HS256`, `RS256`
Supported Claims
Below is a table of the user information claims supported by Agile.Now's OpenID Connect implementation:
Name | Description |
---|---|
name | Full name of the user. |
given_name | Given name(s) or first name(s) of the user. |
family_name | Surname(s) or last name(s) of the user. |
email | Preferred email address of the user. |
email_verified | A boolean that indicates whether the user's email has been verified (true if verified). |
phone_number | Preferred phone number of the user. |
phone_number_verified | A boolean that indicates whether the user's phone number has been verified (true if verified). |
preferred_username | Shorthand name by which the user wishes to be referred to. |
oid | Object Identifier, a unique identifier for the user that remains constant across all applications. |
roles | Roles assigned to the user. |
tid | Tenant Identifier, identifying the specific tenant (organization) associated with the user. |
amr | Authentication Methods References, indicating the methods used in the authentication process. |
scp | Scopes, an array representing the scope of access. |
ipaddr | The IP address of the user when they authenticated. |
locale | Locale of the user, typically an ISO 639-1 language code and an ISO 3166-1 country code. |
exp | Expiration time on or after which the ID Token MUST NOT be accepted. |
auth_time | Time when the authentication occurred. |
iat | Issued At time at which the JWT was issued. |
iss | Issuer Identifier for the Issuer of the response. |
sub | Subject Identifier, a locally unique and never reassigned identifier for the user. |
aud | Audience(s) that this ID Token is intended for, typically the client ID of the OAuth client. |
azp | Authorized Party, the client ID of the OAuth client that requested the ID token. |
aid | The JWT claim of the selected user access group. Default value: `aid`. |
identifier | The JWT claim of the account identifier (e.g., SSN). This identifier is unique in the system if set. Default value: `identifier`. |
identifier_verified | Indicates whether the account identifier (e.g., SSN) has been verified. Default value: `identifier_verified`. |
nonce | A value used to associate a client session with an ID token and to mitigate replay attacks. |
By adhering to these standards, Agile.Now ensures a secure and seamless integration experience for users, allowing them to authenticate and access applications with confidence and ease.
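The claims table above is what a relying party has to check before trusting an ID Token. The following is an added example, not Agile.Now's own code: it verifies an HS256-signed ID Token with the client secret (Agile.Now also offers RS256, which would use the JWKS keys and a JOSE library instead) and then validates `iss`, `aud`/`azp`, `exp` and `nonce`. The issuer, client ID and client secret are constructed placeholders, and the token-minting helper exists only to produce sample input.

```python
import base64, hashlib, hmac, json, time

# Constructed values standing in for the real issuer (https://<server url>/) and a client registration.
ISSUER = "https://<server url>/"
CLIENT_ID = "agile-now-client"
CLIENT_SECRET = b"constructed-client-secret-for-this-example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed token; used here only to produce sample input for verify_id_token."""
    signing_input = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def verify_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> dict:
    """Verify the signature (algorithm pinned to HS256) and the ID Token claims; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # Pin the algorithm to what the client was configured for; the token's own header never chooses it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("audience mismatch")
    # With several audiences the azp claim must be present and name this client (OIDC Core 3.1.3.7).
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims
```

The `nonce` passed in must be the value the client generated for that login and stored in its session; comparing against a value taken from the request would defeat the replay check.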
Supported Standards and Features in Agile.Now's OpenID Connect Implementation
Agile.Now's integration with OpenID Connect (OIDC) is comprehensive, supporting a wide array of standards and features that enhance security and provide flexibility in authentication and identity management. Below, we delve into the details of each supported feature:
Issuer
The issuer is a URL that uniquely identifies the authorization server that issued the token. For Agile.Now, this is `https://<server url>/`.
Authorization Endpoint
This URL is used to initiate the authorization flow. Clients send requests to this endpoint, and users authenticate and grant consent here. For Agile.Now, it's `https://<server url>/oauth/authorize`.
Token Endpoint
Clients obtain tokens from this endpoint after authentication. It supports various grant types, including authorization code and refresh token. Agile.Now hosts this at `https://<server url>/oauth/rest/v2/token`.
End Session Endpoint
Also known as the logout endpoint, this URL allows users to end their session. Agile.Now provides this functionality at `https://<server url>/oauth/logout`.
User Info Endpoint
This endpoint provides information about the user. Once authenticated, clients can request user details such as name, email, and other profile information. Agile.Now's User Info Endpoint is accessible at `https://<server url>/oauth/rest/v2/me/userinfo`.
JWKS URI
The JSON Web Key Set (JWKS) endpoint contains the public keys that clients use to verify the signature of tokens. Agile.Now exposes this at `https://<server url>/oauth/rest/v2/default/.well-known/jwks-keys`.
Supported Scopes
Scopes define the level of access that the application is requesting from the user. Agile.Now supports scopes such as `openid`, `profile`, `email`, `phone`, `identifier`, etc., enabling fine-grained access control.
Scope | Claims Description |
---|---|
openid | (required) Returns the `sub` claim, which uniquely identifies the user. In an ID Token, additional claims like `tid`, `amr`, `ipaddr`, `locale`, and others may also be present. |
profile | Returns claims that represent basic profile information, including `name`, `family_name`, `given_name`, and `preferred_username`. |
email | Returns the `email` claim, which contains the user's email address, and `email_verified` to indicate if it has been verified. |
phone | Returns the `phone_number` claim and the `phone_number_verified` claim, indicating if the phone number has been verified. |
roles | Returns the user's assigned roles. |
nonce | A value used to associate a client session with an ID token and to mitigate replay attacks. |
Supported Response Types
Agile.Now supports various response types including `code` (Authorization Code Flow), `token` (Implicit Flow), and `id_token` (for obtaining an ID Token directly), among others. This versatility allows developers to choose the flow that best suits their application's needs.
Supported Response Modes
Response modes dictate how tokens are returned to the client. Agile.Now supports `query` and `fragment`, providing flexibility in how clients receive the authorization response.
Supported Subject Types
This defines how the subject (user) identifier is generated. Agile.Now uses the `public` subject type, where the `sub` claim is a public identifier for the user, unique across all clients.
Supported ID Token Signing Algorithms
Agile.Now supports `HS256` (HMAC with SHA-256) and `RS256` (RSA signature with SHA-256) to ensure robust token security.
Supported Token Endpoint Authentication Methods
Agile.Now supports `client_secret_basic` and `client_secret_post`, allowing clients to authenticate using a client secret sent in the HTTP Authorization header or in the request body.
HTTP Logout Supported
This indicates whether Agile.Now supports HTTP-based logout mechanisms. Agile.Now supports this, ensuring users can securely end their sessions.
Supported Token Endpoint Authentication Signing Algorithms
Agile.Now supports `HS256` (HMAC with SHA-256) and `RS256` (RSA signature with SHA-256) to ensure secure token authentication.
Code Challenge Method
Agile.Now supports the Proof Key for Code Exchange (PKCE) extension to OAuth 2.0. PKCE enhances security by requiring a code challenge, which protects against authorization code interception attacks. Agile.Now supports both `plain` and `S256` methods, with `S256` being recommended for enhanced security.
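The discovery document, scopes, endpoints and PKCE method described above fit together in one Authorization Code request. The following is an added example, not Agile.Now's own client code: it consumes a constructed discovery document that mirrors the values this page lists (a real client would fetch it from the `.well-known/openid-configuration` URI over TLS), checks the issuer and that `S256` is advertised, and builds the authorization request and the `client_secret_post` token request. Client ID, secret, redirect URI and the discovery JSON are constructed placeholders.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode

# Constructed discovery document mirroring the values this page lists. A real client fetches it over TLS
# from https://<server url>/oauth/rest/v2/default/.well-known/openid-configuration and caches it.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://<server url>/",
    "authorization_endpoint": "https://<server url>/oauth/authorize",
    "token_endpoint": "https://<server url>/oauth/rest/v2/token",
    "jwks_uri": "https://<server url>/oauth/rest/v2/default/.well-known/jwks-keys",
    "scopes_supported": ["openid", "profile", "email", "phone", "roles"],
    "response_types_supported": ["code", "token", "id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

def load_provider(discovery_json: str, expected_issuer: str) -> dict:
    """Parse the discovery document; refuse it if the issuer differs from the configured one or S256 is missing."""
    meta = json.loads(discovery_json)
    if meta.get("issuer") != expected_issuer:
        raise ValueError("discovery issuer does not match the configured issuer")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256; not falling back to plain")
    return meta

def new_verifier() -> str:
    # 32 random bytes give 43 unpadded base64url characters, inside the 43..128 range RFC 7636 requires.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode()

def build_authorize_url(meta: dict, client_id: str, redirect_uri: str, state: str, nonce: str,
                        verifier: str, scopes=("openid", "profile", "email")) -> str:
    """Authorization Code request carrying the S256 challenge; the verifier itself never leaves the client here."""
    unsupported = [s for s in scopes if s not in meta["scopes_supported"]]
    if unsupported:
        raise ValueError(f"scopes not supported by provider: {unsupported}")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state, "nonce": nonce, "response_mode": "query",
              "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256"}
    return meta["authorization_endpoint"] + "?" + urlencode(params)

def build_token_request(meta: dict, client_id: str, client_secret: str, code: str, redirect_uri: str, verifier: str):
    """Body for the token endpoint using client_secret_post; the verifier lets the server recompute the challenge."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret, "code_verifier": verifier}
    return meta["token_endpoint"], body
```

The `state`, `nonce` and verifier are generated per login and kept in the client session until the redirect back arrives, so the callback handler can tie the returned `code` to the request that produced it.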
Conclusion
By implementing these standards and features, Agile.Now ensures that its OIDC integration is robust, flexible, and secure, providing users and developers with a seamless authentication and identity management experience.