# OpenID Protocol

**OpenID** is an open standard and decentralized authentication protocol that enables secure user authentication across multiple applications without requiring users to manage separate credentials for each system.

In modern enterprise architecture, OpenID is most commonly implemented as **OpenID Connect (OIDC)**, which is an authentication layer built on top of **OAuth 2.0**.

OpenID allows users to authenticate using an existing identity provided by a trusted provider, while applications rely on standardized tokens to verify identity securely.

***

### Purpose of OpenID Authentication

OpenID authentication is designed to:

* Enable **Single Sign‑On (SSO)** across multiple applications
* Reduce password proliferation and credential fatigue
* Centralize identity management using trusted providers
* Improve security, auditability, and compliance
* Support modern identity federation patterns

Many large organizations issue or accept OpenID identities as part of their enterprise IAM strategy under the **OpenID Foundation** standards.

***

### OpenID Connect Actors

An OpenID Connect interaction involves **three key actors**:

#### OpenID Provider (OP)

The **OpenID Provider** is the **Authorization Server** responsible for:

* Authenticating the end user
* Issuing identity‑related tokens
* Providing user claims

Examples include enterprise IAM platforms or identity providers.

***

#### Relying Party (RP)

The **Relying Party** is the client application that:

* Requests user authentication
* Receives authentication results
* Relies on the OpenID Provider to verify identity

In the ONEWEB ecosystem, the relying party is typically an application integrating through **IAM2**.

***

#### End User

The **End User** is the human being whose identity is:

* Authenticated by the OpenID Provider
* Represented by issued tokens and claims

***

### OpenID Support in ONEWEB (IAM2)

Starting from **ONEWEB version 4.0.19.10**, **IAM2** supports authentication using the **OpenID protocol**.

In the current version:

* IAM2 supports **individual response types only**, that is, one value in `response_type` per authentication request
* Combination response types (more than one value in `response_type`, for example `code id_token`) are not yet supported

***

### Supported OpenID Response Types

IAM2 currently supports the following **four OpenID response types**:

***

#### Response Type: `code`

**(Authorization Code Flow)**

When the response type is **`code`**, the OpenID Provider returns an **authorization code**.

* The Relying Party exchanges this code for tokens (ID Token / Access Token)
* Token exchange happens on the **server side**
* This is the **most secure and recommended flow** for enterprise applications

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2F8Ik5FyH93fpSOhxM1eKL%2Fimage.png?alt=media&#x26;token=f02ef01a-e975-4e7b-91d7-ff9dd5d8735a" alt=""><figcaption></figcaption></figure>

***

#### Response Type: `token`

**(Implicit Flow – Access Token)**

When the response type is set to **`token`**:

* An **Access Token** is returned directly to the Relying Party
* The Access Token represents authorization to access protected resources
* Commonly used in browser‑based or lightweight clients

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2F5u0QINxlNxL07osLbhKU%2Fimage.png?alt=media&#x26;token=b48711ad-7d58-469e-bdd8-4a9af8d345a0" alt=""><figcaption></figcaption></figure>

Implicit flows are generally less secure than authorization‑code flows and should be used cautiously.

***

#### Response Type: `id_token`

**(Implicit Flow – Identity Token)**

When the response type is **`id_token`**:

* An **ID Token** is returned directly
* The ID Token contains:
  * Authentication result
  * Identity claims about the End User
* Additional user information requires calling the **UserInfo endpoint** using an Access Token

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2FI7cpzVMgkbNCG6Ml26C8%2Fimage.png?alt=media&#x26;token=4f111607-66fb-496a-aff8-c26bf1ffdd30" alt=""><figcaption></figcaption></figure>

***

#### Response Type: `none`

When the response type is set to **`none`**:

* No authorization code or tokens are returned
* Used when the client does not require authentication results
* Mainly applicable to specialized or verification‑only flows
* The `none` response type **cannot be combined** with other response types
* IAM2 currently **does not support combination response types**
* Combination response types may be supported in future IAM2 releases
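As an added example (not ONEWEB's or IAM2's own code), the Relying Party side of the four response types above: building an authentication request for a single response type, as IAM2 requires, and then reading the result back from the redirect URL and checking `state`. The authorization endpoint, client ID and redirect URI are placeholder values, not real IAM2 settings.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# IAM2 accepts exactly one response type per request; hybrid combinations
# such as "code id_token" are rejected because IAM2 does not support them yet.
SUPPORTED_RESPONSE_TYPES = {"code", "token", "id_token", "none"}

# Hypothetical endpoint and client registration values, not real IAM2 values.
AUTHORIZE_ENDPOINT = "https://iam2.example.invalid/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/callback"


def build_authn_request(response_type, state, nonce=None):
    """Return the authentication request URL for one supported response type."""
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        raise ValueError(f"IAM2 supports a single response type, got {response_type!r}")
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,  # ties the callback to this browser session (anti-CSRF)
    }
    if response_type == "id_token":
        # OIDC requires a nonce when the ID Token comes straight back in the redirect
        if nonce is None:
            raise ValueError("nonce is required for response_type=id_token")
        params["nonce"] = nonce  # must be echoed in the ID Token's nonce claim
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(response_type, callback_url, expected_state):
    """Verify state and return the code/token the OP sent back, or None for 'none'."""
    url = urlparse(callback_url)
    # code and none come back in the query string; the implicit variants
    # (token, id_token) come back in the URL fragment, which browsers do not
    # send to the server, so only front-end code can read them.
    raw = url.query if response_type in ("code", "none") else url.fragment
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if "error" in params:
        raise RuntimeError(f"OpenID Provider returned error: {params['error']}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise RuntimeError("state mismatch: callback does not belong to this session")
    key = {"code": "code", "token": "access_token", "id_token": "id_token"}.get(response_type)
    return params[key] if key else None
```

For `code`, the value returned here is then exchanged for tokens server-side at the OP's token endpoint, which is the step that keeps that flow the recommended one.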

***

### Implementing OpenID via IAM2

Once a **Client ID** is registered with ONEWEB IAM2:

* Applications can initiate OpenID authentication requests
* Tokens are issued and validated according to the configured response type
* Authentication results can be securely consumed by the relying application

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2FboHQFwIMoEsn7t27XVoA%2Fimage.png?alt=media&#x26;token=fdc226a6-b00b-40b6-98c1-657877342acc" alt=""><figcaption></figcaption></figure>

***

### Security & Compliance Considerations

When using OpenID authentication:

* Prefer **Authorization Code Flow (`code`)** for enterprise systems
* Protect tokens in transit and at rest
* Enforce HTTPS for all OpenID endpoints
* Monitor authentication events for audit and compliance
* Align with organizational IAM and identity governance policies

OpenID authentication helps meet compliance requirements by:

* Centralizing identity control
* Enabling traceable authentication events
* Reducing password‑related risks

***

### Summary

**OpenID (OpenID Connect)** provides a standardized, secure, and scalable approach to authentication in modern enterprise systems.

In ONEWEB (via IAM2), OpenID enables:

* Federated authentication
* Single Sign‑On (SSO)
* Token‑based identity verification
* Alignment with modern security and compliance standards

OpenID authentication is a recommended approach for **secure, compliant, and future‑ready identity management** on the ONEWEB platform.

