OpenID Connect 1.0

 

OpenID Connect 1.0 in Azure Active Directory (Azure AD) enables you to use the OAuth 2.0 protocol for single sign-on. OAuth 2.0 is an authorization protocol, but OpenID Connect extends OAuth 2.0 for use as an authentication protocol. A primary feature of the OpenID Connect protocol is that it returns an id_token, which is used to authenticate the user. For more information about OpenID Connect, see the specification, OpenID Connect Core 1.0.

Here is a sample OpenID Connect request to Azure AD:

https://login.windows.net/common/oauth2/authorize?response_type=id_token&client_id=4ae4904e-e989-4755-8c74-f805d37cc8bd&scope=openid&nonce=7362CAEA-9CA5-4B43-9BA3-34D7C303EBA7&response_mode=form_post

In addition to the support for the id_token response type, we have added support for the following parameters in the request.

Parameter

Description

nonce

[Required] This is value is used to protect against token replay attacks. The value provided in the request must match the nonce claim value that is returned in the id_token. This nonce must be unique to a user session and difficult to guess, such as a GUID.

response_mode

[Required] Indicates the encoding of the response. Supported values are fragment (URL fragment) and form_post (HTTP form POST).

Note

The response_mode parameter is required, because the current default response encoding is in a query parameter. This behavior is incompatible with the specification and the default value is likely to change. To prevent your client from failing in the future, include the response_mode parameter in the request with a value of fragment or form_post.

See Also

OAuth 2.0 in Azure AD