OpenID Connect (OIDC) is an authentication protocol, based on the OAuth 2.0 specifications. While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication.
MIRACL Trust is a standards-compliant OpenID Connect provider. You can use any OIDC Relying Party Library to integrate with MIRACL Trust. For a list of certified OpenID Connect Libraries, see https://openid.net/developers/certified/.
This page provides general information about integrating with the OpenID Connect implementation exposed by MIRACL Trust. For high-level information about OIDC, see https://openid.net/connect/. For a full reference of all MIRACL Trust OIDC endpoints see the OIDC API Reference.
# Quick Reference
Setting | Value |
---|---|
Configuration Discovery | https://api.mpin.io/.well-known/openid-configuration |
Issuer | https://api.mpin.io |
Authorization Endpoint | https://api.mpin.io/authorize |
JWKS URI | https://api.mpin.io/oidc/certs |
Token Endpoint | https://api.mpin.io/oidc/token |
Userinfo Endpoint | https://api.mpin.io/oidc/userinfo |
View the full OIDC API reference
# Configuration Discovery
MIRACL Trust exposes OpenID Connect (OIDC) configuration discovery
(https://api.mpin.io/.well-known/openid-configuration
). This is used for
automatic configuration of your applications.
If you already have an OIDC implementation available in your application, you
can easily configure it to use the MIRACL Trust service. Most clients are
configured only with the issuer URL (https://api.mpin.io
) and are automaticaly
configured using configuration discovery.
# Authorization Endpoint
The user authorization endpoint in MIRACL Trust is
https://api.mpin.io/authorize
. An example for generated authorization URI is:
https://api.mpin.io/authorize?client_id=<YOUR_CLIENT_ID>&redirect_uri=<YOUR_REDIRECT_URI>&response_type=code&scope=openid+email
Here is a short description of the params in that URI:
client_id
- The Client ID generated on application creation in the MIRACL Trust Console. (The one mentioned in the Get started section)response_type
- Determines what authorization processing flow is used.scope
- The OIDC scopes that are used during authentication to authorize access to a user’s details (supported scopes).redirect_uri
- The place where your application receives and process the response from MIRACL.state
- Used to maintain state between request and callback.
For a full list of supported parameters and their description see the OIDC API Reference.
For more information, you can visit the Authorization Endpoint section in the OIDC Specification.
# JWKS
JSON Web Key Set (JWKS) contains the public keys that should be used to verify
the ID and access JSON Web Tokens (JWT) issued by MIRACL Trust. You can fetch
JWKS from https://api.mpin.io/oidc/certs
.
Note that you should not hardcode the JWKS, as it is a subject of change. The OIDC client needs to fetch the JWKS dynamically in order to assure that the ID and access tokens are properly signed.
# Token Endpoint
To exchange ID and access tokens use the https://api.mpin.io/oidc/token
endpoint. You have to authenticate requests with Client ID and Client
Secret.(Get Started). The token endpoint supports basic
and post authentication.
For more details refer to OIDC API Reference
# Userinfo Endpoint
To recieve information about the authenticated user use the
https://api.mpin.io/oidc/userinfo
endpoint. You must authenticate the request
with an access token (returned from the token endpoint).
For more details refer to OIDC API Reference
# OIDC Authentication Flow
sequenceDiagram User -> Relying Party: Start Authentication Relying Party -> MIRACL Trust: Authentication request MIRACL Trust -> User: Authenticate user User -> Relying Party: Redirect with access code Relying Party -> MIRACL Trust: Exchange code for ID and access tokens User -> Relying Party: Authorize user
# OIDC Samples
For samples of integrations with MIRACL Trust using OpenID Connect for different technologies using popular open-source libraries see https://github.com/miracl/oidc-samples/tree/master/samples.