With the new OpenID Connect specification, we finally have an authentication technology to work in conjunction with OAuth 2. Since the draft days of OAuth 2, companies like Facebook have been using OAuth 2 for both authentication (logging a user in) and authorization (granting an application permission to do something on behalf of a user). The unfortunate part is that OAuth 2 really didn’t have all of the appropriate features to make this completely viable. OpenID Connect provides some additional identity management endpoints that make it very viable to take on both the authentication and authorization role. The best part? OpenID Connect is based on the same specifications as OAuth 2, so it’s easily upgradable.
In this post we’re going to take a look at how to migrate an integration from OAuth 2 to OpenID Connect. For this we are going to use PayPal Access, which supports both protocols.
This upgrade is to migrate your integration from OAuth 2 to OpenID Connect. For those of you who are not familiar with the OpenID Connect flow, it is almost identical to the OAuth 2 flow, but with some user session management and verification endpoints tacked on.
Please note, this quick and dirty implementation should be followed up with a complete migration to OpenID Connect in the future. Here are several code samples of full end-to-end integrations of OpenID Connect:
Here’s the quick migration from OAuth 2 to OpenID Connect:
First, change your PayPal Access endpoints from OAuth 2 to OpenID Connect. The OAuth 2 endpoints should look similar to:
define('AUTHORIZATION_ENDPOINT', 'https://identity.x.com/xidentity/resources/authorize');
define('ACCESS_TOKEN_ENDPOINT', 'https://identity.x.com/xidentity/oauthtokenservice');
define('PROFILE_ENDPOINT', 'https://identity.x.com/xidentity/resources/profile/me');
These should be upgraded to:
define('AUTHORIZATION_ENDPOINT', 'https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize');
define('ACCESS_TOKEN_ENDPOINT', 'https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/tokenservice');
define('PROFILE_ENDPOINT', 'https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/userinfo');
Next, in the first call you make to redirect the user to log in to PayPal and accept your application permissions, you need to change the scope that you are using. To capture the profile in OAuth 2, you would use the following scope:
We need to change that to:
The full list of available scopes for OpenID Connect is (make sure to space-separate multiple scopes):
Lastly, you need to change the GET parameters that are sent along with the call to get the profile information of the user after you get the access token. Within the OAuth 2 integration, a call to the profile endpoint will include the URI to the endpoint (changed in the first step) and will pass along the oauth_token. This will look something like this:
$profile_url = sprintf("%s?oauth_token=%s", PROFILE_ENDPOINT, $token->access_token);
We need to change this to pass in two GET parameters, the schema and the access_token (the same value that was sent as oauth_token). This will look something like this:
$profile_url = sprintf("%s?schema=openid&access_token=%s", PROFILE_ENDPOINT, $token->access_token);
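The three steps above, collected into a few helpers. This is an added example, not code from the original post or from PayPal: the endpoint constants are the OpenID Connect ones from step one, while CLIENT_ID, REDIRECT_URI, the 'profile' scope and the session-based state check are assumptions.

```php
<?php
// Added example (not from the original post). Endpoints are the OpenID
// Connect ones from step one of the migration.
define('AUTHORIZATION_ENDPOINT', 'https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize');
define('ACCESS_TOKEN_ENDPOINT', 'https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/tokenservice');
define('PROFILE_ENDPOINT', 'https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/userinfo');

// Step two: scopes are space-separated. 'openid' is the scope OpenID
// Connect requires; 'profile' is an assumed example of an additional scope.
function oidc_scope(array $scopes = ['openid', 'profile']) {
    return implode(' ', $scopes);
}

// Step two (continued): build the URL the user is redirected to. The
// 'state' value is generated here and kept in the session so the callback
// can reject responses that this user never started (CSRF protection).
function build_authorize_url($client_id, $redirect_uri) {
    $_SESSION['oidc_state'] = bin2hex(random_bytes(16));
    $params = [
        'client_id'     => $client_id,
        'response_type' => 'code',
        'scope'         => oidc_scope(),
        'redirect_uri'  => $redirect_uri,
        'state'         => $_SESSION['oidc_state'],
    ];
    return AUTHORIZATION_ENDPOINT . '?' . http_build_query($params);
}

// Callback: compare the returned state with the stored one, in constant
// time, before exchanging the code for a token.
function check_callback_state(array $query) {
    return isset($query['state'], $_SESSION['oidc_state'])
        && hash_equals($_SESSION['oidc_state'], $query['state']);
}

// Step three: the userinfo request carries schema=openid and access_token.
// http_build_query URL-encodes the token, which sprintf does not.
function build_profile_url($access_token) {
    return PROFILE_ENDPOINT . '?' . http_build_query([
        'schema'       => 'openid',
        'access_token' => $access_token,
    ]);
}
```

Because the access token travels in the query string, it can end up in web server and proxy logs; make the userinfo request from your server, never from the browser, and keep those logs restricted.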
Your implementation should now work and be migrated to the OpenID Connect flow. Congrats!