- Introduction to OpenID Connect
- Enabling OpenID Connect for OAuth applications
- Shared information
- Troubleshooting
OpenID Connect identity provider
In this document you'll learn more about using WVS as an OpenID Connect identity provider to sign in to other services.
Introduction to OpenID Connect
OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to:
- Verify the identity of the end-user based on the authentication performed by WVS.
- Obtain basic profile information about the end-user in an interoperable and REST-like manner.
OIDC performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and mobile applications.
On the client side, you can use OmniAuth::OpenIDConnect for Rails applications, or any of the other available client implementations.
The WVS implementation uses the doorkeeper-openid_connect gem; refer to its README for details about which parts of the specification are supported.
Enabling OpenID Connect for OAuth applications
Refer to the OAuth guide for basic information on how to set up OAuth applications in WVS. To enable OIDC for an application, all you have to do is select the openid scope in the application settings.
Shared information
The following user information is shared with clients:
Claim | Type | Description |
---|---|---|
sub | string | The ID of the user |
auth_time | integer | The timestamp for the user's last authentication |
name | string | The user's full name |
nickname | string | The user's WVS username |
email | string | The user's email address. This is the user's primary email address if the application has access to the email claim, and the user's public email address otherwise. |
email_verified | boolean | Whether the user's email address was verified |
website | string | URL for the user's website |
profile | string | URL for the user's WVS profile |
picture | string | URL for the user's WVS avatar |
groups | array | Paths for the groups the user is a member of, either directly or through an ancestor group. |
groups_direct | array | Paths for the groups the user is a direct member of. |
https://wvs.io/claims/groups/owner | array | Names of the groups the user is a direct member of with Owner role |
https://wvs.io/claims/groups/maintainer | array | Names of the groups the user is a direct member of with Maintainer role |
https://wvs.io/claims/groups/developer | array | Names of the groups the user is a direct member of with Developer role |
The claims sub, sub_legacy, email, email_verified and groups_direct are included in the ID token. All other claims are available from the /oauth/userinfo endpoint used by OIDC clients.
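As an added example (not WVS code or part of the original page), the following shows how a relying party would consume these claims: the standard ID token checks, using email only when email_verified is true, and mapping the WVS role claims to an application decision. It assumes the ID token signature has already been verified against the provider's JWKS by an OIDC library, and the issuer URL, client ID and sample claim values are constructed placeholders.

```python
import time

ISSUER = "https://wvs.example"     # assumption: your WVS base URL
CLIENT_ID = "my-app-client-id"     # assumption: the OAuth application ID

# Role claims documented for WVS; they carry group names, groups_direct carries paths.
ROLE_CLAIMS = (
    ("owner", "https://wvs.io/claims/groups/owner"),
    ("maintainer", "https://wvs.io/claims/groups/maintainer"),
    ("developer", "https://wvs.io/claims/groups/developer"),
)

# Constructed sample: decoded ID token payload (signature assumed verified).
ID_TOKEN_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "exp": 1_700_000_600, "iat": 1_700_000_000,
    "nonce": "n-0S6_WzA2Mj", "sub": "42", "sub_legacy": "legacy-42",
    "email": "alice@example.com", "email_verified": True,
    "groups_direct": ["platform", "platform/infra"],
}

# Constructed sample: response from /oauth/userinfo for the same user.
USERINFO = {
    "sub": "42", "name": "Alice Example", "nickname": "alice",
    "groups": ["platform", "platform/infra", "platform/infra/ops"],
    "https://wvs.io/claims/groups/owner": ["platform/infra"],
    "https://wvs.io/claims/groups/maintainer": ["platform"],
    "https://wvs.io/claims/groups/developer": [],
}


def validate_id_token_claims(claims, nonce, now=None):
    """Standard OIDC checks on an ID token; returns the list of failing claims."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")          # token from a different provider
    if CLIENT_ID not in aud:
        problems.append("aud")          # token issued for another application
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")          # expired or malformed expiry
    if claims.get("nonce") != nonce:
        problems.append("nonce")        # does not match this login attempt
    if not claims.get("sub"):
        problems.append("sub")          # no stable subject to key the account on
    return problems


def trusted_email(claims):
    """Return the email only when the provider reports it as verified."""
    return claims.get("email") if claims.get("email_verified") is True else None


def effective_role(userinfo, group_name):
    """Highest direct role on `group_name` according to the WVS role claims."""
    for role, claim in ROLE_CLAIMS:
        if group_name in userinfo.get(claim, []):
            return role
    return None
```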
Troubleshooting
For additional support, please reach out to us on our Discord or by Email.