Build an OpenID Connect IdP server

To build an IdP server on top of an existing OAuth deployment, follow these steps:

  1. Add a Create ID Token filter (see Create an OpenID Connect ID token) to the token endpoint policy, after the Access Token using Authorization Code filter (see Get access token using authorization code). If API Gateway will also support the implicit or hybrid grant types, add a Create ID Token filter to the authorization endpoint policy as well, after the Authorization Code Flow filter (see Consume authorization requests), because in those flows the ID token is returned directly from the authorization endpoint.
  2. Create a UserInfo endpoint. This is similar to any other OAuth-protected resource: the policy uses a Validate Access Token filter (see Validate access token) with a minimum scope requirement of openid. After successful validation, the UserInfo policy must build a JSON object response containing claims about the user associated with the access token. The Validate Access Token filter identifies that user through the authentication.subject.id message property. The sub claim is required in every UserInfo response and must exactly match the sub claim in the ID token issued for the same user; the other claims returned should be limited to those permitted by the scopes granted to the token (for example, profile and email), and the endpoint must be served over HTTPS.

     The following is a non-normative example of the JSON response (note that email_verified is a JSON boolean, as the specification requires, not the string "true"):

     {
      "kind": "APIGatewayOpenIdConnect",
      "gender": "female",
      "sub": "sampleuser",
      "name": "Sample User",
      "given_name": "Sample",
      "family_name": "User",
      "picture": "https://URL.TO.IMAGE/",
      "email": "sampleuser@gateway",
      "email_verified": true,
      "locale": "en"
     }
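The following is an added, stand-alone example of the UserInfo endpoint logic described in step 2, written here as illustration; it is not code from API Gateway and does not use its policy or script-filter API. It assumes a constructed token store (standing in for what the Validate Access Token filter would resolve: subject, granted scopes, expiry), a constructed user directory keyed by the subject identifier, and a fixed clock. It goes slightly beyond the text by showing the scope-to-claims mapping from OpenID Connect Core section 5.4 and the Bearer error challenges from RFC 6750, so that a token without the openid scope is refused rather than answered.

```javascript
// Added example: a minimal OpenID Connect UserInfo endpoint handler.
// Illustrative code only; not the API Gateway policy or its script-filter API.
// Token store, user directory, request shape and clock below are constructed assumptions.

// Fixed "current time" in seconds so expiry checks are deterministic.
const NOW = 1700000000;

// Constructed token store: what the Validate Access Token step would yield per token.
const TOKEN_STORE = {
  "tok-openid-profile-email": { sub: "sampleuser", scope: ["openid", "profile", "email"], expires: NOW + 3600 },
  "tok-openid-only":          { sub: "sampleuser", scope: ["openid"], expires: NOW + 3600 },
  "tok-no-openid":            { sub: "sampleuser", scope: ["resource.READ"], expires: NOW + 3600 },
  "tok-expired":              { sub: "sampleuser", scope: ["openid", "email"], expires: NOW - 1 },
};

// Constructed user directory keyed by the authenticated subject (authentication.subject.id).
const USERS = {
  sampleuser: {
    name: "Sample User", given_name: "Sample", family_name: "User",
    gender: "female", picture: "https://URL.TO.IMAGE/", locale: "en",
    email: "sampleuser@gateway", email_verified: true, // boolean, as OIDC Core requires
  },
};

// OIDC Core section 5.4: the claims each scope value unlocks. "openid" unlocks only "sub".
const SCOPE_CLAIMS = {
  profile: ["name", "given_name", "family_name", "gender", "picture", "locale"],
  email: ["email", "email_verified"],
};

// Extract the access token from an Authorization header, Bearer scheme only (RFC 6750 section 2.1).
function bearerToken(headers) {
  const value = headers.authorization || "";
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i.exec(value.trim());
  return m ? m[1] : null;
}

// Build an RFC 6750 section 3 error response with a WWW-Authenticate challenge.
function challenge(status, error, description) {
  const attrs = [`realm="userinfo"`, `error="${error}"`];
  if (description) attrs.push(`error_description="${description}"`);
  if (error === "insufficient_scope") attrs.push(`scope="openid"`);
  return { status, headers: { "WWW-Authenticate": `Bearer ${attrs.join(", ")}` }, body: null };
}

// The UserInfo endpoint: validate the token, require the openid scope,
// then return only the claims the token's scopes permit. "sub" is always present.
function userinfo(request, now = NOW) {
  const token = bearerToken(request.headers);
  if (!token) return challenge(401, "invalid_request", "missing bearer token");

  const entry = TOKEN_STORE[token];
  if (!entry || entry.expires <= now) return challenge(401, "invalid_token", "token is invalid or expired");

  if (!entry.scope.includes("openid")) return challenge(403, "insufficient_scope", "openid scope required");

  const user = USERS[entry.sub];
  if (!user) return challenge(401, "invalid_token", "unknown subject");

  const claims = { sub: entry.sub }; // REQUIRED and must equal the ID token's sub
  for (const scope of entry.scope) {
    for (const name of SCOPE_CLAIMS[scope] || []) {
      if (name in user) claims[name] = user[name];
    }
  }
  return { status: 200, headers: { "Content-Type": "application/json" }, body: JSON.stringify(claims) };
}

// Stand-alone demonstration over every constructed token plus an unknown one.
for (const t of Object.keys(TOKEN_STORE).concat(["not-a-token"])) {
  console.log(t, JSON.stringify(userinfo({ headers: { authorization: `Bearer ${t}` } })));
}
```

A token carrying only the openid scope yields just {"sub":"sampleuser"}; a token without openid gets a 403 with error="insufficient_scope" and scope="openid" in the challenge, and an expired or unknown token gets a 401 with error="invalid_token", so a relying party can distinguish a re-consent problem from a token refresh problem.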