Integration interfaces

The Connect2id server offers a set of powerful interfaces for plugging in your enterprise data sources, branded UI/UX and business / authorisation logic. These can be:

  • Web interfaces -- For maximum flexibility, based on REST and JSON;
  • Java Service Provider Interfaces (SPI) -- For maximum performance with Java-based modules; may be implemented as connectors to a web service for additional flexibility.

To run your own OpenID Connect provider you only need to link a user authentication source and UI via the authorisation session web API. The remaining integration points are optional.

| Interface | Type | Requirement | Purpose |
|---|---|---|---|
| Authorisation session | web | required | Integrate your branded login page (UI), your subject (end-user) authentication methods and your business / authorisation logic for setting the claims and scopes of the issued ID and access tokens. |
| Logout session | web | optional | Integrate a logout page (UI) for receiving end-session requests from OpenID clients and other applications. |
| Direct authorisation | web | optional | Create SSO sessions and obtain ID / access tokens directly, without any end-user interaction. Can be used to federate external identity providers, such as business partners and social logins from Facebook, Twitter, etc. |
| Authorisation store | web | optional | Query, update and revoke issued OAuth 2.0 / OpenID Connect authorisations as well as the associated access and refresh tokens. |
| Subject session store | web | optional | Query, access and manage the SSO sessions of subjects (end-users) with the Connect2id server. |
| Monitoring | web | optional | Obtain server usage and performance metrics, run health-checks. |
| Configuration check | web | optional | Validate a Connect2id server configuration before applying it. |
| Tenants registry | web | optional | Manage Connect2id server tenants (multitenant edition only). |
| Claims source | SPI | required | Integrate OpenID Connect claims sources, such as LDAP directories, SQL databases and HR management systems. |
| Password grant handler | SPI | optional | Plug in your own authorisation logic for handling OAuth 2.0 resource owner password credentials grants. |
| Client credentials grant handler | SPI | optional | Plug in your own authorisation logic for handling OAuth 2.0 client credentials grants. |
| JWT bearer assertion grant handler | SPI | optional | Plug in your own authorisation logic for handling client-issued and third-party issued (token service) JWT bearer assertion grants. |
| SAML 2.0 bearer assertion grant handler | SPI | optional | Plug in your own authorisation logic for handling client-issued and third-party issued (token service) SAML 2.0 bearer assertion grants. |
| Token issue events | SPI | optional | Relay token issue events to other services. |
| Custom access token encoding and introspection | SPI | optional | Customise access token encoding and introspection responses. |
| Custom token response | SPI | optional | Customise token success and error responses. |
| Client metadata validator | SPI | optional | Carry out additional validation or shaping of OAuth 2.0 client / OpenID relying party registration metadata after the Connect2id server has completed the standard validations. |
| PAR validator | SPI | optional | Carry out additional validation of Pushed Authorisation Requests (PAR). |