OpenID Connect (OIDC)

The OIDC protocol allows an application (EMu) to delegate authentication to an external identity provider. The identity provider handles confirmation of the user's credentials in a web browser and then authorizes the application, via a secure mechanism, to allow access to some of the user's basic profile information such as their name or email address. When signing in for the first time the user is requested to allow access to the information required by the application. This allows the user to review and confirm the information that an application can access.

The protocol does not specify the method used for authentication. This allows identity providers the scope to offer different authentication methods, most commonly username / password authentication, and extensions, such as multi-factor authentication.

More details about OIDC are available here.

Why use OpenID Connect?

Benefits of using OIDC with EMu are:

  • Improved security

    The EMu application never handles the user's password as user authentication is delegated to a separate provider. Centralizing authentication and minimizing exposure to user secrets means less risk of those secrets being leaked or compromised.

  • Reduced administration

    The necessity to maintain separate passwords for multiple services including EMu or configuring EMu to consult existing password sources is removed when using OIDC. Similarly, the administration of other organizational requirements, such as password ageing or password validation, only has to be configured for the identity provider.

  • Single Sign-On

    If the user is already authenticated with their provider, they are not required to enter their credentials again when signing into EMu.

Requirements

The minimum requirements to use OIDC in EMu are:

  • Texpress version 9.0.027 or greater
  • EMu version 6.5 or greater