Concept | Note |
--- | --- |
OIDC | OIDC (OpenID Connect) is an authentication protocol built on OAuth 2.0. While OAuth is an authorization protocol, OIDC adds an identity layer on top of it. In addition to the authorization capabilities provided by OAuth, OIDC allows clients to verify the identity of end users and obtain their basic information through the OIDC protocol's HTTP RESTful APIs. |
OIDC Token | OIDC can issue identity tokens on behalf of logged-in users to applications, known as OIDC tokens. OIDC tokens are used to retrieve the basic information of the logged-in user. |
Temporary ID Credential | Security Token Service (STS) is a temporary access permission management service provided by Tencent Cloud. It allows applications to obtain temporary identity credentials (STS Tokens) with a customized validity period and access permissions. |
Issuer URL | The Issuer URL, provided by the external IdP, corresponds to the 'iss' field value of the OIDC Token. It must start with https and conform to the standard URL format, and it must not contain query parameters (indicated by ?), fragment sections (indicated by #), or login information (indicated by @). |
Client ID | When your application is registered with an external IdP, a Client ID is generated. You must use this client ID when requesting an OIDC token from the external IdP, and the issued OIDC token carries it in the 'aud' field. The same client ID is configured when the OIDC IdP is created in Tencent Cloud. When the OIDC token is later exchanged for an STS Token, Tencent Cloud verifies that the client ID carried in the 'aud' field of the OIDC token matches the one configured in the OIDC IdP. Role assumption is only permitted when they are consistent. |
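
The checks described in the table, as an added example that is not Tencent Cloud's own code: the Issuer URL format rules, and the `iss`/`aud`/`exp` claim checks that an OIDC IdP configuration implies. The issuer, client ID and token contents below are constructed sample values, and the token is unsigned test data only; a real token exchange must also verify the token signature against the IdP's published keys.

```python
import base64
import json
from urllib.parse import urlsplit


def issuer_url_is_valid(url: str) -> bool:
    """Issuer URL rules from the table: https scheme, well-formed host,
    and no query (?), fragment (#) or login information (@)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    # Reject the three forbidden components anywhere in the URL.
    return not any(ch in url for ch in "?#@")


def _b64url_encode(data: dict) -> str:
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token for testing only."""
    return f"{_b64url_encode({'alg': 'none'})}.{_b64url_encode(claims)}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT (no signature check here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_idp(token: str, issuer_url: str, client_id: str, now: int) -> tuple:
    """Mirror the exchange-time checks: iss must equal the configured
    Issuer URL, aud must contain the configured Client ID, and the
    token must not be expired. Returns (allowed, reason)."""
    claims = jwt_claims(token)
    if claims.get("iss") != issuer_url:
        return (False, "iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        return (False, "aud mismatch")
    if int(claims.get("exp", 0)) <= now:
        return (False, "expired")
    return (True, "ok")


# Constructed sample: an IdP configuration and a token it would issue.
SAMPLE_ISSUER = "https://idp.example.com/oidc"
SAMPLE_CLIENT_ID = "app-client-id-123"
SAMPLE_TOKEN = make_unsigned_sample_token({
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "user-1",
    "iat": 1700000000, "exp": 1700000600,
})
```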