Key concepts
- Last Updated: Aug 21, 2024
OpenID Connect
OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 framework of specifications. It simplifies the way to verify the identity of users based on the authentication performed by an authorization server and to obtain user information in an interoperable and REST-like manner.
OpenID Connect enables an Internet identity ecosystem through easy integration and support, security and privacy-preserving configuration, interoperability, wide support of clients and devices, and enabling any entity to be an OpenID Provider (OP).
Client
Client software that requests tokens, either to authenticate a user or to access a resource. A client must be registered with the OpenID Provider. Clients can be web applications, native mobile and desktop applications, and so on.
Clients must be configured in Identity Manager before they can be used. Ideally, this is performed when you install and configure the application for the first time.
Client ID
A client ID is the unique identifier of the application that the administrator created in Microsoft Entra ID to register a product AIM Server. It is a public identifier for applications that use OAuth 2.0 to authenticate users. It is usually a unique 32-character hex string.
Client secret
A client secret is a secret key that only the application and the authorization server know. It is used to authenticate the application when it requests a token from the authorization server. It is a secret string that the application uses to prove its identity when requesting a token in Microsoft Entra ID, also known as an application password. It is different from the client ID, which is a public identifier for the application.
Endpoint
An authorization endpoint is a URL that is used by a client application to obtain authorization from the resource owner (usually the user) to access their data. It is part of the OAuth 2.0 protocol, which is used for authentication and authorization on the web. The authorization endpoint can return an authorization code or an access token, depending on the grant type requested by the client.
Issuer
The Issuer is the unique identifier of the AVEVA Identity Manager server instance. This feature is available for AVEVA Identity Manager 1.2 and later.
Identity token
An identity token represents the outcome of an authentication process. It contains an identifier for the user and information about how and when the user authenticated. It can contain additional identity data.
A token obtained from an OpenID Connect endpoint has a finite lifetime. This information is encoded into the token, and the lifetime can be anywhere from a few minutes to a few days.
There are two methods for obtaining a token:
- Automatic refresh of the token
- Manual refresh of the token
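The identity token's issuer, audience and encoded lifetime described above, checked in code. This is an added example, not AVEVA's or the PCS client's own code; the issuer URL and client ID are assumed values, and the sample token is constructed for the demo with a placeholder signature (the OIDC library verifies the real signature before these claims are trusted).

```python
import base64
import json

# Assumed values (not from the page): the AIM issuer URL the client was
# configured with, and the client ID it was registered under.
CONFIGURED_ISSUER = "https://aim.example.internal"
CLIENT_ID = "0123456789abcdef0123456789abcdef"  # constructed 32-char hex

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    # Constructed token for the demo only. The signature segment is a
    # placeholder; real tokens are signed by the OpenID Provider and that
    # signature is verified before the claims are inspected.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def decode_claims(id_token):
    # Splits the compact serialization and decodes the payload (claims) only.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def check_id_token(claims, now, issuer=CONFIGURED_ISSUER, client_id=CLIENT_ID, skew=60):
    # The issuer must be the AIM instance we trust, the audience must be our
    # client ID, and the token must not be past its encoded expiry (a small
    # clock skew is tolerated).
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + skew:
        return False, "expired"
    return True, "valid"

def needs_refresh(claims, now, margin=300):
    # The lifetime is exp - iat. Trigger an automatic refresh once fewer than
    # `margin` seconds remain, so callers never hand out an expired token.
    return claims["exp"] - now <= margin
```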
The PCS OpenID Connect client offers two options for user authentication in AIM.
- The first option is to open the system browser, where users can enter their credentials. Upon successful authentication, the token information is then returned to the native application that initiated the authentication process.
- The second option involves displaying an embedded browser using WebView2. Here, users can interact with the authentication process within the native application itself.
Token conversion
Token conversion allows an external token from an identity provider that AIM is federating identity to, for example, CONNECT, to be converted to an AIM token that on-premise services will trust and understand.
This conversion should be performed at the point of entry on-premise (the cloud-facing service or client) to minimize the need for multiple services to convert external cloud tokens.
To convert tokens, the application or service needs to be registered as an AIM client. This is very similar to registering any other AIM identity client (for example, a UI that wants to display a login page and get an AIM token). This requires the user performing the registration to be an administrator.