Overview
OpenID Connect (OIDC) is an identity standard that lets third parties initiate OpenID authentication requests with their authorization servers.
When merchants leverage Bolt Ignite as an identity provider (i.e. use Bolt to log a shopper into their store account), OIDC sits on top of the OAuth 2.0 protocol. This extra layer of validation should be implemented when using Bolt’s authentication to verify a shopper’s identity.
OAuth 2.0
Below is the sequence of data exchange when integrating with Bolt’s standard OAuth API:
(1) A shopper authenticates via Bolt’s Login Modal.
(2) Bolt returns an Authorization Code to the frontend of the merchant’s site.
(3) The merchant passes the Bolt Authorization Code to their backend.
(4) The merchant’s backend calls Bolt’s OAuth API endpoint to exchange the code for an OAuth Access Token.
Finally, with the OAuth Access Token, merchants may read or write data in the shopper’s Bolt account.
OAuth 2.0 + OpenID Connect
Bolt returns an ID token to the third party via the OAuth Token endpoint if the presented authorization grant includes the openid scope. The ID token’s signature can then be verified with Bolt’s RSA public key.
Step 1: Get Bolt’s OpenID Configuration Data
OpenID Config Request
Bolt’s OpenID configuration, which points to Bolt’s public RSA key, is publicly available via a GET request to the following endpoints:
- Sandbox: https://api-sandbox.bolt.com/.well-known/openid-configuration
- Production: https://api.bolt.com/.well-known/openid-configuration
OpenID Config Response
{
  "issuer": "https://api-sandbox.bolt.com",
  "authorization_endpoint": "https://api-sandbox.bolt.com/v3/oauth/authorize",
  "token_endpoint": "https://api-sandbox.bolt.com/v3/oauth/token",
  "jwks_uri": "https://api-sandbox.bolt.com/v3/oauth/jwks.json",
  "response_types_supported": [
    "id_token",
    "code",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "bolt.account.manage",
    "bolt.account.view"
  ]
}
Step 2: JSON Web Key Set (JWKS)
Bolt’s OAuth Access Token is a JSON Web Token (JWT). To validate that a Bolt OAuth Access Token is legitimate, you will need Bolt’s JSON Web Key Set (JWKS). Merchants use these public keys to verify the JWT’s signature and so confirm that it has not been tampered with.
JWKS Request
In the response payload from Bolt’s OpenID Configuration API, you’ll find the jwks_uri. Make a GET request to this endpoint to retrieve the JWKS data.
JWKS Response
{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "e8a7273d-40d4-4be1-a826-f9113e8bf0ab",
      "kty": "RSA",
      "n": "umrI98nQ0thJELhOa0AI4fQkEEuh9gHOFEQUjVZzSZO_O5x42mugJyMq3hDGwJBOH2FUgT5WnGt9tHJ9NbTwfZtljOyRkmoTUGFkQIcRZy_b0fD9_IfFXuAXJebflCIVFO_UnFRN4Z9RQqx-vffAE-qNnQV_V_455Qw0-_HW5n06Df0UVYXiZ1-2RXfGIinPcUgMS59r12kJDahELTWWcwa1gJE1UnSUiwTO7dDp1IjgGml6cpbynYcROyuz4wNumIj7w6tH-krmPguTYXPmKVSmZtqFCh1reXonSZBQ9XvuWhQbY3skf7X2AELHB6nkUNaUlVlSbG_DiHjxSAvSr3HSKLHiaYuB3VA_FWgfSWvg9kZVE9d1Qg-JhYL8kIxcWIgH37onIR5gh7lep0u73WlgFy97tjy9uiTmcjrzBBXtxl5PsLGaTJGPkZnAON4BH0Njuq23G_ZHXcJvX8uFs4VlfItq838SjJqzCrWS5eK4mKX669dYEXenjv8mqqkKSD3PNZl4ixwfMkhmVAeYA0qPnq5rt7XA5mVlr5BNkpal29fL_s6CcdfAylzvzS3C1a6z3ZpZSl2yGAfDgceC4-h-iLJmyeZM3Jz1jttE9BTUxwlhQvO_xIDkJXGgU9y8TMy_rNcPS_qOW1k4DDcTM_eCqsISa58WWiCO0WQUW6E",
      "use": "sign"
    }
  ]
}
Step 3: Validate the Bolt OAuth JWT
Finally, merchants may validate and parse the Bolt JWT against the JSON Web Key Set using any standard JWT validation library. Configure the library to accept only the RS256 algorithm advertised in the OpenID configuration, to select the key by the token’s kid, and to check the issuer, audience and expiry claims.