8. OAuth2
Delegation protocol, a means of letting someone who controls a resource allow
an application to access that resource on their behalf without impersonating
them.
16. OpenID Connect
• Identity layer on top of the OAuth2 protocol
• Client app requests an identity token and uses it to sign in a user
• Additional endpoint that can be used to get further user details
17. Clients
Confidential
Able to maintain a shared secret with the Identity Provider
On server (server-side web apps)
Public
Redirect URI used to verify the client
On device (JavaScript apps, mobile apps)
18. Client – IdP communication
Front-channel
Browser as a medium
Data sent in query parameters
Less secure
Back-channel
No browser
Direct Server-to-Server calls
More secure
21. Implicit Flow
Diagram components: Public client (React); Identity Provider with Authorization Endpoint and Token Endpoint; UserInfo Endpoint (API)
22. OpenID Connect Flows
Authorization Code
Tokens via back-channel
Confidential clients
Refresh tokens available
Implicit
Tokens via front-channel
Public clients
No refresh tokens
24. OpenID Connect Flows
Authorization Code
Tokens via back-channel
Confidential clients
Refresh tokens available
Implicit
Tokens via front-channel
Public clients
No refresh tokens
Hybrid
Tokens via front/back-channel
Confidential clients
Refresh tokens available
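Added example, not from the slides: a toy in-memory identity provider modelling the Authorization Code and Implicit flows compared above. The client ids, secret, redirect URIs and token strings are constructed; the point is that the confidential client must present its secret on the back-channel, each code is single-use, and the implicit flow hands tokens to the browser in the URL fragment with no refresh token.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

class ToyIdP:
    def __init__(self):
        # Constructed registrations: the confidential web app holds a secret, the public SPA has none.
        self.clients = {"web-app": "s3cret", "spa": None}
        self.codes = {}  # single-use authorization codes -> (client_id, subject)
    def authorize(self, client_id, redirect_uri, response_type, state, sub):
        """Front-channel: the result rides in the redirect URL through the user's browser."""
        if response_type == "code":
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, sub)
            return redirect_uri + "?" + urlencode({"code": code, "state": state})
        if response_type == "id_token token":
            # Implicit: tokens sit in the fragment, visible to the browser; no refresh token is issued.
            return redirect_uri + "#" + urlencode({"id_token": f"idt-{sub}", "access_token": f"at-{sub}", "state": state})
        raise ValueError("unsupported response_type")

    def token(self, client_id, client_secret, code):
        """Back-channel: direct server-to-server call; the confidential client must prove its secret."""
        if client_secret is None or self.clients.get(client_id) != client_secret:
            raise PermissionError("client authentication failed")
        owner, sub = self.codes.pop(code, (None, None))  # pop makes the code single-use
        if owner != client_id:
            raise PermissionError("invalid or replayed authorization code")
        return {"id_token": f"idt-{sub}", "access_token": f"at-{sub}", "refresh_token": f"rt-{sub}"}

def callback_params(redirect, state, part):
    """Parse the callback URL's query (code flow) or fragment (implicit) and check state (CSRF)."""
    params = {k: v[0] for k, v in parse_qs(getattr(urlsplit(redirect), part)).items()}
    if params.pop("state", None) != state:
        raise PermissionError("state mismatch: callback does not belong to this session")
    return params

def authorization_code_flow(idp, sub="alice"):
    """Confidential client: code via front-channel, tokens via back-channel. Returns (tokens, code)."""
    state = secrets.token_urlsafe(8)
    code = callback_params(idp.authorize("web-app", "https://app.example/cb", "code", state, sub), state, "query")["code"]
    return idp.token("web-app", "s3cret", code), code

def implicit_flow(idp, sub="alice"):
    """Public client (e.g. a React SPA): tokens arrive directly in the URL fragment."""
    state = secrets.token_urlsafe(8)
    return callback_params(idp.authorize("spa", "https://spa.example/cb", "id_token token", state, sub), state, "fragment")

def exchange_is_rejected(idp, client_id, secret, code):
    try:  # True when the token endpoint refuses: wrong or missing secret, or a replayed code
        return idp.token(client_id, secret, code) is None
    except PermissionError:
        return True
```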