OpenID Connect

Jan 19, 2021 oidc auth ouath2 openid

Token Types

An ID Token contains claims about the identity of the authenticated user such as theyr name, email and phone number. In the OIDC specification, the ID token must be a JSON web token (JWT).

An Access Token is used to grant access to an authorized resource and contains scopes and groups.

A Refresh Token contains information to optain a new ID Token or Access Token.

Flows

The following links have articles that do a good job of explaining things:

• https://darutk.medium.com/diagrams-of-all-the-openid-connect-flows-6968e3990660
• https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows

In general it’s advised that all applications used the authorization code flow with PKCE.

Authorization Code Flow

• response_type=“code”

Implict Flow

• response_type=“token”
• response_type=“id_token”
• response_type=“id_token token”

Hybrid Flow

• response_type=“code id_token”
• response_type=“code token”
• response_type=“code id_token token”

Recommended Flows

• Web use the authorization code flow
• Desktop Native use authorization code flow with PKCE
• Mobile Native use authorization code flow with PKCE
• SPA use authorization code flow with PKCE