# Glossary

# OAuth

## Resource owner

The user who will allow the app to read the resources they grant access to

ex: the person who has a mail account

## Client

The application that requests the resources in order to use them on behalf of the user

ex: a mass mailing service that mails all your contacts

## Authorization server

The application that knows the resource owner, because the resource owner has an account there

ex: the mail server's authentication service

## Resource server

The API that the client will use on behalf of the user

ex: the contact list API

## Redirect URI

URL the authorization server uses to send the resource owner back to the client app after they have consented to the resource access

ex: the mass mailing service's "contact retrieve success/failure" page

## Response type

Response type expected by the client, usually "code" for an authorization code

## Scope

Granular permission that the client wants

ex: read contacts, read profile

## Consent

The authorization server takes the scopes that the client requests and lets the resource owner choose whether to accept them or not

ex: allow access to your contacts?

## Client Id

Identifies the client to the authorization server

## Client secret

Shared between the authorization server and the client

## Authorization code

Temporary code sent by the authorization server to the client

The client then privately sends the authorization code along with the client secret to the authorization server, in exchange for an access token

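The code-for-token exchange described above, as an added example that is not part of the original glossary and not any real OAuth library: a constructed in-memory authorization server that mints a short-lived, single-use code bound to the client and redirect URI, then re-checks every binding plus the client secret before handing out an access token. Client ids, secrets, URLs and TTL values are sample values chosen for the example.

```python
import hmac
import secrets
import time

# Constructed authorization-server state for the example (not a real deployment).
CODE_TTL_SECONDS = 60  # assumed lifetime of an authorization code

# Registered clients: sample id, secret and allowed redirect URIs.
CLIENTS = {
    "mailer-app": {
        "secret": "s3cr3t-example",
        "redirect_uris": {"https://mailer.example/callback"},
    }
}

_issued_codes = {}   # code -> {client_id, redirect_uri, scope, issued_at, used}
_access_tokens = {}  # access token -> {client_id, scope}


def issue_authorization_code(client_id, redirect_uri, scope, now=None):
    """Front channel: after the resource owner consents, the authorization
    server mints a random, single-use code bound to the client and to the
    redirect URI that will receive it."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "issued_at": now,
        "used": False,
    }
    return code


def exchange_code(code, client_id, client_secret, redirect_uri, now=None):
    """Back channel: the client presents the code together with its secret.
    Returns a token response, or None when any check fails."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    # Constant-time comparison of the shared secret (both values are ASCII str).
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None  # client authentication failed
    entry = _issued_codes.get(code)
    if entry is None or entry["used"]:
        return None  # unknown code, or a replay of an already-used code
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return None  # code was issued to a different client or redirect URI
    if now - entry["issued_at"] > CODE_TTL_SECONDS:
        return None  # code expired
    entry["used"] = True  # a code is good for exactly one exchange
    token = secrets.token_urlsafe(32)
    _access_tokens[token] = {"client_id": client_id, "scope": entry["scope"]}
    return {"access_token": token, "token_type": "Bearer", "scope": entry["scope"]}


def introspect(token):
    """What the resource server would check before serving a request:
    the token's client and granted scope, or None if the token is unknown."""
    return _access_tokens.get(token)
```

The `now` parameter exists so the expiry check can be exercised deterministically; production code would simply use the clock.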
## Access token

Key the client will use to communicate with the resource server

## Refresh token

Token used to get a new access token

# OIDC

## OAuth vs OIDC

OAuth provides only a token for application access, without any info on the user. OpenID adds information on the user.

* OAuth enables an app to access resources
* OIDC enables an app to establish a login session and to access info about the user

## End user

OAuth resource owner

## Relying party

OAuth client

## Identity provider

OIDC-enabled OAuth authorization server

## ID token

JWT added alongside the access token by OIDC, carrying your identity info.

## Claims

Attributes of the ID token

* Subject: uid for the user
* Issuing authority: URL of the identity provider
* Audience: identifies the relying party that can use this token
* Issue date
* Expiration date
* [Authentication time]
* [Nonce]: prevents replay attacks
* [Name]
* [Email]

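The checks a relying party applies to those claims, as an added example that is not part of the original glossary: a function that takes the already-decoded payload of an ID token and reports every problem with the issuer, audience, expiry, issue time, subject, nonce and authentication time. It assumes the JWT signature has already been verified with the identity provider's key (out of scope here) and uses the standard claim names (`iss`, `aud`, `azp`, `exp`, `iat`, `sub`, `nonce`, `auth_time`); the issuer URL, client id and timestamps in the usage are constructed sample values.

```python
import time


def validate_id_token_claims(claims, expected_issuer, client_id,
                             expected_nonce=None, now=None, max_age=None, leeway=0):
    """Validate the claims of an ID token whose signature is already verified.
    Returns a list of problems; an empty list means the token is acceptable.
    `now`, `max_age` and `leeway` are in seconds."""
    now = time.time() if now is None else now
    problems = []

    # Issuing authority: must be exactly the identity provider we spoke to.
    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")

    # Audience: this relying party must be listed; with several audiences the
    # authorized party (azp) must name us as well.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not include this relying party")
    elif len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client")

    # Expiration date: reject once exp has passed (small clock leeway allowed).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("exp missing or token expired")

    # Issue date: a token "issued in the future" indicates a clock or forgery issue.
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        problems.append("iat missing or in the future")

    # Subject: the identifier everything else is about.
    if not claims.get("sub"):
        problems.append("sub missing")

    # Nonce: must echo the value we sent in the authentication request,
    # otherwise the token may be a replay of an earlier login.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")

    # Authentication time: when we demanded a fresh login (max_age), the
    # recorded auth_time must be recent enough.
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            problems.append("auth_time missing or login too old")

    return problems


# Constructed sample payload, as a decoder would return it (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example",
    "sub": "user-123",
    "aud": "mailer-app",
    "iat": 1000,
    "exp": 1600,
    "nonce": "n-abc",
    "auth_time": 990,
    "name": "Sample User",
    "email": "sample@example.com",
}

if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, "https://idp.example",
                                   "mailer-app", expected_nonce="n-abc", now=1200))
```

Collecting all problems rather than stopping at the first one makes the rejection easier to log and debug; the caller still treats any non-empty list as a failed login.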
## Scopes

openid is a mandatory scope

There are 4 predefined OpenID scopes:

* profile: access to the default profile claims
* email
* address
* phone

## Identity provider endpoints

Several predefined endpoints exist on the identity provider

* Authorization endpoint
* Token endpoint
* UserInfo endpoint

## Recommended authorization flows

* Authorization code
* Authorization code with PKCE (Proof Key for Code Exchange): for devices

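The PKCE variant of the authorization code flow, as an added example that is not part of the original glossary and not any real OAuth library: the client derives a `code_challenge` (SHA-256, base64url without padding, the S256 method of RFC 7636) from a random `code_verifier`, the authorization server stores the challenge with the code it issues, and the token exchange succeeds only if the presented verifier hashes back to that challenge. The in-memory server below and its constructed code store are assumptions for the example; the verifier/challenge pair in the usage is the published RFC 7636 test vector.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(data):
    """base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """Client side: high-entropy random string; 32 bytes give 43 characters,
    the minimum length allowed (the maximum is 128)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier):
    """Client side: S256 challenge sent with the authorization request.
    Only the challenge crosses the front channel, never the verifier."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge, method, presented_verifier):
    """Server side: does the verifier from the token request match the
    challenge stored when the code was issued? Only S256 is accepted here;
    the 'plain' method is refused because it leaks the verifier up front."""
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


# Constructed authorization-server state for the example (not a real deployment).
_pending_codes = {}  # code -> {"challenge": ..., "method": ...}


def as_issue_code(code_challenge, method):
    """Authorization endpoint: after consent, bind the challenge to a fresh code."""
    code = secrets.token_urlsafe(24)
    _pending_codes[code] = {"challenge": code_challenge, "method": method}
    return code


def as_exchange(code, code_verifier):
    """Token endpoint: the code is single-use and only redeemable by whoever
    holds the matching verifier. Returns a token response or None."""
    entry = _pending_codes.pop(code, None)  # removed whether or not it verifies
    if entry is None:
        return None
    if not verify_pkce(entry["challenge"], entry["method"], code_verifier):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    verifier = make_code_verifier()
    code = as_issue_code(make_code_challenge(verifier), "S256")
    print(as_exchange(code, verifier))
```

Because the verifier never leaves the client until the back-channel token request, a stolen code alone cannot be redeemed, which is what makes the flow usable by clients that cannot keep a client secret.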
## PKCE