oc-doc/docs/openid/glossary.md

105 lines
2.8 KiB
Markdown
Raw Normal View History

2024-12-10 18:01:58 +01:00
# Glossary
# Oauth
## Ressource owner
The user that will allow the app to read ressources that he/she will grant access for
ex: the person that has a mail account
## Client
The application that is requesting the ressources to use them on the behalf of the user
ex : a mass mailing list service to all your contacts
## Authorization server
The application that knows the resource owner because it has an account there
ex: the mail server authentication service
## Resource server
The API that the client will use on behalf of the user
ex : the contact list API
## Redirect uri
Url that will be used by the authorization server to send back the ressource owner to the client app after consenting to ressources access
ex : mass mailing list "contact retrieve success/failure" page
## Response type
Response type expeted by the client, usually "code" for an authorization code
## Scope
Granular permission that the client wants
ex: read contacts, read profile
## Consent
The auhorization server takes the scopes that the clients requests and let the ressource owner choose to acccept them or not
ex: access to your contacts ?
## Client Id
To identify the client with the authorization server
## Client secret
Shared between authorization server and client
## Authorization code
Temporary code sent by authorization server to client
The client then privately sends the authorization code along with the client secret to tha authorization server, in exchange for an access token
## Access token
Key the client will use to communicate withe the ressource server
## Refresh token
Token to get a new access token
# OIDC
## Oauth vs Oidc
Oauth provides only a token for application access without any info on the user. OpenId adds information on the user.
* Oauth enables an app to access ressources
* Oidc enables an app to establish a login session and to access info about the user
## End user
Oauth Resource Owner
## Relaying party
Oauth client
## Identity provider
OIDC enabled Oauth authorization server
## IdToken
JWT token added to access token by OIDC with your identity info.
## Claims
Attributes of the Id Token
* Subject : uid for the user
* Issuing Authority : url of identity provider
* Audience : irdentifies the relying party that can use this token
* Issue Date
* Expiration Date
* [Authentication Time]
* [Nonce] : prevent replay attacks
* [Name]
* [Email]
## Scopes
openid is a mandatory scope
There a are 4 openid predefined scopes :
* profile : access to the default profile claims
* email
* address
* phone
## Identity provider Endpoints
Several predefined endpoints exist on the Identity provider
* Authorization endpoint
* Token endpoint
* UserInfo endpoint
## Recommended authorization flows
* Authorization code
* Authorization code with PKCE (Proof Key for Code Exchange) : for devices
## PKCE