# Glossary # Oauth ## Ressource owner The user that will allow the app to read ressources that he/she will grant access for ex: the person that has a mail account ## Client The application that is requesting the ressources to use them on the behalf of the user ex : a mass mailing list service to all your contacts ## Authorization server The application that knows the resource owner because it has an account there ex: the mail server authentication service ## Resource server The API that the client will use on behalf of the user ex : the contact list API ## Redirect uri Url that will be used by the authorization server to send back the ressource owner to the client app after consenting to ressources access ex : mass mailing list "contact retrieve success/failure" page ## Response type Response type expeted by the client, usually "code" for an authorization code ## Scope Granular permission that the client wants ex: read contacts, read profile ## Consent The auhorization server takes the scopes that the clients requests and let the ressource owner choose to acccept them or not ex: access to your contacts ? ## Client Id To identify the client with the authorization server ## Client secret Shared between authorization server and client ## Authorization code Temporary code sent by authorization server to client The client then privately sends the authorization code along with the client secret to tha authorization server, in exchange for an access token ## Access token Key the client will use to communicate withe the ressource server ## Refresh token Token to get a new access token # OIDC ## Oauth vs Oidc Oauth provides only a token for application access without any info on the user. OpenId adds information on the user. * Oauth enables an app to access ressources * Oidc enables an app to establish a login session and to access info about the user ## End user Oauth Resource Owner ## Relaying party Oauth client ## Identity provider OIDC enabled Oauth authorization server ## IdToken JWT token added to access token by OIDC with your identity info. ## Claims Attributes of the Id Token * Subject : uid for the user * Issuing Authority : url of identity provider * Audience : irdentifies the relying party that can use this token * Issue Date * Expiration Date * [Authentication Time] * [Nonce] : prevent replay attacks * [Name] * [Email] ## Scopes openid is a mandatory scope There a are 4 openid predefined scopes : * profile : access to the default profile claims * email * address * phone ## Identity provider Endpoints Several predefined endpoints exist on the Identity provider * Authorization endpoint * Token endpoint * UserInfo endpoint ## Recommended authorization flows * Authorization code * Authorization code with PKCE (Proof Key for Code Exchange) : for devices ## PKCE