oc-doc/docs/openid/glossary.md
2024-12-10 18:01:58 +01:00


Glossary

OAuth

Resource owner

The user who grants the app access to his/her resources, e.g. the person who owns a mail account

Client

The application that requests the resources in order to use them on behalf of the user, e.g. a mass-mailing service that sends to all your contacts

Authorization server

The application that knows the resource owner because he/she has an account there, e.g. the mail server's authentication service

Resource server

The API that the client will use on behalf of the user, e.g. the contact list API

Redirect URI

URL the authorization server uses to send the resource owner back to the client app after he/she has consented to resource access, e.g. the mass-mailing service's "contact retrieve success/failure" page

Response type

Response type expected by the client, usually "code" for an authorization code

Scope

Granular permission that the client wants, e.g. read contacts, read profile

The authorization server takes the scopes that the client requests and lets the resource owner choose whether to accept them, e.g. "Allow access to your contacts?"

Client ID

Identifies the client to the authorization server

Client secret

Secret shared between the authorization server and the client

Authorization code

Temporary code sent by the authorization server to the client. The client then privately sends the authorization code, along with the client secret, to the authorization server in exchange for an access token

Access token

Key the client will use to communicate with the resource server

Refresh token

Token used to obtain a new access token

OIDC

OAuth vs OIDC

OAuth provides only a token for application access, without any information about the user. OpenID adds information about the user.

  • OAuth enables an app to access resources
  • OIDC enables an app to establish a login session and to access information about the user

End user

OAuth resource owner

Relying party

OAuth client

Identity provider

OIDC-enabled OAuth authorization server

ID Token

JWT added alongside the access token by OIDC, carrying your identity information.

Claims

Attributes of the ID Token

  • Subject : UID of the user
  • Issuing Authority : URL of the identity provider
  • Audience : identifies the relying party that may use this token
  • Issue Date
  • Expiration Date
  • [Authentication Time]
  • [Nonce] : prevents replay attacks
  • [Name]
  • [Email]
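A relying party has to check these claims before trusting an ID token. The following is an added example, not code from the original glossary: it takes the already-decoded claim set of an ID token (the signature is assumed to have been verified beforehand) and checks the issuer, audience, lifetime and nonce against what the client expects. The sample claim values and the issuer/client names are constructed for illustration.

```python
import time

# Constructed sample payload: the decoded JSON body of an ID token.
# Standard OIDC claim names map onto the glossary entries above.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",   # Issuing Authority
    "sub": "user-12345",                # Subject
    "aud": "mass-mailing-client",       # Audience (the relying party)
    "iat": 1700000000,                  # Issue Date (Unix time)
    "exp": 1700003600,                  # Expiration Date (Unix time)
    "auth_time": 1699999990,            # Authentication Time (optional)
    "nonce": "n-0S6_WzA2Mj",            # Nonce (optional, anti-replay)
    "name": "Alice Example",
    "email": "alice@example.com",
}


def validate_id_token_claims(claims, expected_issuer, client_id,
                             expected_nonce=None, now=None, leeway=60):
    """Return a list of problems; an empty list means the claims are acceptable.

    Assumes the JWT signature has already been verified against the
    identity provider's keys; this function only checks the claim values.
    """
    now = time.time() if now is None else now
    problems = []
    for required in ("iss", "sub", "aud", "iat", "exp"):
        if required not in claims:
            problems.append(f"missing required claim: {required}")
    if problems:
        return problems
    if claims["iss"] != expected_issuer:
        problems.append("issuer mismatch")
    # "aud" may be a single string or a list; this client must be listed.
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("audience does not include this client")
    if now > claims["exp"] + leeway:
        problems.append("token expired")
    if claims["iat"] > now + leeway:
        problems.append("issued in the future")
    # The nonce ties the token to the login request that asked for it.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    return problems
```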

Scopes

openid is a mandatory scope. There are 4 predefined OpenID scopes:

  • profile : access to the default profile claims
  • email
  • address
  • phone

Identity provider endpoints

Several predefined endpoints exist on the identity provider:

  • Authorization endpoint
  • Token endpoint
  • UserInfo endpoint
  • Authorization code
  • Authorization code with PKCE (Proof Key for Code Exchange) : for devices

PKCE