OpenID Connect Flows

OpenID Connect

OpenID Connect defines three authentication flows, selected by the response_type parameter of the authorization request. The flow dictates which endpoint returns which tokens, whether the tokens pass through the User Agent, and whether the client has to authenticate itself to the OpenID Connect provider to get them.

Authorization Code Flow

The authorization code flow returns an authorization code (like it says on the tin) that the client then exchanges for an ID token and an access token. The exchange is a back-channel request to the token endpoint in which the client authenticates with its client id and secret, so the tokens themselves are never exposed to the User Agent; all it ever sees is a short-lived, single-use code. This flow also allows for long-lived access through refresh tokens.

Clients using this flow must be able to maintain a secret, i.e. they are confidential clients such as server-side web applications.

This flow obtains only the authorization code from the authorization endpoint; all tokens are returned from the token endpoint.
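Both legs of the code flow as constructed messages, with the client side building the requests and a provider-side check of the client credentials. This is an added example, not code from the post or from IdentityServer; the provider endpoints, client_id, client_secret, redirect URI and the returned code are made-up values.

```python
"""Authorization code flow, front channel and back channel, as constructed
messages. Added example, not code from the post or from IdentityServer; the
provider endpoints, client registration and the returned code are made up."""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider and client registration (assumed, not from the post).
AUTHORIZATION_ENDPOINT = "https://idp.example.com/connect/authorize"
TOKEN_ENDPOINT = "https://idp.example.com/connect/token"
CLIENT_ID = "mvc-client"
CLIENT_SECRET = "s3cret"   # confidential client: this never leaves the server
REDIRECT_URI = "https://app.example.com/signin-oidc"


def build_authorization_request(state: str, nonce: str) -> str:
    """Front channel: the browser is redirected here. response_type=code
    selects the code flow, so only a one-time code comes back to the UA."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,  # bound to the browser session; stops CSRF/login swaps
        "nonce": nonce,  # echoed in the ID token; binds it to this request
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_authorization_response(redirect_url: str, expected_state: str) -> str:
    """Callback handler. In the code flow the code is in the query string.
    Rejects error responses and responses not tied to this session."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise RuntimeError(f"provider error: {query['error'][0]}")
    got_state = query.get("state", [""])[0]
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not bound to this session")
    return query["code"][0]


def build_token_request(code: str) -> tuple[dict, dict]:
    """Back channel: server-to-server POST to the token endpoint using
    client_secret_basic. The UA never sees the secret or the tokens."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one used in step 1
    }
    return headers, body


def authenticate_client(headers: dict) -> bool:
    """Provider side of the back channel: decode the Basic header and check
    client id and secret with constant-time comparisons."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return False
    try:
        client_id, _, secret = base64.b64decode(value).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    return (hmac.compare_digest(client_id.encode(), CLIENT_ID.encode())
            and hmac.compare_digest(secret.encode(), CLIENT_SECRET.encode()))


def run_code_flow() -> dict:
    """Walk both legs using a constructed callback URL from the provider."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = build_authorization_request(state, nonce)
    # Constructed: what the provider redirects the browser to after login.
    callback_query = urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = parse_authorization_response(f"{REDIRECT_URI}?{callback_query}", state)
    headers, body = build_token_request(code)
    return {"auth_url": auth_url, "code": code, "headers": headers,
            "body": body, "client_ok": authenticate_client(headers)}
```

The point to notice is the split: everything in `build_authorization_request` and `parse_authorization_response` travels through the browser, while `build_token_request` and `authenticate_client` happen between the client's back end and the token endpoint, which is where the secret and the tokens live.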

Implicit Flow

The implicit flow requests tokens without any client authentication; the registered redirect URI is the only thing tying the response to the client. Because of this, refresh tokens are not issued and the access token is short-lived. The tokens come back in the URL fragment, so, unlike the code flow, they are exposed to the User Agent. From the middleware's point of view this is the simplest to implement, as it only needs to redirect the user to the OpenID Connect provider and read the tokens off the fragment when the user comes back.

This flow obtains all of its tokens from the Authorization endpoint.

Hybrid Flow

The hybrid flow combines aspects of the previous two. The authorization endpoint returns an authorization code together with an ID token (and optionally an access token), so the client can make immediate use of the ID token while still holding a code to exchange at the token endpoint, all in one round trip to the authorization server. Because the code is exchanged on the back channel with client authentication, long-lived access (again through refresh tokens) is possible. It is worthwhile noting that this is the only flow supported by the Microsoft OpenID Connect authentication middleware.

This flow gets the authorization code and the ID token (and, depending on response_type, an access token) from the authorization endpoint, with the remaining tokens returned from the token endpoint.
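For the implicit and hybrid flows the tokens arrive in the fragment via the User Agent, so the client has to check them against the one artifact the provider signed, the ID token: the nonce ties the ID token to the request, and the c_hash and at_hash claims tie the code and access token returned alongside it to that ID token. Added example, not code from the post or from IdentityServer; the client registration, claims, code and access token are constructed values, and verification of the ID token's signature is assumed to have happened before these checks.

```python
"""Implicit and hybrid flows: validating what comes back in the URL fragment.
Added example, not code from the post or from IdentityServer. Claims, code and
access token are constructed; the ID token's signature is assumed to have been
verified already."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "spa-client"                           # assumed registration
REDIRECT_URI = "https://app.example.com/callback"  # assumed


def left_half_hash(value: str, alg: str = "RS256") -> str:
    """c_hash / at_hash as defined in OpenID Connect Core: hash the ASCII
    value with the SHA size matching the ID token's alg (RS256 -> SHA-256),
    keep the left half, base64url-encode without padding."""
    bits = int(alg[2:])  # "RS256" -> 256, "ES512" -> 512
    digest = hashlib.new(f"sha{bits}", value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def validate_fragment_response(redirect_url: str, expected_state: str,
                               expected_nonce: str, id_token_claims: dict,
                               alg: str = "RS256") -> dict:
    """Implicit (id_token token) and hybrid (code id_token ...) responses
    land in the fragment, so the UA sees them. Only the ID token is signed,
    so the code and access token are checked against its hash claims."""
    frag = parse_qs(urlparse(redirect_url).fragment)
    got_state = frag.get("state", [""])[0]
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if id_token_claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token not issued for this request")
    if id_token_claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token not issued to this client")
    out = {}
    if "code" in frag:  # hybrid flow only
        code = frag["code"][0]
        if left_half_hash(code, alg) != id_token_claims.get("c_hash"):
            raise ValueError("c_hash mismatch: code was swapped or injected")
        out["code"] = code
    if "access_token" in frag:  # implicit, or hybrid with 'token'
        token = frag["access_token"][0]
        if left_half_hash(token, alg) != id_token_claims.get("at_hash"):
            raise ValueError("at_hash mismatch: token not bound to ID token")
        out["access_token"] = token
    return out


def demo_hybrid(code: str = "SplxlOBeZQQYbYS6WxSbIA") -> dict:
    """Constructed hybrid (response_type=code id_token) round trip."""
    state, nonce = "af0ifjsldkj", "n-0S6_WzA2Mj"
    # Constructed ID token claims, as the provider would have signed them.
    claims = {"iss": "https://idp.example.com", "aud": CLIENT_ID,
              "nonce": nonce, "c_hash": left_half_hash(code)}
    frag = urlencode({"code": code, "id_token": "header.payload.sig",
                      "state": state})
    return validate_fragment_response(f"{REDIRECT_URI}#{frag}",
                                      state, nonce, claims)


def demo_injected_code() -> bool:
    """An attacker swaps the code in the fragment for one of their own; the
    c_hash check catches it because the ID token was minted for the original."""
    claims = {"aud": CLIENT_ID, "nonce": "n1", "c_hash": left_half_hash("good")}
    url = f"{REDIRECT_URI}#{urlencode({'code': 'evil', 'state': 's1'})}"
    try:
        validate_fragment_response(url, "s1", "n1", claims)
    except ValueError:
        return True
    return False
```

In the code flow none of this is needed, because the code goes straight to the token endpoint over an authenticated back channel; here it is the ID token in the fragment that has to vouch for everything returned next to it.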

[Image: authentication flow comparison table, nabbed from the OpenID Connect 1.0 Core specification.]

It's about time I actually start talking about something a bit more practical, so my next post will start to cover my experiences with Thinktecture's Identity Server and Identity Manager and explain some more of the concepts that way.
