Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: adding needed space in response types
Warning

This page is under construction

This section guides you through consuming an OpenID connect implicit client profile that is based on implicit flow.Following are the steps involved according to the  The following steps outline the flow according to the OpenID specification. 

  1. Client The client prepares an Authentication Request authentication request containing the desired request parameters.
  2. Client The client sends the request to the Authorization Serverauthorization server.
  3. Authorization Server Authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an ID Token The authorization server authenticates the end-user.
  6. The authorization server obtains end-user consent/authorization.
  7. The athorization server sends the end-user back to the client with an ID token and, if requested, an Access Tokenaccess token.
  8. Client The client validates the ID token and retrieves the Endend-Useruser's Subject Identifier.

...

  1. subject identifier.

The following parameters are mandatory and have to be included in the authorization request to include the following parameters:

...

in order to execute this flow. 

Note

Note: The following parameters have a different usage in the implicit flow vs its usage in the authorization code flow.

  • response_type
  • redirect_uri/callback_uri
  • nonce
Parameter
Description
scopeSpecifies the behaviour of the request. 
Value: "openid" 
client_id

...

The OAuth 2.0 Client Identifier valid at the

...

authorization server.
response_type

...

Determines which authorization processing flow is to be used, including what parameters are returned from the endpoints used.
Value:
"id_token token

...

" or "id_token

...

"

  • id_token token

...

  • :  The ID token is issued together with the access token.
  • id_

...

  • token: Only the id token is returned and no access token is returned.
redirect_uri/callback_uri

...

The URI

...

which the authorization server should send the response to.
nonce

...

Associates a

...

client session with an ID Token to mitigate replay attacks. The value is passed through unmodified from the

...

suthentication request to the ID Token.

(The bold parameters have differences between the usage in implicit vs authorization code flow)

Rest of this page addresses how this flow can be tried out with WSO2 Identity Server.

Following are the expected requests and the relevant responses WSO2 Identity Server would generate for this flow.

  • Response_type=id_token

Request
Response

Please refer https://wso2.org/jira/browse/IDENTITY-4247 for a known issue in the above flow and the fix.

Please note nonce value is mandatory parameter here and if didn’t provide scope=openid you won’t get Id Token.
Base64 decoded value of Id Token

Code Block
{"auth_time":1453184484,"exp":1453188084,"sub":"admin@carbon.super","azp":"W2OoSxQDCVrBk1lnffo1NGCKZbQa","at_hash":"DoxjyXzmrL6Z_kWRzmBdCA","nonce":"abc","aud":["W2OoSxQDCVrBk1lnffo1NGCKZbQa"],"iss":"https:\/\/localhost:9443\/oauth2\/token","iat":1453184484}

Id Token does not contain at_hash value since no access token is generated (access token is required to calculate at_hash value)

  • Response_type : id_token token

Request
Response

Here, note that both the access token and IDToken are returned to the client.

...

Panel
titleRelated Topics