OpenID Connect Implicit Client Profile

This section guides you through consuming an OpenID connect implicit client profile that is based on implicit flow.

Following are the steps involved according to the OpenID specification. 

1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an ID Token and, if requested, an Access Token.
6. Client validates the ID token and retrieves the End-User's Subject Identifier.

To execute the above flow, it is mandatory for the authorization request to include the following parameters:

• • scope - this should be 'openid'

  • client_id - OAuth 2.0 Client Identifier valid at the Authorization Server

  • response_type - for this flow the value should be sent as  'id_token token' or 'id_token'

    • • • • id_token token - ID token is issued together with the access token

          • id_token - No Access Token is returned, just the id token

  • redirect_uri/callback_uri - the URI where the authorization server should send the response
  • nonce - associates a Client session with an ID Token to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token.

(The bold parameters have differences between the usage in implicit vs authorization code flow)

Rest of this page addresses how this flow can be tried out with WSO2 Identity Server.

Following are the expected requests and the relevant responses WSO2 Identity Server would generate for this flow.

• Response_type=id_token

Request

https://localhost:9443/oauth2/authorize?response_type=id_token&client_id=NgTICXFPYnt7ETUm6Fc8NMU8K38a&redirect_uri=http://localhost:8080/playground2/oauth2client&nonce=abc&scope=openid 

Response

http://localhost:8080/playground2/oauth2client#token_type=Bearer&expires_in=60&id_token=eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NTMxODQyNTcsImV4cCI6MTQ1MzE4Nzg1Nywic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiVzJPb1N4UURDVnJCazFsbmZmbzFOR0NLWmJRYSIsImF0X2hhc2giOiJRMXdwcURSOVpvV2NjQjNUbUl0Q0x3Iiwibm9uY2UiOiJhYmMiLCJhdWQiOlsiVzJPb1N4UURDVnJCazFsbmZmbzFOR0NLWmJRYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NTMxODQyNTd9.iZSsb9PGC6lK0_fZe6R46BuiJs029F2NpA7GFv5NtI9T4h8p64qwBX-A0LEqOxg3H02OHIV22zKti8WoPsruFZmeAT75__kUHij_b3JM34kUuus478c1qBWFFKzR1EIReEj7Rf2UxYAPixgmPhuutQjJhAXqSwSiRlOR_tDp1Do

Please refer https://wso2.org/jira/browse/IDENTITY-4247 for a known issue in the above flow and the fix.

Please note nonce value is mandatory parameter here and if didn’t provide scope=openid you won’t get Id Token.
Base64 decoded value of Id Token

{"auth_time":1453184484,"exp":1453188084,"sub":"admin@carbon.super","azp":"W2OoSxQDCVrBk1lnffo1NGCKZbQa","at_hash":"DoxjyXzmrL6Z_kWRzmBdCA","nonce":"abc","aud":["W2OoSxQDCVrBk1lnffo1NGCKZbQa"],"iss":"https:\/\/localhost:9443\/oauth2\/token","iat":1453184484}

Id Token does not contain at_hash value since no access token is generated (access token is required to calculate at_hash value)

https://localhost:9443/oauth2/authorize?response_type=id_token%20token&client_id=NgTICXFPYnt7ETUm6Fc8NMU8K38a&redirect_uri=http://localhost:8080/playground2/oauth2client&nonce=abc&scope=openid

http://localhost:8080/playground2/oauth2client#access_token=bb2157fce1266331c7802a8a1f6a33e1&id_token=eyJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiWHRhdktnTGtBT18zVUFfMmstay1YUSIsInN1YiI6ImFkbWluQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJOZ1RJQ1hGUFludDdFVFVtNkZjOE5NVThLMzhhIl0sImF6cCI6Ik5nVElDWEZQWW50N0VUVW02RmM4Tk1VOEszOGEiLCJhdXRoX3RpbWUiOjE0NTI5NjkwNDUsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTQ1Mjk3MzU1OSwibm9uY2UiOiJhYmMiLCJpYXQiOjE0NTI5Njk5NTl9.PNJl3gkC85zxZVclbaSR_5rFPUApBLD1vWQ1nkQUwzSNxA3A0SU2VJOLfGK-R1FQ_xQaC_MaZsfAvxm5h5o9_KTxWvYY8KuGEvqSz5uecE0ykArBBmLf1Sk0nT5MxVGcVvTRx6swkWZRtxIlcofnMoQKuephwXASPWdcJIhoJH0&token_type=Bearer&expires_in=2386