This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


This section guides you through consuming an OpenID Connect implicit client profile, which is based on the OAuth 2.0 implicit flow.

Following are the steps involved, according to the OpenID Connect specification:

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an ID Token and, if requested, an Access Token.
  6. Client validates the ID token and retrieves the End-User's Subject Identifier.

To execute the above flow, it is mandatory for the authorization request to include the following parameters:

    • scope - this should be 'openid'
    • client_id - OAuth 2.0 Client Identifier valid at the Authorization Server
    • response_type - for this flow the value should be sent as 'id_token token' or 'id_token'
            • id_token token - the ID token is issued together with the access token
            • id_token - no access token is returned, just the ID token
    • redirect_uri/callback_uri - the URI where the authorization server should send the response
    • nonce - associates a Client session with an ID Token to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token.

(Of these, response_type and nonce are the parameters whose usage differs between the implicit flow and the authorization code flow.)

The sample here addresses how this flow can be tried out with the WSO2 Identity Server Playground sample.
