IdentityServer Flows

openid-connect openid oauth-2.0 thinktecture-ident-server identityserver3

I faced the same Issue, currently the work still in progress. when I finish the documentation, I might post it here. for time being: please check the draft:

Enrich IdentityServer Documentation with OIDC and OAuth2 Flows section #73

Update: OIDC and OAuth2 Flows


From leastPrivilage's first link: and Aharon Paretzki's OAuth 2 Simplified

Flows decide how the ID token (i.e. the authorization code) and the Access token (i.e. 'the token') are returned to the client:

Authorization Code Flow: OAuth 2.0 flow in which

  • an Authorization Code is returned from the Authorization Endpoint
  • and all tokens (as a second stage, in exchange for the authorization code) are returned from the Token Endpoint
  • Used for server based calls (APIs) that can maintain the confidentiality of their client secret. Allows for stronger security, as long as no-one can access the "client secret".

Implicit Flow: OAuth 2.0 flow in which

  • all tokens are returned directly from the Authorization Endpoint
  • and neither the Token Endpoint nor an Authorization Code are used.
  • Used for mobile and web based apps, that cannot maintain the confidentiality of the client secret, so there is a need to have the token issued by the auth server itself. This is less secure, and it is recommended that the server should be set to deny implicit flow calls for API usage, and allow it only for the browser based and mobile based apps.

Hybrid Flow: OAuth 2.0 flow in which

  • an Authorization Code is returned from the Authorization Endpoint,
  • some tokens are returned directly from the Authorization Endpoint, and others are returned (as a second stage, in exchange for the authorization code) from the Token Endpoint.
  • Used where both flows are needed.

see the specifications - it has been all written down already:

http://openid.net/specs/openid-connect-core-1_0.html and https://www.rfc-editor.org/rfc/rfc6749

in addition i've recently written a summary that breaks it down for different application types:

http://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/

Related

Entity Framework Core: How to get the Connection from the DbContext?
Is it always safe to modify the `**kwargs` dictionary?
How to add data dynamically to mat-table dataSource?
GitHub - Pull changes from a template repository
Continuous Integration for Xcode projects?
Can't download .exe, stuck at 99% for all browsers
Is it possible to keep Windows start menu search from accessing the internet?
How can I record audio to wav format?
How do I disable a program without uninstalling it in Windows 10?
Why did CPU clock speeds stop increasing? [duplicate]
How can I make windows 8 to ignore integrated graphics and only "see" the dedicated GPU?
Hosts file changes are not recognized in Windows 8