01 January 2019

OAuth 2.0 and OpenID Connect (OIDC) flows

Four grant types (flows) defined in OAuth 2.0 (RFC 6749):
  • Authorization code flow:
    • the auth server sends the client an authorization code through the browser redirect (front-channel); the client then exchanges that code for the access token in a direct call to the token endpoint (back-channel), so the access token itself never passes through the browser
    • fit for web apps with a server-side component (confidential clients that can keep a client secret); with PKCE (RFC 7636) it is also the recommended flow for native and single-page apps
    • has a refresh token
    • the client must check the state parameter on the callback (CSRF protection), and the code is single-use and short-lived
  • Implicit flow:
    • auth server sends the access token directly in the redirect URL fragment, with no code exchange step
    • designed for browser-based clients that cannot keep a secret (SPAs); native apps used it too, but because the token travels through the browser (URL, history, referrer, extensions) it is now discouraged in favour of the code flow with PKCE
    • doesn't have a refresh token; the usual workaround is a silent re-authorization (hidden iframe with prompt=none) to obtain a fresh token
  • Resource owner password credentials flow:
    • the client app gets a token by sending the resource owner's username/password straight to the auth server
    • fit only for enterprise-trusted first-party apps (like an on-prem JIRA server where the user enters LDAP credentials, or a mobile front-end talking to its own backend), because the client app sees the password in clear; never for third-party clients
    • has a refresh token
  • Client credentials flow:
    • service-to-service flow, no human interaction; the client authenticates with its own credentials and gets a token for itself
    • normally no refresh token (the client simply requests a new token with its credentials)
OpenID Connect (OIDC) builds on top of OAuth 2.0 by adding extra pieces such as the id_token (a signed JWT carrying claims about the authenticated user) and the UserInfo endpoint. It reuses the first two OAuth flows (code and implicit) and adds a hybrid flow that combines them; in every case the client must validate the id_token (signature, iss, aud, exp, nonce) instead of trusting it blindly.
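The following is an added example, not code from the original post: an in-process simulation of the authorization code flow with PKCE, finishing with the OIDC id_token checks described above. Both the client and the toy authorization server are stand-ins written for illustration; the issuer URL, client_id, redirect URI and the HS256 shared secret are assumptions (real providers sign id_tokens with RS256/ES256 keys published via JWKS). The point it shows is which checks sit on each side: the client binds the callback to its session with state and the id_token with nonce, and the server enforces single-use codes, the registered redirect_uri and the PKCE S256 verifier.

```python
"""Authorization code flow + PKCE + id_token validation, simulated in-process.
Added illustrative example; endpoint URLs, client_id and HS256_SECRET are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

AS_ISSUER = "https://as.example"         # assumed issuer / base of the authorize endpoint
CLIENT_ID = "web-app"                    # assumed registered client_id
REDIRECT_URI = "https://app.example/cb"  # assumed registered redirect URI
HS256_SECRET = b"demo-shared-secret"     # assumed; toy HS256 instead of a provider's RS256 key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_hs256(claims: dict) -> str:
    """Minimal HS256 JWT used by the toy AS to mint an id_token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


# ---- client side: build the front-channel authorization request ----------------
def start_authorization():
    """Return (authorize_url, pending). state/nonce bind the response to this session;
    the PKCE code_verifier stays on the client until the back-channel exchange."""
    verifier = b64url(secrets.token_bytes(32))                    # RFC 7636 code_verifier
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())  # S256 code_challenge
    pending = {"state": b64url(secrets.token_bytes(16)),
               "nonce": b64url(secrets.token_bytes(16)), "verifier": verifier}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AS_ISSUER}/authorize?{urlencode(params)}", pending


# ---- toy authorization server -------------------------------------------------
class ToyAS:
    def __init__(self):
        self.codes = {}  # code -> {challenge, nonce, redirect_uri, sub}

    def authorize(self, url: str, user_sub: str) -> str:
        """User has authenticated and consented: store the PKCE challenge with a
        fresh code and redirect back to the client with code + echoed state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"challenge": q["code_challenge"], "nonce": q["nonce"],
                            "redirect_uri": q["redirect_uri"], "sub": user_sub}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, verifier: str, redirect_uri: str) -> dict:
        """Back-channel exchange: single-use code, redirect_uri match, PKCE S256 check."""
        rec = self.codes.pop(code, None)  # pop => a replayed code is rejected
        if rec is None or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        derived = b64url(hashlib.sha256(verifier.encode()).digest())
        if not hmac.compare_digest(derived, rec["challenge"]):
            raise PermissionError("invalid_grant: PKCE verifier mismatch")
        now = int(time.time())
        claims = {"iss": AS_ISSUER, "sub": rec["sub"], "aud": CLIENT_ID,
                  "iat": now, "exp": now + 300, "nonce": rec["nonce"]}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer",
                "refresh_token": b64url(secrets.token_bytes(24)), "id_token": jwt_hs256(claims)}


# ---- client side: handle the callback and validate the id_token ---------------
def finish_authorization(callback_url: str, pending: dict, as_: ToyAS) -> dict:
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), pending["state"]):
        raise PermissionError("state mismatch (possible CSRF)")
    tokens = as_.token(q["code"], pending["verifier"], REDIRECT_URI)
    header, body, sig = tokens["id_token"].split(".")
    expected = hmac.new(HS256_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise PermissionError("id_token signature invalid")
    claims = json.loads(b64url_decode(body))
    if claims["iss"] != AS_ISSUER or claims["aud"] != CLIENT_ID:
        raise PermissionError("id_token issuer/audience mismatch")
    if claims["nonce"] != pending["nonce"] or claims["exp"] < time.time():
        raise PermissionError("id_token nonce mismatch or expired")
    return {"sub": claims["sub"], "access_token": tokens["access_token"],
            "refresh_token": tokens["refresh_token"]}


def demo(user_sub: str = "alice") -> dict:
    """Run one full round trip and return the client's view of the logged-in user."""
    as_ = ToyAS()
    url, pending = start_authorization()
    callback = as_.authorize(url, user_sub)
    return finish_authorization(callback, pending, as_)
```

Running demo() returns the sub plus access and refresh tokens; replaying the same callback, presenting a wrong code_verifier, or answering with a state that does not match the session each raise PermissionError. Those three failures are exactly what distinguishes the code flow from the implicit flow: there is a second, authenticated step where the server can check who is redeeming the code.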
