CIS 2015 OpenID Connect and Mobile Applications - David Chase
3. Implicit
• When using the Implicit Flow, all tokens are returned
from the Authorization Endpoint; the Token Endpoint is
not used.
• The Access Token and ID Token are returned directly
to the Client
• The Authorization Server does not perform Client
Authentication.
Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
4. Implicit Flow
1. Client prepares an Authentication Request
containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
5. Implicit Flow Continued
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the
Client with an ID Token and, if requested, an Access
Token.
6. Client validates the ID Token and retrieves the End-User's Subject Identifier.
6. Prepare Authentication Request
• http://openid.net/specs/openid-connect-implicit-1_0.html#AuthenticationRequest
7. Preferences
• System Browser
  • Pros
    • May have session
    • HTTPS is visible
  • Con
    • Poor UX
9. End User grants authZ
• http://openid.net/specs/openid-connect-implicit-1_0.html#ImplicitOK
11. Validate the ID_token
• http://openid.net/specs/openid-connect-implicit-1_0.html#IDTokenValidation
12. Access Token Validation
• http://openid.net/specs/openid-connect-implicit-1_0.html#AccessTokenValidation
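Added example, not from the slides: a Python sketch of the client-side checks behind slides 11 and 12 (ID Token claim validation and the at_hash check that binds the Access Token to the ID Token). It assumes the ID Token signature was already verified by a JOSE library; the function names, issuer, client_id, nonce and token values are constructed for illustration.

```python
import base64
import hashlib
import time

# Hash used for at_hash, chosen by the ID Token's JOSE header "alg".
HASH_FOR_ALG = {"RS256": hashlib.sha256, "RS384": hashlib.sha384,
                "RS512": hashlib.sha512}


def at_hash(access_token, alg="RS256"):
    """base64url (unpadded) of the left-most half of hash(ASCII access token)."""
    digest = HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def validate_implicit_response(claims, alg, issuer, client_id, nonce,
                               access_token=None, now=None):
    """Validate claims of an ID Token whose signature is ALREADY verified.

    Returns the End-User's Subject Identifier; raises ValueError otherwise.
    """
    now = time.time() if now is None else now
    if alg not in HASH_FOR_ALG:  # rejects "none" and unexpected algorithms
        raise ValueError("unexpected alg")
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("client_id not in aud")
    # Stricter than the spec's SHOULD: several audiences require azp == us.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    if not nonce or claims.get("nonce") != nonce:  # replay protection
        raise ValueError("nonce mismatch")
    # Access Token validation: binds the token to this signed ID Token.
    if access_token is not None and claims.get("at_hash") != at_hash(access_token, alg):
        raise ValueError("at_hash mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims["sub"]


# Constructed sample values (not from the slides).
SAMPLE_TOKEN = "constructed-access-token-123"
SAMPLE_CLAIMS = {"iss": "https://op.example", "aud": "mobile-app", "sub": "user-42",
                 "exp": 2_000_000_000, "nonce": "n-0S6_WzA2Mj",
                 "at_hash": at_hash(SAMPLE_TOKEN)}
```

The nonce passed in must be the value the client generated for its own Authentication Request and kept locally, never one taken from the response.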
15. Authorization Code
• NO NO NO NO!
• Well… sorta
16. Hybrid Flow
• When using the Hybrid Flow, some tokens are
returned from the Authorization Endpoint and others
are returned from the Token Endpoint.
• An example use case is a native application which
passes tokens to backend APIs.