Basic OpenID Connect Flow with major endpoints
OIDC Endpoint | Description | Output | General Endpoint (subject to customization) |
---|---|---|---|
Issuer Endpoint / Base URL | The parent URL; the other endpoints are formed relative to it | NA | http://hostname/default |
Authorization Endpoint | Used by the resource owner to authenticate (and consent) | Authorization code | /authorize |
Token Endpoint | Used by the client to exchange the authorization code for tokens | Access token | /token |
User Info Endpoint | Used to retrieve claims about the authenticated user | User identity information | /userinfo |
Introspection Endpoint | Returns the current status of the access token, refresh token or ID token presented to it | true/false | /introspect |
Revocation Endpoint | Acts as the termination point for an access token or refresh token | 200 OK, no tokens returned | /revoke |
Logout Endpoint | Logs out the underlying server session | Redirects to the configured sign-in or post-logout page | /logout |
Discovery Endpoint | Lists the supported endpoints, supported signing algorithms and locale information | Provider metadata document | /.well-known/openid-configuration |
Sample Requests and Responses
OIDC Endpoint | Request | Response |
---|---|---|
Authorize Endpoint | GET https://server.provider.com/authorize?response_type=code&client_id=222334&redirect_uri=https%3A%2F%2Fclient.test.org%2Fcb&scope=openid%20profile&state=statedata | HTTP/1.1 302 Found  Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj |
Token Endpoint | POST /token HTTP/1.1  Host: server.provider.com  Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW  Content-Type: application/x-www-form-urlencoded  grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb | HTTP/1.1 200 OK  Content-Type: application/json  Cache-Control: no-cache, no-store  Pragma: no-cache  { "access_token": "SlAV32hkKG", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "id_token": "eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso" } |
UserInfo Endpoint | GET /userinfo HTTP/1.1  Host: server.provider.com  Authorization: Bearer SlAV32hkKG | Claims returned depend on the granted scopes: { "sub": "222222", "name": "test User", "given_name": "test", "preferred_username": "zelensky", "email": "testUser@provider.com" } |
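As an added example that is not part of the original post, here is the client-side half of the exchange above: building the /authorize request with a fresh state and nonce, checking the state echoed in the 302 back to redirect_uri, and validating the id_token that arrives with the /token response. It assumes an HS256-signed ID token keyed with the client secret from the sample's Basic header (s6BhdRkqt3:gX1fBat3bV); mint_id_token is a constructed stand-in for the provider, and an RS256 token would instead be verified against the keys published in the discovery document's jwks_uri.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

ISSUER = "https://server.provider.com"   # issuer from the page's sample; normally read from discovery
AUTHORIZE_EP = ISSUER + "/authorize"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorize_url(client_id, redirect_uri, scope="openid profile"):
    """Step 1: fresh state and nonce go into the user's session and are rechecked on the way back."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    q = urlencode({"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
                   "scope": scope, "state": state, "nonce": nonce})
    return AUTHORIZE_EP + "?" + q, state, nonce

def check_callback(query: dict, expected_state: str) -> str:
    """Step 2: the 302 back to redirect_uri must echo our state, or the code is not ours to use."""
    if not hmac.compare_digest(query.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    return query["code"]

def mint_id_token(claims: dict, client_secret: str) -> str:
    """Constructed stand-in for the id_token in the /token response (HS256 keyed with the client secret)."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    mac = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(mac)}"

def verify_id_token(id_token: str, client_secret: str, client_id: str, nonce: str, now=None) -> dict:
    """Step 3: check the signature first, then iss, aud, exp and nonce before trusting any claim."""
    h, p, sig = id_token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # reject alg=none and algorithm downgrades
    mac = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    aud = c.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if c.get("iss") != ISSUER:   raise ValueError("wrong issuer")
    if client_id not in aud:     raise ValueError("wrong audience")
    if c.get("exp", 0) <= now:   raise ValueError("expired")
    if c.get("nonce") != nonce:  raise ValueError("nonce mismatch (replayed token)")
    return c
```

Note that in the sample table the state sent to /authorize (statedata) and the one returned in the 302 (af0ifjsldkj) differ; check_callback would refuse that callback, which is exactly the point of the check.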