how to guides

Identify – Attribute query

Identify – Attribute query Introduction The SAML 2.0 attribute query feature extends the capability of the SAML 2.0 protocol. The traditional SAML 2.0 function requires that the identity provider sends the federation partner all required user attributes. The attributes are […]

Token endpoint

Token endpoint To obtain an Access Token, an ID Token, and optionally a Refresh Token, the RP (Client) sends a Token Request to the Token Endpoint to obtain a Token Responses. Request URL:

URI parameters: Parameter Description client_id The […]


Terminology OAuth 2.0 – Common workflow The client submits an authorization request to the server, which validates that the client is a legitimate client of its service. The server redirects the client to the content provider to request access to […]

Support Authorization code grant

Support Authorization code grant (PKCE) OAuth 2.0 public clients using the Authorization Code Grant are susceptible to the authorization code interception attack. The Identify’s OAuth 2 implementation fully supports Authorization code grant (PKCE) which can mitigate against the threat through […]

OAuth2.0 session management with SSO/SLO scenario

OAuth2.0 session management with SSO/SLO scenario Identify OAuth 2.0 has full support for the session management specification. Discovery endpoint You can check the discovery endpoint of your Identify instance to see if the check_session_iframe and the end_session_endpoint feature have been […]

OAuth 2.0 – Resource Owner Password Credentials grant

OAuth 2.0 – Resource Owner Password Credentials grant Overview

The Resource Owner Password Credentials Grant (defined in RFC 6749, section 4.3) can be used directly as an authorization grant to obtain an access token, and optionally a refresh token. […]

Client authentication support: private_key_jwt

Client authentication support: private_key_jwt Identify OAuth 2.0 service provider allows its users to authenticate their clients with a private_key_jwt method. When an authorization server authenticates its clients with the private_key_jwt method, the clients must send a request that contains an […]

Pairwise Pseudonymous Identifier (PPID)

Pairwise Pseudonymous Identifier (PPID) Per the OpenID Connect core specification:

Identify supports both public and pairwise subject types as follows: public: Each client receives the same subject (sub) value. pairwise: Each client receives a different subject (sub) value to […]

OAuth 2.0 – Device flow

OAuth 2.0 – Device flow Overview The device flow is designed for devices that either do not have access to a browser or have limited input capabilities. This flow allows users to share specific data with an application while keeping […]

Client credentials flow for OpenId Connect and OAuth 2.0

Client credentials flow for OpenId Connect and OAuth 2.0 Overview With Client Credentials Flow (defined in RFC 6749, section 4.4) a Non Interactive Client (a CLI, a daemon, or a Service running on your backend), can directly ask Identify for […]