Advanced topics

Client credentials flow for OpenId Connect and OAuth 2.0

Client credentials flow for OpenId Connect and OAuth 2.0 Overview With the Client Credentials Flow (defined in RFC 6749, section 4.4), a non-interactive client (a CLI, a daemon, or a service running on your backend) can directly ask Identify for […]

Passing Request parameters as JWTs

Passing Request parameters as JWTs The request Authorization Request parameter enables OpenID Connect requests to be passed in a single, self-contained parameter, and to be optionally signed and/or encrypted. It represents the request as a JWT whose Claims are the […]

Where to return user claims – Access token or ID token

Where to return user claims: Access token or ID token By default, user claims are returned along with the Access token. However, in some cases, a customer wants the user claims to be in the ID token instead. From 5.6 […]

OAuth2.0/OpenID Connect – FAQ

Question: The authorization request which is sent to Identify contains the scope: openid. However, Identify returns the error code: invalid_scope, like this sample:

What could be going wrong here? Answer: “openid” is the special scope to define the current OAuth2.0 […]

Hosted forms

What is a hosted form A hosted form is a customized HTML page of Identify Runtime that allows a user to edit the HTML, binding, CSS and JavaScript of that page using the REST API or Safewhere Admin; its content is stored in the SharedConfigurationSettings table. Because of security issues, the hardest part of hosted forms […]

OAuth 2.0 samples

New samples

AspnetWebMvc: This is a web application using the ASP.NET MVC framework. This sample shows how to execute OAuth 2.0 requests using the code flow, implicit flow and hybrid flow. Link: https://github.com/Safewhere/OIDC/blob/master/src/CSharp/AspnetWebMvc

NancyOwinClient: This is a web application using the Nancy framework. […]

Enhancements and bug fixes – version 5.5

Enhanced verification URI on device-pairing flow

There are two enhancements to the device-pairing flow in Identify version 5.5.

It supports “verification_uri_complete” in the device authorization response, which is designed for non-textual transmission.

If user_code exists in the verification URL, it is filled into the user code textbox with the message “please confirm that the code […]

Support more options for parameter “prompt” on authorization request

According to the OpenID Connect Core specification, an authentication request can optionally carry the prompt parameter for some specific login flows. This parameter specifies whether the Identify OAuth 2.0 server prompts the End-User for re-authentication. In version 5.4, two options (‘login’ and ‘none’) are supported. From version 5.5, we added […]

Hybrid flow

OpenIDConnect – Hybrid flow The hybrid flow is another OAuth 2.0 feature that Identify supports from version 5.5. The specification is at https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth. In short, this flow is a combination of the code flow and the implicit flow. It […]

Registration endpoint

Dynamic client registration The dynamic client registration feature is the implementation of RFC 7591, which adds a dynamic endpoint that allows you to register OpenID Connect applications dynamically with the Identify OAuth 2.0 authorization server. Dynamic client registration endpoint Request URL:

[…]