OAuth 2.0 - Common workflow

  1. The user, through the browser, requests a protected resource from the client application; the client application decides that it needs the user's authorization before it can serve the request.
  2. The client application redirects the browser to the authorization server (Identify) with an authorization request carrying its client_id, the redirect URI, the requested scope and a state value. The authorization server checks that the client_id belongs to a registered client and that the redirect URI is one registered for it.
  3. The authorization server authenticates the user and, usually, asks for consent to the requested access.
  4. The authorization server redirects the browser back to the client application's redirect URI, reporting success or failure. On success the redirect carries an authorization code together with the echoed state; the client application must check the state against the value it sent before using the code.
  5. The client application sends the authorization code in a direct back-channel request to the authorization server's token endpoint, authenticating itself as the client, and exchanges it for an access token (and optionally a refresh token and an ID token).
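The client application's side of the five steps above, as an added example that is not part of the original page or of Identify's own code. It builds the authorization request (steps 1 and 2), validates the callback (step 4) and prepares the back-channel token request (step 5). The endpoint URLs, client_id and redirect URI are placeholders; the real values come from the Identify runtime's OAuth 2.0 metadata and the client registration. PKCE (RFC 7636) and a nonce are added because a practitioner would use them; the page itself only mentions the code and state.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical endpoints: real values come from the Identify runtime's OAuth 2.0 metadata.
AUTHORIZE_ENDPOINT = "https://identify.example/runtime/oauth2/authorize"
TOKEN_ENDPOINT = "https://identify.example/runtime/oauth2/token"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, redirect_uri: str, scope: str = "openid profile"):
    """Steps 1-2: mint the per-login secrets and the URL the browser is redirected to.

    Returns (url, session). The session dict must be stored server-side against the
    user's browser session; it is what the callback is validated against.
    """
    session = {
        "state": secrets.token_urlsafe(32),          # binds the callback to this browser session
        "nonce": secrets.token_urlsafe(32),          # echoed in the ID token, defeats replay
        "code_verifier": secrets.token_urlsafe(64),  # PKCE: binds the code to this client instance
        "redirect_uri": redirect_uri,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def handle_callback(callback_url: str, session: dict) -> str:
    """Step 4: the browser lands on redirect_uri; validate before trusting the code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    # The state is the CSRF token of this flow: compare in constant time, reject if absent.
    if state is None or not secrets.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def build_token_request(code: str, session: dict, client_id: str, client_secret: str) -> dict:
    """Step 5: form body of the back-channel POST to TOKEN_ENDPOINT (never sent via the browser)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": session["redirect_uri"],     # must equal the one used in step 2
        "client_id": client_id,
        "client_secret": client_secret,              # or another client authentication method
        "code_verifier": session["code_verifier"],   # lets the server verify the PKCE challenge
    }


if __name__ == "__main__":
    url, sess = build_authorization_request("my-client", "https://app.example/cb")
    print("redirect the browser to:", url)
    # Constructed callback, as the authorization server would send it on success:
    callback = f"https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={sess['state']}"
    code = handle_callback(callback, sess)
    print("POST to token endpoint:", build_token_request(code, sess, "my-client", "s3cret"))
```

The token request body is returned rather than sent so the example runs offline; in a real client it is POSTed as `application/x-www-form-urlencoded` over TLS to the token endpoint, and the session dict is discarded once the code has been redeemed so a replayed callback cannot be accepted twice.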

Token management

Authorization code

This is a short-lived, single-use token representing the user's access grant. The authorization server creates it and passes it to the client application through the browser. The client application then sends the authorization code to the authorization server's token endpoint to obtain an access token and, optionally, a refresh token.

Access token

This is what the client presents to make authenticated requests on behalf of the end user. It contains information about the client and, when the grant involves a user, about the user. The access token is also what the client presents to the userinfo.idp endpoint to request additional claims about the user.

The following claims in the access token content are worth noting:

  • iss: This claim identifies the principal that issued the access token. In previous versions the Identify Entity Id was used as the issuer of Identify OAuth 2.0 tokens, which did not comply with the specification. From version 5.5 the issuer is the Identify runtime's URL (https://#identifydomain/runtime/oauth2).
  • urn:anyid:role: This claim identifies the user's authorization (role) when calling the Identify REST API.
  • urn:internal:userid: This claim identifies the Identify user ID. Some Identify REST API methods require that the access token in use contains this claim.

The access token sample:

Refresh token

This is used to obtain a new access token when the current one expires, without involving the user again. Because it lives longer than the access token, it must be stored securely by the client and sent only to the token endpoint, never to resource servers.

ID token

The ID token is an assertion of the end user's authentication state that the authorization server makes to the client. That is, an ID token can be considered proof that a specific user is logged in. The client application uses the ID token to log the user in on its own side; it is not used against any resource servers. It's also worth noting that the ID token is used for single logout (SLO) too.

The ID token sample:

Note: on logout, Identify validates the audience (aud) of the ID token presented against the client_id of the client requesting the logout, and rejects the request if they do not match.
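The checks a client should run on the tokens described above, as an added example that is not part of the original page or of Identify's own code: signature check, then issuer against the runtime URL, audience against the client's client_id (the same comparison Identify applies on logout), expiry and nonce for the ID token, and presence of the urn:internal:userid and urn:anyid:role claims before an access token is used against the Identify REST API. The issuer URL, client_id and all tokens are constructed; the sample tokens are signed with HS256 and a shared secret only so the example runs offline, whereas real Identify tokens must be verified against the runtime's published signing key.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values: the issuer is the Identify runtime URL, the client_id the one registered for the app.
ISSUER = "https://identify.example/runtime/oauth2"
CLIENT_ID = "my-client"
# Constructed signing key, only so the sample runs offline. Real Identify tokens are verified
# against the runtime's public signing key, not a shared secret.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Construct an HS256 JWT for the sample (stands in for a token minted by Identify)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_signature(token: str) -> dict:
    """Check the signature before reading any claim; pin the algorithm instead of trusting the header."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def validate_id_token(token: str, expected_nonce: str, now: float = None) -> dict:
    """Claim checks before logging the user in, and before presenting the ID token for logout."""
    now = time.time() if now is None else now
    claims = verify_signature(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer is not the Identify runtime")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:                    # the same audience-vs-client_id check Identify applies on logout
        raise ValueError("audience does not contain this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def rest_api_identity(access_token: str) -> tuple:
    """Read the Identify-specific claims a REST API call depends on; fail if either is absent.

    Not every REST API method needs urn:internal:userid, so relax this for methods that do not.
    """
    claims = verify_signature(access_token)
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer is not the Identify runtime")
    try:
        return claims["urn:internal:userid"], claims["urn:anyid:role"]
    except KeyError as missing:
        raise ValueError(f"access token lacks {missing} claim") from None


if __name__ == "__main__":
    now = time.time()
    id_token = make_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                           "exp": now + 300, "nonce": "n-1"})
    print("ID token claims:", validate_id_token(id_token, "n-1"))
    access_token = make_token({"iss": ISSUER, "urn:internal:userid": "user-1",
                               "urn:anyid:role": "Admin"})
    print("REST API identity:", rest_api_identity(access_token))
```

The algorithm is pinned in `verify_signature` rather than read from the token header so that a token claiming `alg: none` or a different algorithm is rejected outright; when switching to the runtime's public key, keep that pin and swap only the HMAC comparison for the asymmetric verification.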