DEV Community

Graham Cox
Graham Cox

Posted on

5

OAuth 2.0 and OpenID Connect Flows

#oauth2 #openid #discuss

This post is partly for my own benefit, and partly for people to tell me that I've completely misunderstood things. So please, if it's wrong then tell me!

OAuth 2.0 offers two standard flows:

  • Authorization Code Grant - response_type=code
  • OAuth 2.0 Implicit Grant - response_type=token

OpenID Connect then augments these with the following:

  • OIDC Implicit Grant - response_type=id_token token or response_type=id_token
  • Hybrid Flow - response_type=code id_token, response_type=code token or response_type=code id_token token

In actuality, these all work in the exact same way:

  • If response_type contains code then generate and return an Authorization Code that can be exchanged for an Access Token
    • In this case, if scope contains openid then include an ID Token as well as an Access Token in the response from the Token endpoint.
  • If response_type contains token then generate and return an Access Token - though probably a more tightly restricted one that expires sooner.
    • In this case, return the parameters as a Fragment on the redirect. If this is not present then return the parameters as a Querystring instead.
  • If response_type contains id_token then generate and return an ID Token.

These three rules can then be mixed and matched however is wished to give the combinations that are covered in the spec.

However, interestingly enough, if you follow these three rules instead then you get more flexibility. For example, the specs allow for all 7 combinations but only in a specific ordering - which happens to be alphabetical. Ignoring that fact would allow you to also accept:

  • code token id_token
  • token code
  • id_token code token
  • etc

I don't see that there's a whole lot of benefit to this, but the flexibility that you gain by making the rules simpler seems to be of some use.

Additionally, the rules for mandatory inputs are apparently that:

  • scope - always REQUIRED
  • response_type - always REQUIRED
  • client_id - always REQUIRED
  • redirect_uri - always REQUIRED
  • state - always RECOMMENDED
  • nonce - REQUIRED if response_type contains id_token but not code. OPTIONAL otherwise.
    • I don't get this one, but the OpenID Connect specification explicitly marks nonce as REQUIRED only during the OIDC Implicit Flow, and not in the others.

Am I missing anything here? Or is it really that this simpler interpretation gives everything needed from the spec?

Heroku
 Promoted

Heroku

The AI PaaS for deploying, managing, and scaling apps.

Heroku tackles the toil — patching and upgrading, 24/7 ops and security, build systems, failovers, and more. Stay focused on building great data-driven applications.

Get Started

Top comments (0)

Stellar Development Foundation
 Promoted

Dev Diairies image

User Feedback & The Pivot That Saved The Project ↪️

We’re following the journey of a dev team building on the Stellar Network as they go from hackathon idea to funded startup, testing their product in the real world and adapting as they go.

Watch full video 🎥

👋 Kindness is contagious

Discover this thought-provoking article in the thriving DEV Community. Developers of every background are encouraged to jump in, share expertise, and uplift our collective knowledge.

A simple "thank you" can make someone's day—drop your kudos in the comments!

On DEV, spreading insights lights the path forward and bonds us. If you appreciated this write-up, a brief note of appreciation to the author speaks volumes.

Get Started