Obtaining User Authorization
The process of obtaining user authorization for OpenID Connect is nearly identical to the process of obtaining authorization for any OAuth 2.0 enabled API. You can use either the client-side implicit flow (as described in Chapter 3) or the server-side web app flow (as described in Chapter 2).
As with any usage of these flows, the client generates a URL pointing at the OAuth Authorization Endpoint and redirects the user to that URL. The following parameters are passed:
client_id
The value provided to you when you registered your application.
redirect_uri
The location the user should be returned to after they approve the authentication request.
scope
openid
for a basic OpenID Connect request. If your client needs access to additional profile information for the user, additional scopes can be profiled in this space-delimited string:profile
,email
,address
.response_type
id_token
to indicate that anid_token
is required for the application. Additionally, a response type oftoken
orcode
must be included, separating the two response types by a space.token
indicates the client-side Web Application flow, whilecode
indicates the server-side Web Application flow.nonce
A unique value used by your application to protect against replay and cross-site request forgery (CSRF) attacks on your implementation. The value should be a random unique string for this particular request, unguessable and kept secret in the client (perhaps in a server-side session). This identical value ...
Get Getting Started with OAuth 2.0 now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.