Obtaining User Authorization
The process of obtaining user authorization for OpenID Connect is nearly identical to the process of obtaining authorization for any OAuth 2.0 enabled API. You can use either the client-side implicit flow (as described in Chapter 3) or the server-side web app flow (as described in Chapter 2).
As with any usage of these flows, the client generates a URL pointing at the OAuth Authorization Endpoint and redirects the user to that URL. The following parameters are passed:
client_idThe value provided to you when you registered your application.
redirect_uriThe location the user should be returned to after they approve the authentication request.
scopeopenidfor a basic OpenID Connect request. If your client needs access to additional profile information for the user, additional scopes can be profiled in this space-delimited string:profile,email,address.response_typeid_tokento indicate that anid_tokenis required for the application. Additionally, a response type oftokenorcodemust be included, separating the two response types by a space.tokenindicates the client-side Web Application flow, whilecodeindicates the server-side Web Application flow.nonceA unique value used by your application to protect against replay and cross-site request forgery (CSRF) attacks on your implementation. The value should be a random unique string for this particular request, unguessable and kept secret in the client (perhaps in a server-side session). This identical value ...
Get Getting Started with OAuth 2.0 now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
