Closed jawadatgithub closed 9 years ago
Yes, all good ideas. 1) It's a time thing -- we only have so much time, and 2) I'm not sure we see it as our responsibility to document the specs to be more human readable. Of course this helps so that people can understand IdSvr better, but it gets back to the time issue and priorities.
Of course, this is where the community can get involved -- feel free to make a blog post. We can certainly link to it.
thanks for the input, please keep this issue open until I refine my understanding of the topic and update the post periodically [I assume one week will be sufficient]. at the end this should help save time to quickly answer many questions raised under IdentityServer3, I will also try to contribute in community questions.
about the OIDC and OAuth2 specs, its very hard to draw conclusion for use cases of Flows. so I will try to document my understanding of that gradually.
when I start looking to IdentityServer3 I wanted like many others (as appear in IdentityServer3 issues) to avoid the login redirect, but after reading and watching all your videos as well Dominick videos. I understood that's not the way to go unless I am fine with losing valuable features of IdS3 STS such SSO.
about blog post: yes I will do that in case you don't want include section for flows.
thanks again for your time.
Thank you, I think people will find this very useful. IdSrv has a very clean and well designed code, but it's still hard to grasp all the functionality from code. Documentation like this helps me and other people get started faster as people usually don't dive in the specs first to explore a new library. @jawadatgithub you can also create a public gist for this so people can fork it and help you with updates. But it would be best if it is added next to the rest of the IdSrv docs.
"don't imagine that all authentication requests in all flows handled by Authorization endpoint, Authorization Endpoint will only provide authentication (identity token) for Implicit flow."
Are you sure? In the samples I see Hybrid clients, MVC FormPost client, MVC CodeFlowClient also use the Authorization endpoint.
@omidkrad
Hybrid
you are correct, I updated.FormPost client
: Defines how to return OAuth2/OIDC Response parameters: means its not introducing new flow, based on my understanding FormPost
only work with (depends on) code, Implicit & Hybrid flows check here.code
, but Id_token (authentication request) obtained from token endpoint. in other words, in code flow: authorization endpoint not responsible for authentication, in samples: you can see it clearly.note
later that clarify OIDC authentication extension for OAuth2: in summary: OIDC authentication is based on Authenticate User Identity only, in OAuth2 all flows require authentication but not in the context of user identity. (for example: Client Credential Flow is not meant at all with user identity (or OIDC in general) but its still include authentication.Regarding # 2, I think it also includes Code flow? no?
thanks for following up,
I am not sure what you mean by # 2. let me clarify further, please notice the bold terms:
In other words, don't imagine that all authentication requests in all flows handled by Authorization endpoint, Authorization Endpoint will only provide authentication (identity token) for Implicit flow and Hybrid flow.
as I explained in point 4: CodeFlow: as explained in 'vs' question: Authorization Endpoint only provide code, but Id_token (authentication request) obtained from token endpoint. in other words, in code flow: authorization endpoint not responsible for authentication, in samples: you can see it clearly.
does that answer and clarify your input?
I finished drafting the document. I followed @omidkrad advice and made Gist:
Please let me know if you have any further comments or feedbacks within 24 hours before closing this issue. I hope its good enough to be embedded in Identityserver3 docs or at least linked..
This looks good @jawadatgithub, also thanks for clarifying about CodeFlow.
Thanks. Valuable post!!!
Hi,
I think OIDC and OAuth2 Flows are core concept that need to be well documented in separate section, currently I am not able to arrive to decision on what flow (or grant) I should use. understanding each flow and providing recommendation where each flow best fit through use cases would save big time for the community, avoid confusions and reduce implementation variations.
I didn't come here to complain, I appreciate the hard work and high quality efforts invested in IdentityServer3. I would like to list and share my current understanding of flows:
[Important] Choosing wrong flow leads to security threat.
Part one: Flow Types and Origin
- OAuth2 standard specs defined 4 grants + extensibility for custom grant:
Part Two: Explaining each of the five flow types
A. its mechanism/approach/process (set of steps) that allow client to obtain token(s) from STS/OP through Endpoints. in other words, the whole life cycle of any Authentication & Authorization request is bound by one of the flows. so its essential to first understand the meaning of endpoints, clients, tokens and terms already explained in IdentityServer3 docs.
A. In all flow types, any Authentication/Authorization request will be received by Authorization Endpoint or Token Endpoint only. so only two Endpoints handle the initial request. all other endpoints play important roles but not used during Authentication/Authorization request. and since flows focus on how Authentication/Authorization request being handled, this document will only focus on Authorization Endpoint & Token Endpoint.
- Authorization Endpoint: (in IdentityServer3 docs called: Authorization/Authentication Endpoint) Used to request:
You either use a web browser or a web view to start the process.
- Token Endpoint: Used to programmatically request or refresh tokens (authorization code flow, hybrid flow, resource owner password credential flow, client credentials flow and custom grant types).
[Important] ID tokens are meant for the client. Access tokens are meant for APIs. Don't send id tokens to APIs. ONLY case id_token sent to STS is EndSessionRequest but its optional.
Q. Which Flow Type in OpenID Connect (OIDC) / IdentityServer3 best fit the SPA use case?
A. Implicit flow designed for spa, client apps without server-side. Implicit flow is the default flow in IdentityServer3. although Implicit flow require redirectUri, it should be known that Google, Facebook, MS, Twitter, StackOverflow, GitHub, Yahoo...all follow the redirectUri concept. the main idea is any client (like web browser, native app) can't be trusted in Internet zone. in other words, if the SPA deployed in Intranet zone (on premise where all clients and users well known) (trusted environment) then its possible to honor seamless login experience over security. but since Intranet is pretty fast I still recommend to use Implicit flow for sake of consistency (would you like to make different branch of your code base if later on same SPA need to be deployed over internet?!)
Q. Which Flow Types designed to be used ONLY in trusted environment (like backend REST API/ micro-services isolated from internet, or owned servers/devices, in general: trusted OAuth2 clients)?
A.
Q. Authorization Code vs Implicit vs Hybrid vs Resource Owner Password Credential vs Client Credential Flows?
A. Authorization Code Flow:
code
obtained, webserver can talk with STS through the receivedcode
to obtain access token without browser involvement .Implicit Flow:
Hybrid Flow:
response_type
value in the initial request to authorization endpoint) (if all tokens returned from token endpoint Hybrid Flow will be clone of Authorization Code Flow).response type
of code combined with some other response type, e.g. id_token or token (or both).Resource Owner Password Credential Flow:
id_token
can't be obtained).Client Credential Flow:
id_token
can't be obtained).http://identityserver.github.io/Documentation/ https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows http://wso2.com/library/articles/2014/06/open-id-connect/ http://leastprivilege.com/ http://oauthlib.readthedocs.org/en/latest/oauth2/grants/grants.html https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 http://tools.ietf.org/html/rfc6749 http://openid.net/specs/openid-connect-core-1_0.html