...
The CoreOne Authentication Services uses OpenID Connect as the default protocol. While using this protocol, you are asked to choose one or multiple allowed authentication flows for each of the clients that you are registering. Oftentimes this can be confusing to administrators and developers alike, so this page aims to clarify all the questions you might have.
First off of all we need to clarify the naming:
...
This flow does no expose the identity token
directly to the front-channel. The only thing exposed to the front-channel is the authorization code
. As this is vulnerable to the something called authorization code interception, its best-practice to also use PKCE (Proof Key Exchange), which you can simply activate in the client configuration in the CoreOne Suite Admin UI.
...
The general consent here is to use authorization code flow with PKCE wherever possible. In most cases this is possible, but this depends on the used library off the application. Developer usually do not have to implement OpenID Connect themselves. For some languages and frameworks like .NET there is built in support for OIDC and the developer simply has to configure it. For other languages like PHP there is no built-in support and a developer can use one of the many available libraries. So there is a chance that this library is not supporting the authorization code flow with PKCE. If so, you should try to either use a different library or be aware of the risks that are attached to it.
...
Client credentials
This is the most simplest version of all the flows which can be used to secure connections between two server systems. As the name already indicates, there is no user involved in this flow. The token is issued simply by providing a client_id
and client_secret
to the CoreOne Authentication serverServices. As long as they match, a token is issued, that does not contain any personal information.
It’s good practice to work with, at least on API Resource here. By adding the appropriate api_resource
or to be more precise, a scope
containing the api_resource
to the client configuration in the CoreOne Admin UI. This way you can - like with any other flow as well - indicate the intention of the token. The example below is issued to a test client, and we can clearly see that this client does have access to the cos_app_api
and the cos_auth_api
as indicated in the scope
and the aud
.
...
With a request owner password flow
or simply password flow
, you can request a token on behalf of the user. With this non-interactive flow, you simply send the username and the password of the user with the authorization request. But as this is a non-interactive flow, the username and password of the user most be gathered somehow, so this is mainly used in legacy applications where a user might enter username and password on the applications application's login mask rather than on the CoreOne Authentication Servers Services login form. It's best practice to only use this flow as a way of migrating to a more appropriate flow like authorization code, implicit or hybrid flow.
...
This flow is specifically designed for browserless systems or a system with no input device attached, hence the word device. In this flow, the authentication is outsourced to an external device. This is typically used by IoT devices. A good example might be a smart TV where you have to confirm the login process on your mobile device by clicking on a link that has been sent to your email address. There is only limited support within the CoreOne Authentication Service Services for this flow as of this day.