Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Introduction

The CoreOne Authentication Services uses OpenID Connect as the default protocol. While using this protocol, you are asked to choose one or multiple allowed authentication flows for each of the clients that you are registering. Oftentimes this can be confusing to administrators and developers alike, so this page aims to clarify all the questions you might have.

First off all we need to clarify the naming:

Available Flows

Authorization Code Flow

The authorization code flow allows you to request an authorization code that will be sent front-channel (the web-browser, Android app,…). From there, the front-channel can send the authorization code to the server-side, where the authorization code can be exchanged for an identity token by calling the authorization endpoint.

This flow does no expose the identity token directly to the front-channel. The only thing exposed to the front-channel is the authorization code. As this is vulnerable to the something called authorization code interception, its best-practice to also use PKCE (Proof Key Exchange), which you can simply activate in the client configuration in the CoreOne Suite Admin UI.

PKCE will be mandatory with OAuth 2.1, so it’s a good practice to already use it wherever you can.

Implicit Flow

With the implicit flow, you are sending the identity tokendirectly to the front-channel (the web-browser, Android App,…). That means that the front-channel is in possession of the identity token. For some applications, mostly web-applications, this is convenient as all the data from the token is directly accessible within the browser. But with convenience comes danger, as the identity token is present in the browser. To minimize the risk, the CoreOne Suite Authentication Service requires a nonce by default. But this must be checked by the client library as well.

Hybrid Flow

This flow allows both previous flows to be active at the same time.

Which one should I use?

The general consent here is to use authorization code flow with PKCE wherever possible. In most cases this is possible but this depends on the used library off the application. Developer usually do not have to implement OpenID Connect themselves. For some languages and frameworks like .NET there is built in support for OIDC and the developer simply has to configure it. For other languages like PHP there is no built in support and a developer can use one of the many available libraries. So there is a chance that this library is not supporting the authorization code flow with PKCE. If so, you should try to either use a different library or be aware of the risks that are attached to it.

  • No labels

© ITSENSE AG. Alle Rechte vorbehalten. ITSENSE und CoreOne sind eingetragene Marken der ITSENSE AG.