openid & other
104
docs/openid/glossary.md
Normal file
@@ -0,0 +1,104 @@
# Glossary
# Oauth
## Ressource owner
The user that will allow the app to read ressources that he/she will grant access for
ex: the person that has a mail account
## Client
The application that is requesting the ressources to use them on the behalf of the user
ex : a mass mailing list service to all your contacts
## Authorization server
The application that knows the resource owner because it has an account there
ex: the mail server authentication service
## Resource server
The API that the client will use on behalf of the user
ex : the contact list API
## Redirect uri
Url that will be used by the authorization server to send back the ressource owner to the client app after consenting to ressources access
ex : mass mailing list "contact retrieve success/failure" page
## Response type
Response type expeted by the client, usually "code" for an authorization code
## Scope
Granular permission that the client wants
ex: read contacts, read profile
## Consent
The auhorization server takes the scopes that the clients requests and let the ressource owner choose to acccept them or not
ex: access to your contacts ?
## Client Id
To identify the client with the authorization server
## Client secret
Shared between authorization server and client
## Authorization code
Temporary code sent by authorization server to client
The client then privately sends the authorization code along with the client secret to tha authorization server, in exchange for an access token
## Access token
Key the client will use to communicate withe the ressource server
## Refresh token
Token to get a new access token
# OIDC
## Oauth vs Oidc
Oauth provides only a token for application access without any info on the user. OpenId adds information on the user.
* Oauth enables an app to access ressources
* Oidc enables an app to establish a login session and to access info about the user
## End user
Oauth Resource Owner
## Relaying party
Oauth client
## Identity provider
OIDC enabled Oauth authorization server
## IdToken
JWT token added to access token by OIDC with your identity info.
## Claims
Attributes of the Id Token
* Subject : uid for the user
* Issuing Authority : url of identity provider
* Audience : irdentifies the relying party that can use this token
* Issue Date
* Expiration Date
* [Authentication Time]
* [Nonce] : prevent replay attacks
* [Name]
* [Email]
## Scopes
openid is a mandatory scope
There a are 4 openid predefined scopes :
* profile : access to the default profile claims
* email
* address
* phone
## Identity provider Endpoints
Several predefined endpoints exist on the Identity provider
* Authorization endpoint
* Token endpoint
* UserInfo endpoint
## Recommended authorization flows
* Authorization code
* Authorization code with PKCE (Proof Key for Code Exchange) : for devices
## PKCE
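Review bot: the PKCE heading that closes the hunk has no body, and the bullet just above it, `* Authorization code with PKCE (Proof Key for Code Exchange) : for devices`, narrows PKCE to devices; PKCE is the protection for every client that cannot hold a client secret (mobile apps, single-page apps, native and CLI clients) and is also recommended for confidential clients, so either write the section with that scope or drop the empty heading until it exists. Two definitions earlier in the hunk should be tightened in the same pass: under Client secret, `Shared between authorization server and client` should say it is a confidential credential kept only on the client's back end and never shipped inside a browser or mobile binary, which is the reason the PKCE entry exists at all; under IdToken, `JWT token added to access token by OIDC with your identity info.` reads as if the ID token is embedded in the access token, whereas it is a separate token returned alongside it, and the entry should state that the relying party must verify its signature, issuer, audience, expiry and nonce before trusting any claim (the Audience and Nonce bullets under Claims already point at this, so a one-line cross-reference would do). Spelling in headings that other docs will link to: Ressource owner (resource), Relaying party (relying, as the Audience bullet already spells it), plus expeted, auhorization, irdentifies, withe and tha in the body text.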