Skip to main content

Sample OpenId-Connect request

Authorization code flow

1. The client application creates a random String, named nonce, and sends to he user the following URL:

https://<identityprovider>/authorization?

redirect_uri=https://<serviceprovider>/response&

client_id=MYCLIENT&

nonce=12345679801234567890&

scope=openid&

response_type=code

2. Then, the user will be asked for a username and password, or any other means of authentication. After authenticating the user, the browser will be redirected to the URL configured in the service provider page, adding a one-time authorization code.

https://<serviceprovider>/response/?
code=XXXXXXXXXXXXXXX&
nonce=12345679801234567980

3. Once the service provider has received the one-time authorization code, it can connect to the identity provider to retrieve the oauthoAuth token, as well as the OpenID token.

POST https://<YOUR_SERVER>:2443/token

Accept: application/json

Authorization: Basic dGVzdDp0ZXN0

Content-Type: application/x-www-form-urlencoded

 

grant_type=authorization_code&code=XXXXXXXXXXXX

 The parameters sent are:

  • Authorization: contains, coded in base 64, the client id and the client secret, as it would have been sent for a standard Basic authentication header. The identity provider will match these against the stored credentials.

  • grant_type: should be authorization_code.

  • code: should be the one-time authorization code received in the previous requested.

The response will look like this

{

&&TODO&&    "access_token":"8bDP2P...",

    "refresh_token":"gjLmSW...",

    "id_token":"eyJra.eyJ.LQ_XtHKr.RY3A4...",

    "token_type":"Bearer",

    "expires_in":11998

}

  • The id_token  tag contains the OpenId token.
  • The access_token tag contains the oAuth token.

1.4. TheBefore clthe number of seconds specified om expires_in are elapsed, the token can be renewed by invoking again the token endpoint changing the grant_type:

POST https://<YOUR_SERVER>:2443/token

Accept: application/json
Authorization: Basic dGVzdDp0ZXN0
Content-Type: application/x-www-form-urlencoded

 

 grant_type=refresh_token&refresh_token=XXXXXXXXXXXX

The parameters sent are:

  • Authorization: contains, coded in base 64, the client id and the client secret, as it would have been sent for a standard Basic authentication header. The identity provider will match these against the stored credentials.
  • grant_type: should be refresh_token.
  • refresh_code: should be refresh code received in the previous requested.

The response will look like this:

{

1.  The  cl"access_token":"8bDP2P...",

    "refresh_token":"gjLmSW...",

    "id_token":"eyJra.eyJ.LQ_XtHKr.RY3A4...",

    "token_type":"Bearer",

    "expires_in":11998

}

User’s password + client credentials flow