Accueil > OpenID Connect OAuth Server by DnC > Develop > OpenID Connect

OpenID Connect is an authentication protocol built on top of OAuth 2.0 which forms the authorization delegation layer.
Find more information in the french version.

OpenID Connect : Grant Type flows

  (publié initialement le vendredi 3 mai 2019) par DnC

The Grant Type flows specifically defined for the OpenID Connect protocol are :
- Authorization Code Grant,
- Implicit Grant,
- Hybrid Flow.


See also : OpenID Connect : Summary of all authorization flows.


Authorization Code Flow (spec. : Authorisation code flow) - the most commonly used stream for traditional web applications as well as native / mobile applications. Involves an initial redirection of the browser to the authentication server for authentication and user consent, and then a second request from the client application to retrieve the ID token.

The flow diagram is identical to its counterpart of OAuth 2.0, the difference being the Token Token that accompanies the access token.

The signing of this token provides protected resource servers (RS) with the opportunity to validate the token locally, provided that a key form is known to them.

Authorization code flow provides optimal security because :
- the application secret, resident on the server, is protected,
- tokens are not revealed to the browser (only run in a server-server connection),
- the client application can be authenticated, just like the end user,
- the signature of the token binds indissolubly : the identity of the end user, the identity of the application, the scope of the authorization.

The implementation of this flow within the framework of OAuthSD is detailed here : OpenID Connect : Autorisation via un code (Authorization Code Flow).

Implicit Flow (spec. : Implicit flow) - for browser-based applications that do not have a backend, such as a Javascript application. This stream is also used for single page applications (SPA). The identification token is received directly with the redirection response of the OP. No call to the return channel is required here. Because of this, the client can not be authenticated.

The implementation of this flow within the framework of OAuthSD is detailed here :Autorisation implicite.

Hybrid Flow (spec. : Hybrid Flow) - Essentially a combination of code and implicit flows, rarely used. It reads : "Allows the front-end and back-end application to receive tokens separately from each other". It seems more secure and just as easy to separately apply a flow of code and an implicit flow.

The Implicit and Hybrid feeds are implemented by OAuthSD but their use is discouraged because they do not have the security advantages attached to OpenID Connect :
- they compromise the application secret which is easily accessible to the public,
- they expose the tokens to the browser of the end user, which makes possible exploitation by a malware,
- they do not authenticate the client application.

Notes :
- The features of OAuth 2.0 are integrated into the OpenID Connect protocol. All features of OAuth 2.0 and OpenID Connect can therefore be reached by OpenID Connect Endpoints, especially OAuth 2.0 Client / User Credentials. All flows are summarized here : OpenID Connect : Synthèse des flux d’autorisation (Grant Type).
- The Hybrid flow is only partially implemented by OAuthSD. This method is little used and can be advantageously replaced by a succession of calls to the first two.