February 2012
Beginner to intermediate
78 pages
2h 13m
English
Content preview from Getting Started with OAuth 2.0Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Obtaining User Authorization
The process of obtaining user authorization for OpenID Connect is nearly identical to the process of obtaining authorization for any OAuth 2.0 enabled API. You can use either the client-side implicit flow (as described in Chapter 3) or the server-side web app flow (as described in Chapter 2).
As with any usage of these flows, the client generates a URL pointing at the OAuth Authorization Endpoint and redirects the user to that URL. The following parameters are passed:
client_idThe value provided to you when you registered your application.
redirect_uriThe location the user should be returned to after they approve the authentication request.
scopeopenidfor a basic OpenID Connect request. If your client needs access to additional profile information for the user, additional scopes can be profiled in this space-delimited string:profile,email,address.response_typeid_tokento indicate that anid_tokenis required for the application. Additionally, a response type oftokenorcodemust be included, separating the two response types by a space.tokenindicates the client-side Web Application flow, whilecodeindicates the server-side Web Application flow.nonceA unique value used by your application to protect against replay and cross-site request forgery (CSRF) attacks on your implementation. The value should be a random unique string for this particular request, unguessable and kept secret in the client (perhaps in a server-side session). This identical value ...