Chatta subito con l'assistenza
Chat con il supporto

Cloud Access Manager 8.1.2 - How To Develop OpenID Connect Apps

Implicit Flow

You would use this method if your OAuth client was a web application written in JavaScript code which runs in the browser, rather than on a server. In this case, the client app cannot be reliably authenticated (because the client credentials would be accessible to the resource owner and other applications running on the same device as the client). Like the Authorization Code Flow, it too relies on a browser.

The client initiates the flow by directing the user's browser to the authorization endpoint, adding querystrings to the URI as follows:

Table 2. Implicit Flow querystrings
Querystrings
Description

response_type:

Set to “token” to request that the Authorization Server initiate an Implicit Flow.

client_id:

A unique identifier generated by Dell™ One Identity Cloud Access Manager for the client when the application definition is configured.

redirect_uri:

The URI which Cloud Access Manager will redirect the user’s browser to, when authorization processing is complete.

scope (optional):

Used to determine what resources are being requested from the Resource Server.

state (optional):

A value which the client can use to maintain state between request and callback. This can be used to prevent cross-site request forgery.

Cloud Access Manager authenticates the user (using the browser) and establishes whether the user grants or denies the client's access request.

Assuming the user grants access, Cloud Access Manager redirects the browser back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment, for example.

http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600

The browser follows the redirection instructions by making a request to the web-hosted client resource (which does not include the fragment). The browser retains the fragment information locally.

The web-hosted client resource returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the browser, and extracting the access token (and other parameters) contained in the fragment.

The browser executes the script provided by the web-hosted client resource locally, which extracts the access token.

The browser passes the access token to the client. The access token can then be used to access the required resource.

Approval

Dell™ One Identity Cloud Access Manager does not explicitly prompt the resource owner to approve the client’s request to access a resource. The user is assumed to have given his/her consent in an enterprise context, where resources are not owned by an individual, but by the organization of which that individual is a member.

OAuth v2.0 client types

When configuring your OAuth v2.0 application in Dell™ One Identity Cloud Access Manager, you are required to select its Client Type. OAuth v2.0 specifies two client types: public and confidential. Your choice determines whether Cloud Access Manager will enforce authentication on the client connection.

public

Applications which run in an environment in which the confidentiality of client credentials cannot reliably be protected. Generally, this would include JavaScript applications which execute in the browser, and native applications which run on the end-user’s device. For public client types, Cloud Access Manager does not authenticate the client.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione