Dell™ One Identity Cloud Access Manager 8.1 - How to Develop OpenID Connect Apps
What is OAuth v2.0?
What is OpenID® Connect?
OpenID® Connect ID Token
OpenID® Connect Token signing
OAuth v2.0 and OpenID® Connect response types
Obtaining claims from Cloud Access Manager
OpenID® Connect discovery
When would you use OAuth v2.0 and OpenID® Connect?
Using the OpenID® Connect Flow Test Tool
Legal notices
Client machine
Cloud Access Manager administration
Exchanging set up information between Cloud Access Manager and client machine
Cloud Access Manager administration
Client machine
Building your OpenID® Connect client
Example: Providing OpenID® Connect SSO to a Salesforce.com Auth Provider
Dell™ One Identity Cloud Access Manager 8.1 - How to Develop OpenID Connect Apps
What is OAuth v2.0?
OAuth v2.0 is a standard for securely granting access to a web resource. With OAuth v2.0, an application (the client) can ask a service (the authorization server) for permission to access a private resource hosted on a resource server, and owned by an end-user (the resource owner). To grant permission to access the resource, the authorization server must authenticate the resource owner and obtain his consent.
The specification for OAuth v2.0 is available to view online at https://tools.ietf.org/html/rfc6749 which contains this example:
OAuth v2.0 flows
|
• |
Authorization Code Flow
① The client initiates the flow by directing the user's browser to the authorization endpoint, adding querystrings to the URI as follows:
|
Set to “code” to request that the Authorization Server initiate an Authorization Code flow. | |
|
Used to determine what resources are being requested from the Resource Server. | |
② Cloud Access Manager authenticates the user (using the browser) and establishes whether the user grants or denies the client's access request.
③ Assuming the user grants access, Cloud Access Manager redirects the browser back to the client using the redirection URI provided earlier. The redirection URI includes an authorization code and any local state provided by the client.
④ The client requests an access token from Cloud Access Manager's token endpoint by including the authorization code received in the previous step. When making the request, if it is a confidential client (see below) the client authenticates with Cloud Access Manager using HTTP basic authentication (with the Client ID as the username and the Shared Secret as the password). The client includes the redirection URI used to obtain the authorization code for verification.
⑤ Cloud Access Manager authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step ③. If valid, Cloud Access Manager responds with an access token. The access token can then be used to access the required resource.