identity 1.0 documentation

OpenID Connect Implicit Client Profile 1.0

Draft 10, http://openid.net/specs/openid-connect-implicit-1_0.html

Abstract

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect Implicit Client Profile 1.0 is a profile of the OpenID Connect Messages 1.0 and OpenID Connect Standard 1.0 specifications that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth implicit grant type. This specification intentionally duplicates content from the Messages and Standard specifications to provide a self-contained implementation profile for basic Web-based Relying Parties using the OAuth implicit grant type.

OpenID Providers and non-Web-based applications should instead consult the Messages and Standard specifications.

(draft 10, http://openid.net/specs/openid-connect-implicit-1_0.html)

2.1.5.1. End-User Grants Authorization

If the Resource Owner grants the access request, the Authorization Server issues an Access Token and delivers it to the Client by adding the following parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format as defined in Section 4.2.2 of OAuth 2.0 [RFC6749] and OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses].

In the Implicit Flow, the entire response is returned in the fragment component of the redirect URI, as defined in 4.2.2 of OAuth 2.0 [RFC6749].

access_token
    REQUIRED. Access Token for the UserInfo Endpoint.

token_type
    REQUIRED. OAuth 2.0 Token Type value. The value MUST be Bearer or another token_type value that the Client has negotiated with the Authorization Server. Clients implementing this profile MUST support the OAuth 2.0 Bearer Token Usage [RFC6750] specification. This profile only describes the use of bearer tokens.

id_token
    REQUIRED. ID Token.

state
    OAuth 2.0 state value. REQUIRED if the state parameter is present in the Client Authorization Request. Clients MUST verify that the state value is equal to the exact value of the state parameter in the Authorization Request.

expires_in
    OPTIONAL. Expiration time of the Access Token in seconds since the response was generated.

The Client can then use the Access Token to access protected resources at Resource Servers.

The following is a non-normative example (line wraps are for display purposes only):

HTTP/1.1 302 Found
Location: https://client.example.org/cb#
  access_token=SlAV32hkKG
  &token_type=bearer
  &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
  &expires_in=3600
  &state=af0ifjsldkj

(draft 09, http://openid.net/specs/openid-connect-implicit-1_0.html#implicit_ok)

2.1.5.3. Example Redirect URI Response

The Client must provide a way for the User-Agent to parse the fragment encoded response and post it to the Web Server Client for validation.

The following is an example of a JavaScript file that a Client might host at its redirect_uri. This is loaded by the redirect from the Authorization Server. The fragment is parsed and then sent by POST to a URI that will validate the information received.

The following is a non-normative example of a Redirect URI response:

GET /cb HTTP/1.1
Host: client.example.org

HTTP/1.1 200 OK
Content-Type: text/html
<script type="text/javascript">

// First, parse the fragment component of the URL
// (the Implicit Flow response is carried in the fragment, not the query string)
var params = {}, postBody = location.hash.substring(1),
    regex = /([^&=]+)=([^&]*)/g, m;
while ((m = regex.exec(postBody)) !== null) {
  params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);
}

// And send the token over to the server
var req = new XMLHttpRequest();
// using POST so the response parameters aren't logged in a query string
req.open('POST', 'https://' + window.location.host +
                 '/catch_response', true);
req.setRequestHeader('Content-Type',
                     'application/x-www-form-urlencoded');

req.onreadystatechange = function (e) {
  if (req.readyState == 4) {
    if (req.status == 200) {
      // If the response from the POST is 200 OK, redirect the user
      window.location = 'https://'
        + window.location.host + '/redirect_after_login';
    }
    // if the OAuth response is invalid, generate an error message
    else if (req.status == 400) {
      alert('There was an error processing the token');
    } else {
      alert('Something other than 200 was returned');
    }
  }
};
req.send(postBody);
</script>

(draft 10, http://openid.net/specs/openid-connect-implicit-1_0.html#implicit_callback)
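The parameter rules of Section 2.1.5.1 and the fragment parsing of the callback script in Section 2.1.5.3, as an added example that is not part of the specification text: a stand-alone parser and validator a Client could run before posting the fragment to the Web Server Client. Assumed (not defined on the page): expectedState is the state value the Client stored when it built the Authorization Request, and the id_token in the constructed sample is a placeholder for the elided token.

```javascript
// Added example (not specification text): parse an Implicit Flow fragment
// response and check the Section 2.1.5.1 rules before forwarding it.

function parseFragment(hash) {
  // The fragment is application/x-www-form-urlencoded, so URLSearchParams
  // decodes it correctly ('+' as space, %XX escapes).
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const search = new URLSearchParams(raw);
  const params = {};
  for (const name of new Set(search.keys())) {
    // A parameter sent twice is ambiguous; reject rather than pick one.
    if (search.getAll(name).length > 1) {
      throw new Error('duplicate parameter: ' + name);
    }
    params[name] = search.get(name);
  }
  return params;
}

// expectedState: the state the Client stored with the Authorization
// Request (assumption); pass undefined if no state was sent.
function validateImplicitResponse(params, expectedState) {
  const errors = [];
  // access_token and id_token are REQUIRED and must be non-empty.
  for (const name of ['access_token', 'id_token']) {
    if (!params[name]) errors.push('missing ' + name);
  }
  // token_type is REQUIRED; this profile only describes bearer tokens.
  // RFC 6749 treats token_type as case-insensitive, which is why the
  // spec example carries 'bearer' while the text says 'Bearer'.
  if (!params.token_type) {
    errors.push('missing token_type');
  } else if (params.token_type.toLowerCase() !== 'bearer') {
    errors.push('unsupported token_type: ' + params.token_type);
  }
  // state is REQUIRED when the request carried one and MUST match exactly.
  if (expectedState !== undefined && params.state !== expectedState) {
    errors.push('state mismatch');
  }
  // expires_in is OPTIONAL but must be a positive integer when present.
  if (params.expires_in !== undefined && !/^[1-9][0-9]*$/.test(params.expires_in)) {
    errors.push('invalid expires_in');
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample: the fragment from the spec example, with the
// elided id_token replaced by a placeholder.
const SAMPLE_HASH = '#access_token=SlAV32hkKG&token_type=bearer'
  + '&id_token=ID_TOKEN_PLACEHOLDER&expires_in=3600&state=af0ifjsldkj';
```

Only a response that passes validateImplicitResponse should be posted to /catch_response; the server still has to validate the ID Token itself.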
