[Figure: sequence diagram. Only its text labels survive; they are grouped below.]

Participants:
  End user (Resource Owner)
  User-Agent
  OIDC Client
  OIDC Provider
  Selected IDP Service option
  Additional Info Supplementary Service (Resource Server)

Other labels: OIDC GUI; re-direct (repeated on the redirected messages)

Endpoints: /login, /authorize, /session, /idp, /auth, /consent, /scopes, /token, /userinfo, /introspect

Messages, in numbered order:
  1: click login; 1: login request
  2: redir: authorize request; 2: authorize request
  3: redir: auth request; 3: auth request
  4: get session params
  5: idp selector; 5: interact with selector gui
  6: idp init request
  7: init idp session
  8: idp init response
  9: idp gui
  10: idp auth; 10: interact with idp gui
  11: auth response
  12: redir: consent request
  13: consent request
  14: get scopes
  15: consent gui; 15: interact with consent gui
  16: consent response
  17: redir: authorize response
  18: authorize response
  19: get access token
  20: userinfo request
  21: validate access token
  22: get additional info
  23: userinfo response
  24: login response

Notes on the diagram:
  Open session with OIDC Provider
  Analyze OIDC session params to determine IDP handling
  Open session with IDP service
  Complete session with IDP service
  Analyze OIDC session scopes
  Close session with OIDC Provider and return ID Token (hybrid flow)
  User is authenticated with OIDC Provider via selected IDP Service
  IDP Service re-directs back to OIDC Provider
  User is authenticated and has given consented access to additional info
  Return Access Token to be used in request for additional info
  Retrieve additional info on user based on consent