...

  1. The end-user navigates the OIDC Client via the User-Agent and selects a login action.
  2. The OIDC Client redirects the User-Agent to the OIDC Provider with a standardized Authorize request. The OIDC Client regains control in step 20, when the User-Agent is redirected back to the designated redirect URL.
  3. The OIDC Provider opens a session and redirects the User-Agent with an authentication request to the designated URL for GUI handling, which in this case corresponds to the default GUI component. Parameters of the request identify the session in progress.
  4. The GUI component requests parameters from the OIDC Provider for the session in progress to determine whether the OIDC Client has pre-selected a specific IDP or whether a selector dialog should be shown to the end-user.
  5. An IDP selector dialog is shown to the end-user.
  6. The GUI component sends an init request to the OIDC Provider for the selected IDP Service.
  7. The OIDC Provider sends a corresponding init request to the selected IDP Service, which opens a session and responds with the parameters needed to launch the GUI for that IDP.
  8. The OIDC Provider returns these parameters to the GUI component.
  9. The GUI component delivers the GUI for the selected IDP to the User-Agent.
  10. The end-user interacts with the IDP GUI, which in turn communicates with the IDP Service. Note that the OIDC Client is kept out of this dialogue so that a malicious OIDC Client cannot replay the authentication exchange.
  11. After completing the session with the IDP Service, the User-Agent is redirected back to the OIDC Provider with an authentication response. The end-user is now authenticated.
  12. The OIDC Provider redirects the User-Agent to the GUI component for consent handling.
  13. The GUI component requests from the OIDC Provider the set of scopes and claims that the OIDC Client has requested for the session in progress. In the example shown, the requested scopes are associated with the TINFO Service.
  14. The GUI component sends an init request to the OIDC Provider for the TINFO Service.
  15. The OIDC Provider sends a corresponding init request to the TINFO Service, which opens a session for consent handling and responds with the parameters needed to launch the GUI for the TINFO Service.
  16. The OIDC Provider returns these parameters to the GUI component.
  17. The GUI component delivers the GUI for the TINFO Service to the User-Agent.
  18. The end-user interacts with the TINFO GUI, which in turn communicates with the TINFO Service.
  19. After consent handling for the TINFO Service, the User-Agent is redirected back to the OIDC Provider. The ID Token for the authenticated user is now composed according to the requested scopes.
  20. The ID Token is returned to the OIDC Client in a standardized Authorize response via a redirect of the User-Agent, corresponding to the OpenID Connect hybrid flow. An authorization code is returned in the same response and is exchanged in the next step for an Access Token. Before using the code, the OIDC Client must validate the ID Token (issuer, audience, expiry, signature and nonce) and check that the code is bound to it through the c_hash claim.
  21. The OIDC Client sends a standardized Token request directly to the OIDC Provider to exchange the authorization code from the previous step for an Access Token. In the example shown, the OIDC Provider returns an Access Token that grants access to the TINFO Service over the Userinfo endpoint in the next step. Note that the Token request is a back-channel call that does not go through the User-Agent, so neither the code exchange nor the Access Token is exposed to the browser.
  22. The OIDC Client sends the Access Token from step 21 in a standardized Userinfo request to the OIDC Provider to get access to the TINFO Service. The Access Token is a bearer token: presenting it is proof of the end-user's authorization, so whoever holds it can use it. It must therefore only be sent over TLS and must never be exposed to the User-Agent or written to logs.
  23. The OIDC Provider validates the Access Token via a standardized Introspect request.
  24. After successful validation of the Access Token, the additional information in question is returned to the OIDC Client in a standardized Userinfo response.
  25. The OIDC Client returns to the User-Agent a page showing the response of the login request along with any additional information that was retrieved.
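The following Python program is an added example and not code from the OIDC Provider described on this page. It drives steps 2 and 20 of the flow offline from the OIDC Client's side: it builds the hybrid-flow Authorize request, mints an ID Token in the role of the OIDC Provider, and validates the Authorize response before the authorization code would be exchanged in step 21. The issuer, client id, redirect URL, the `tinfo` scope name and the HS256 shared secret are assumptions made for the example; a production OIDC Provider signs ID Tokens with an asymmetric algorithm such as RS256 and publishes its keys via JWKS, and a real client would use a maintained JWT library. What the example shows that the step list does not is the set of checks that make the hybrid flow safe: the state check against CSRF, the nonce check against ID Token replay, and the c_hash check that binds the authorization code to the ID Token so that a spliced-in code is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the page names no endpoints, client ids or keys.
ISSUER = "https://op.example"                # assumed OIDC Provider issuer
CLIENT_ID = "tinfo-demo-client"              # assumed client registration
REDIRECT_URI = "https://client.example/cb"   # assumed redirect URL (step 2)
SHARED_SECRET = b"constructed-hs256-secret"  # demo HS256 key; real OPs use RS256/ES256 via JWKS


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_request(state: str, nonce: str) -> str:
    """Step 2: hybrid-flow Authorize request (response_type=code id_token)."""
    params = {
        "response_type": "code id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid tinfo",  # 'tinfo' as a scope name is an assumption
        "state": state,           # ties the response to this browser session
        "nonce": nonce,           # echoed in the ID Token, defeats token replay
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def c_hash(code: str) -> str:
    """OIDC Core c_hash: base64url of the left half of SHA-256(code); SHA-256 matches HS256/RS256."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(claims: dict) -> str:
    """Stand-in for the OIDC Provider in step 19: an HS256 JWS (demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_authorize_response(url: str, state: str, nonce: str, now: int) -> tuple:
    """Step 20: what the OIDC Client must check before the Token request of step 21.

    Returns (code, claims); raises ValueError on any failed check."""
    frag = parse_qs(urlparse(url).fragment)  # hybrid flow answers in the URL fragment
    if "error" in frag:
        raise ValueError(f"authorize error: {frag['error'][0]}")
    if not hmac.compare_digest(frag.get("state", [""])[0], state):
        raise ValueError("state mismatch: CSRF or mixed-up response")
    if "code" not in frag or "id_token" not in frag:
        raise ValueError("missing code or id_token")
    code, id_token = frag["code"][0], frag["id_token"][0]
    h64, p64, s64 = id_token.split(".")
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the alg; never trust the header's choice
    expected = hmac.new(SHARED_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad ID Token signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # single audience here; a list must contain CLIENT_ID
        raise ValueError("ID Token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID Token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed ID Token")
    if claims.get("c_hash") != c_hash(code):
        raise ValueError("c_hash mismatch: code was not issued with this ID Token")
    return code, claims


def run_flow(now: int = 1_700_000_000, swap_code: bool = False) -> str:
    """Drives both sides offline; returns "ok" or the reason the client refused.

    swap_code=True simulates an attacker splicing a different authorization
    code into the redirect (code injection), which the c_hash check must catch."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    build_authorize_request(state, nonce)  # the URL the User-Agent is sent to
    code = secrets.token_urlsafe(24)       # issued by the OP in step 20
    id_token = mint_id_token({
        "iss": ISSUER, "sub": "user-1234", "aud": CLIENT_ID,
        "iat": now, "exp": now + 300, "nonce": nonce, "c_hash": c_hash(code),
    })
    delivered = secrets.token_urlsafe(24) if swap_code else code
    url = f"{REDIRECT_URI}#{urlencode({'code': delivered, 'id_token': id_token, 'state': state})}"
    try:
        validate_authorize_response(url, state, nonce, now)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    print("honest redirect:", run_flow())
    print("spliced code   :", run_flow(swap_code=True))
```

Running the script prints `ok` for the honest redirect and a `c_hash mismatch` refusal for the spliced one. The same validation order applies with an RS256 token: verify the signature first against the provider's published key, then the claims, then c_hash, and only then let the code leave the client on the back channel.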


Note

The GUI for BankID on Mobile is currently handled by the default OIDC GUI itself. Hence, steps 7-11 are currently not implemented as shown for this IDP.

The GUI for the TINFO Service is currently handled by the default OIDC GUI itself. Hence, steps 14-19 are currently not implemented as shown for the TINFO Service.

The TINFO Service is currently handled inside the OIDC Provider itself. Hence, steps 22-24 are currently not implemented as shown.