There are several
How it works
In the below diagram:
User: This represents the end user who is attempting to log in or authenticate with your application.
Your Application: This is your application, which initiates the authentication process with the OIDC Identity Provider.
OIDC Identity Provider (IdP): The Identity Provider is the OIDC service responsible for verifying the user's identity and providing the necessary tokens for authentication.
Here's a step-by-step breakdown of the flow:
- The user initiates the login process by clicking on the login button within your application.
- Your application sends an authorization request to the OIDC Identity Provider by making an HTTP request to the /authorize endpoint.
- The OIDC Identity Provider responds by asking the user for authorization. The user confirms their identity.
- Upon successful confirmation, the OIDC Identity Provider issues an authorization code to your application.
- Your application then exchanges this authorization code for both an ID Token and an Access Token by making another HTTP request to the /token endpoint of the identity provider.
- The OIDC Identity Provider responds by providing the ID Token and Access Token to your application.
- With these tokens, your application can now consider the user as logged in and provide access to the protected resources.
Access Tokens vs ID Tokens
Access Tokens come from the
ID Tokens come from
What to do in your application
The first step is to request authorization from the user. To do this you will need to create an authorization url for the user to click on. Your OIDC identity provider (IdP) should provide the authorization endpoint but you will need to add additional parameters to this URL:
The authorization URL follows the format below:
Other parameters such as state, code_challenge_method and code_challenge may be set for higher security, but the above are the minimum required. You can see an example here
|response_type||Set this to |
|scope||Set this to |
The fallback content to display on prerenderingfrom the /token endpoint.
|client_id||This is a unique identifier for your application after registering it with an identity provider.|
|redirect_uri||Location to send your user after successfully authorizing.|
When a user taps on the authorization URL, authorization begins. The user is sent to the identity provider to confirm login.
If you are using the Beyond Identity Hosted Web Authenticator, all you need to do is add a button for your user with the authorization URL to start the sign in flow.
After the user confirms login, the identity provider redirects back to your application with the authorization code.
Take the authorization code and make a request to the identity provider's token endpoint. This is called the