Reputation: 1024
OpenIDConnect Response Type Confusion
I've spend the last few days reading through all the specs with regards to OAuth2 and OpenIDConnect and implementing a test client using Thinktecture Identity Server. I've also followed several pluralsight courses and I think understand the main gist of it. However i'm still extremely confused about the Response Types.
OpenIDConnect spec specifies that the Hybrid flow response types are a combination of "code", "id_token" and "token". I understand the "id_token" allows us to get access to basic id information initially.
I also understand code" refers to the authorization code and "token" refers to an access token and combining "code" with one or both of the other two triggers the flow but my understanding was that you swap an authorization code for an access token in the Authorization flow, while the Implicit flow supplies the Access Code implicitly?
Could someone clear up my confusion?
Upvotes: 21
Views: 29628
Answers (4)
Reputation: 28435
To understand the possible relationships between Response Types and Grant Types see IdentityServer4\Constants.cs
public static readonly Dictionary<string, string> ResponseTypeToGrantTypeMapping = new Dictionary<string, string>
{
{ OidcConstants.ResponseTypes.Code, GrantType.AuthorizationCode },
{ OidcConstants.ResponseTypes.Token, GrantType.Implicit },
{ OidcConstants.ResponseTypes.IdToken, GrantType.Implicit },
{ OidcConstants.ResponseTypes.IdTokenToken, GrantType.Implicit },
{ OidcConstants.ResponseTypes.CodeIdToken, GrantType.Hybrid },
{ OidcConstants.ResponseTypes.CodeToken, GrantType.Hybrid },
{ OidcConstants.ResponseTypes.CodeIdTokenToken, GrantType.Hybrid }
};
Upvotes: 20
Reputation: 415
https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660#9401
6. response_type=code token
When the value of response_type is code token, an authorization code and an access token are issued from the authorization endpoint, and an access token is issued from the token endpoint. In addition, if openid is included in the scope request parameter, an ID token is issued from the token endpoint, too.
Both the authorization endpoint and the token endpoint issue an access token, but the contents of the access tokens are not always the same. Regarding this, “3.3.3.8. Access Token” in OpenID Connect Core 1.0 says as follows:
If an Access Token is returned from both the Authorization Endpoint and from the Token Endpoint, which is the case for the response_type values code token and code id_token token, their values MAY be the same or they MAY be different. Note that different Access Tokens might be returned be due to the different security characteristics of the two endpoints and the lifetimes and the access to resources granted by them might also be different.
Upvotes: 0
Reputation: 683
Your thoughts about Authorization Code Flow and Implicit Flow are right. But I think you are over-complicating the hybrid flow. When using hybrid you just simply can get both code and id_token.
After that, either you can grab code and exchange it for access token or just use the id_token (or access token) directly. Both approaches have their own flaws, especially in terms of security.
Upvotes: 1
Reputation: 53928
The following statements that you made are correct:
coderefers to the Authorization Codetokenrefers to an Access Token or (access_token)- in the Authorization Code flow one switches the
codefor anaccess_token
But part of your confusion may originate from terminology mixup:
- the term Authorization flow is not entirely correct; its official name is Authorization Code flow
- the term Access Code does not exist
- the Implicit flow does not have an Authorization Code (nor Access code) in fact there's no credential (or grant) involved at all that allows the Client to get tokens from the Token endpoint, hence it's name
As @juanifioren pointed out, Hybrid flows combine things:
- the
code id_tokenflow would get acodeandid_tokenin the Authentication Response directly but you'd use thecodeto get anaccess_tokenfrom the Token endpoint - the
code tokenflow would get acodeandaccess_tokenin the Authentication Response directly but you'd use thecodeto get anid_tokenand possibly anotheraccess_tokenin the backend from the Token endpoint - the
code id_token tokenflow would get acode,access_tokenand anid_tokenin the Authentication Response directly and you could use thecodein the backend to get anotheraccess_tokenfrom the Token endpoint
Getting an access_token from the Token endpoint differs from getting it from the Authorization endpoint because the confidential clients authenticate themselves to the Token endpoint (and not to the Authorization endpoint). Hence the access_token for the confidential part of the client might have more permissions and or a longer life.
See also a short thread on the spec mailing list on this topic: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150209/005229.html
Upvotes: 38
Related Questions
- grant_type vs response_type in OAuth2.0/OIDC
- Microsoft OpenIdConnect Owin Response
- oAuth Client - change response_type
- response_type and grant_type in OAuth2.0/OIDC specifications
- How to set oidc ResponseType to get both claims and access_token?
- Open ID Connect Multiple response types
- OpenID Connect: Is it an error to request scope openid with response_type token
- ASP.Net Identity 2 - custom response from OAuthAuthorizationServerProvider
- IdentityServer3 rejecting responsetypes that appear in openid "wellknown" configuration
- Usage of response_type="code token" in OAuth 2?