Reputation: 8582
I don't understand the 1 part.

For example, I have a website asdf.com and use Google as the OP, so I have a "login with Google" button on my website with a link (something like https://account.google.com/XXX?return_url=asdf.com) to the Google site.

So the user will click this button to log in, so I think step 1 should be enduser -> OP? Why RP -> OP?
Upvotes: 5
Views: 7624
Reputation: 4467
Yes, I would say you are right: the first request to the OP comes from the end user.

The RP normally builds the request to the OP's authorise endpoint, but it then either redirects the end user's browser to that endpoint (e.g. via an HTTP 302 response) or it places the built URL as an action on a link/button on the HTML page returned from the RP to the end user.

This appears to be missing from the diagram.
Upvotes: 0
Reputation: 116868
Let's look at this in pieces; might as well take them all. This is called the OAuth2 dance or three-legged OAuth2 flow. There are three steps in the dance to get authorization. There are two main players, the Client Application and the Authentication server, with the resource owner playing a side role.

Step 1:

[Client Application] contacts Authentication server. Says: I have a user who would like to consent to login to my application.

[Authentication server] Sure, no problem. The user must login first, then I will display them a consent screen.
https://accounts.google.com/o/oauth2/auth?client_id={clientid}.apps.googleusercontent.com&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=https://www.googleapis.com/auth/analytics.readonly&response_type=code
[Resource owner (user)] Hits consent.
Step 2:
[Authentication server] responds to the client: Hey, your user says you can access this; here is an authorization code.

[Client Application] Thanks for the authorization code. Here, have it back, along with my client id and secret (client id and secret are basically login and password for the client, identifying it to the authorization server). This should verify to you that I am me.

https://accounts.google.com/o/oauth2/token code=4/X9lG6uWd8-MMJPElWggHZRzyFKtp.QubAT_P-GEwePvB8fYmgkJzntDnaiAI&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code

Step 3:

[Authentication server] Awesome, looks like you. Here, have an access token and possibly a refresh token as well.
Comments:
OpenID Connect is basically built on top of OAuth2; the main difference is that the scope you send is openid.

You can test it here if you want, for fun: OAuth2 playground
Upvotes: 6
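The three steps above, written from the RP's side as an added example (not code from either answerer). The two Google endpoint URLs are the ones quoted in the answer; the client id, redirect URI and callback values are constructed placeholders. Beyond the raw URLs in the answer, it adds the state, nonce and PKCE parameters that tie the step 1 redirect to the browser session, and it checks state before the code is sent on to the token endpoint.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google endpoints as quoted in the answer; client details used below are placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorize_url(client_id, redirect_uri, state, nonce, code_challenge):
    # Step 1: the RP builds this URL and 302-redirects the end user's browser to it,
    # so the request that actually reaches the OP comes from the browser, not the RP.
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",           # 'openid' is what makes this an OIDC request
        "state": state,                    # stored in the RP session; checked on callback
        "nonce": nonce,                    # echoed in the ID token; detects replayed tokens
        "code_challenge": code_challenge,  # PKCE: binds the code to this RP instance
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    # Step 2: the OP sends the browser back to redirect_uri with ?code=...&state=...
    # Reject the callback unless state matches the value saved for this session.
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not tied to this session (CSRF)")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]

def build_token_request(code, client_id, client_secret, redirect_uri, code_verifier):
    # Step 2, back channel: the RP POSTs the code straight to the token endpoint,
    # authenticating with its client secret; the browser never sees this exchange.
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,    # must equal the one used in step 1
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,  # OP recomputes S256 and compares to the challenge
    }
    return TOKEN_ENDPOINT, urlencode(body)
```

Step 3 is the OP's response to that POST (access token, ID token, optionally a refresh token); the ID token's nonce claim is then compared against the nonce saved in step 1.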