The figure below shows a simplified view of the authorization code flow for the OpenID Connect Provider from BankID. The following core concepts concern various parts of this message flow.
...
The flow consists of the following steps, some of which are optional. Note that this example corresponds to the OAuth2 authorization code flow. The other OAuth2 flows (implicit and hybrid) are not supported.
- The end-user selects a user action at the OIDC Client that involves identification.
- The OIDC Client requests identification via the OIDC Provider at the authorize endpoint. The OIDC Client needs to authenticate itself in this request. A set of Scopes is also provided in this request to specify the requested Claims in the resulting ID Token and/or to request an Access Token to gain subsequent access to a Value-added Service (VAS).
- The OIDC Provider sends an authentication request on to the Identity Provider (IDP) in question. The default IDP user experience without any customization is used in this case.
- The IDP replies back to the OIDC Provider after successful authentication of the end-user.
- If the requested Scopes demand Consent Handling, control is relayed on to the corresponding VAS-module in the OIDC Provider. The default Consent user experience without any customization is used in this case.
- The VAS-module returns control back to the OIDC Provider after Consent Handling.
- The OIDC Provider returns an authorization code in the authorize response back to the OIDC Client.
- The OIDC Client requests the tokens via the OIDC Provider at the token endpoint, using the code provided. The OIDC Client needs to authenticate itself in this request.
- The OIDC Provider responds with the issued tokens:
  - an Access Token corresponding to the requested Scopes and according to the result of Consent Handling in a preceding step.
  - an ID Token containing Claims according to the requested Scopes. The ID Token is signed to preserve its integrity.
- The OIDC Client requests VAS-specific data using the Access Token to gain access.
- The VAS-service in question requests validation of the Access Token via the OIDC Provider at the introspection endpoint.
- The OIDC Provider responds with the result of the token validation.
- The VAS-service responds with the requested VAS-data if validation of the Access Token was successful.
- The OIDC Client has identified the end-user along with VAS-specific data and resumes its business logic.
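The introspection step above is where the VAS decides whether to release any data. As an added example (not code from BankID's documentation or provider), the function below evaluates an introspection response in the RFC 7662 shape and denies by default on an inactive token, a missing or expired `exp`, a foreign audience, or a missing scope. The sample responses, scope names and audience values are constructed; requiring `exp` is a policy assumption, since RFC 7662 makes that field optional.

```python
import json
from typing import Tuple

# Constructed fixed "current time" so the example is deterministic.
NOW = 1_700_000_000

# Constructed introspection responses in the RFC 7662 shape (not real BankID output).
ACTIVE_RESPONSE = json.dumps({
    "active": True,
    "scope": "openid profile vas:address",   # space-separated list, per RFC 7662
    "client_id": "example-client",
    "aud": ["vas-address", "vas-other"],     # aud may be a single string or a list
    "exp": NOW + 300,
})
EXPIRED_RESPONSE = json.dumps({
    "active": True, "scope": "openid vas:address",
    "client_id": "example-client", "aud": "vas-address", "exp": NOW - 600,
})
INACTIVE_RESPONSE = json.dumps({"active": False})


def introspection_allows(raw: str, required_scope: str, expected_aud: str,
                         now: int = NOW, skew: int = 30) -> Tuple[bool, str]:
    """Decide whether the VAS may release data for the presented Access Token.

    Returns (allowed, reason). Every check denies by default: the VAS only
    answers with data when all of them pass. 'skew' tolerates small clock
    differences between the OIDC Provider and the VAS.
    """
    try:
        info = json.loads(raw)
    except ValueError:
        return False, "introspection response is not valid JSON"
    if info.get("active") is not True:   # 'active' is the only field RFC 7662 requires
        return False, "token is not active"
    exp = info.get("exp")
    if not isinstance(exp, int):         # policy assumption: an expiry must be present
        return False, "missing or malformed exp"
    if exp + skew <= now:
        return False, "token expired"
    aud = info.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in aud_list:     # token was issued for a different VAS
        return False, "token not issued for this VAS"
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:    # consent or request did not cover this scope
        return False, f"scope {required_scope} not granted"
    return True, "ok"
```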
...