saeedprogrammer edited this page May 9, 2021 · 5 revisions

Welcome to the OpenID-with-iOS wiki!

  • OAuth2 (Open Authorization) is a protocol for token-based authorization: it lets a client obtain a limited access-token to call APIs on a user's behalf, without the client ever handling the user's password.

  • OIDC (OpenID Connect) is an authentication (identity) layer built on top of OAuth2: it reuses the OAuth2 flows and adds an ID token (a signed JWT) that tells the app who the user is.


OAuth2:

Main components:

  • Access-token
  • Authorization server
  • Resource server
  • Scopes
  • Flows

Authorization server:

The main engine of OAuth. It authenticates the user and grants:

  • authorization-code: using the /oauth2/authorize endpoint (the user logs in here, in the browser, and the code comes back on the redirect URI)
  • access-token: using the /oauth2/token endpoint, by passing the authorization-code to it

The exact paths are provider-specific; /authorize and /token are the conventional names.

Resource server:

It hosts the APIs. These APIs require a valid access-token on every request (normally sent as a Bearer token in the Authorization header) and reject calls whose token is missing, expired, or lacks the needed scope.

Scopes:

A scope is a permission granted to a client that allows it to access certain resources and prevents it from accessing others. So, if a client holds a token with only the READ scope and tries to call an API endpoint that requires WRITE access, the call fails: the resource server answers 403 with the error `insufficient_scope` (RFC 6750), as opposed to 401 `invalid_token` for a missing or expired token.
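The scope check described above, as an added example that is not part of the OpenID-with-iOS wiki. The token structure, the endpoint table and the scope names "read"/"write" are assumptions made for illustration; a real resource server first validates the token itself (JWT signature or token introspection) before reaching this step.

```python
# Added example (not part of the OpenID-with-iOS wiki): a minimal resource
# server check that enforces scopes on a presented access token. The token
# structure, the endpoint table and the "read"/"write" scope names are
# assumptions made for illustration; a real resource server first validates
# the token itself (JWT signature or token introspection) before this step.
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    subject: str        # the resource owner the token was issued for
    scopes: frozenset   # scopes granted by the authorization server
    expires_at: float   # unix time after which the token is invalid


# Hypothetical mapping of API endpoints to the scope each one requires.
REQUIRED_SCOPE = {
    ("GET", "/notes"): "read",
    ("POST", "/notes"): "write",
    ("DELETE", "/notes"): "write",
}


def handle_request(token, method, path, now=None):
    """Return (HTTP status, body) as a bearer-token protected endpoint would.

    Error codes follow RFC 6750: a missing or expired token is 401 invalid_token,
    a valid token that lacks the needed scope is 403 insufficient_scope.
    """
    now = time.time() if now is None else now
    if token is None or token.expires_at <= now:
        return 401, {"error": "invalid_token"}
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return 404, {"error": "not_found"}
    if required not in token.scopes:
        return 403, {"error": "insufficient_scope", "scope": required}
    return 200, {"subject": token.subject, "action": f"{method} {path}"}


# Constructed sample token: READ only, valid for an hour from t=1000.
READ_ONLY = AccessToken("alice", frozenset({"read"}), expires_at=1000 + 3600)

if __name__ == "__main__":
    print(handle_request(READ_ONLY, "GET", "/notes", now=1000))    # status 200
    print(handle_request(READ_ONLY, "POST", "/notes", now=1000))   # status 403
    print(handle_request(READ_ONLY, "GET", "/notes", now=5000))    # status 401
```

The scope check deliberately runs after the expiry check: a caller should never learn which scope an endpoint needs from a token that is not valid in the first place.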

Flows:

  • Implicit Flow (2 Legged OAuth):
  1. Communication to get the access-token is done using the browser, so the access-token is returned from the browser to the app directly in the redirect URL (front-channel).
  2. No refresh token is issued, because the token travels over the front channel. The access-token is not permanent: it expires, and the app has to send the user through the authorize endpoint again to get a new one. Because the token is exposed in the redirect URL, this flow is NOT RECOMMENDED for native apps (RFC 8252); use Authorization Code with PKCE instead.
  • Authorization Code (3 Legged OAuth):
  1. Communication to get the access-token is done in two steps.
    • The browser returns an authorization-code to the app (front-channel).
    • The app then connects to the authorization server and exchanges the authorization-code for an access-token (back-channel).
  2. A refresh token is optionally issued alongside the access-token.
  3. It's more secure, because the access-token is not passed through the browser; the app requests it directly. An iOS app is a public client (it cannot keep a client secret), so the exchange should be protected with PKCE (RFC 7636): the app sends a code_challenge with the authorization request and the matching code_verifier with the token request, so an intercepted code alone cannot be redeemed. The app should also send a random state value and check it on the callback, and the server should accept each code only once.
  • Resource Owner Password:
  1. It's direct authentication between the app and the authorization server; no browser is involved.
  2. The app sends the username/password to the authorization server, and the authorization server returns an access-token (and optionally a refresh token) to the app.
  3. This flow is only for first-party apps, where the app and the service owning the resources belong to the same party (like the Facebook app talking to Facebook), since the app sees the raw password.
  4. A refresh token is not required, but if one is returned the app can use it instead of storing the password. The OAuth 2.0 Security Best Current Practice advises against this grant; prefer Authorization Code with PKCE even for first-party apps.
  • Client Credential:
  1. Server-to-server scenarios: there is no end user. The client authenticates to the /oauth2/token endpoint with its own client_id/client_secret and receives an access-token that represents the client itself, not a user.
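The Authorization Code flow described above, with PKCE and the front-channel/back-channel split, as an added example that is not part of the OpenID-with-iOS wiki. Both sides run in one process so the exchange can be followed end to end: the `AuthorizationServer` class, its in-memory stores, the client id `ios-app` and the custom-scheme redirect URI are assumptions made for illustration, not any provider's real API.

```python
# Added example (not part of the OpenID-with-iOS wiki): a self-contained
# simulation of the Authorization Code flow with PKCE (RFC 7636), both sides
# in one process. The AuthorizationServer class, its in-memory stores, the
# client id "ios-app" and the custom-scheme redirect URI are assumptions made
# for illustration, not any provider's real API.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "ios-app"                                # hypothetical public client
REDIRECT_URI = "com.example.app:/oauth2redirect"     # hypothetical custom scheme


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 method: challenge = base64url(sha256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    def __init__(self):
        self.clients = {CLIENT_ID: {"redirect_uri": REDIRECT_URI}}
        self.codes = {}    # authorization code -> grant (single use)
        self.tokens = {}   # access token -> (subject, scope, expires_at)

    def authorize(self, params, user):
        """/oauth2/authorize (front channel). `user` stands in for the browser
        login; returns the redirect URL that carries the authorization code."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("PKCE with S256 is required for public clients")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
            "scope": params.get("scope", ""), "code_challenge": params["code_challenge"],
            "user": user, "expires_at": time.time() + 60,   # codes are short-lived
        }
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """/oauth2/token (back channel). Exchanges code + code_verifier for tokens."""
        grant = self.codes.pop(form.get("code"), None)    # pop: a code is single use
        if grant is None or grant["expires_at"] < time.time():
            raise ValueError("invalid_grant")
        if (grant["client_id"] != form.get("client_id")
                or grant["redirect_uri"] != form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        expected = pkce_challenge(form.get("code_verifier", ""))
        if not secrets.compare_digest(expected, grant["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = (grant["user"], grant["scope"], time.time() + 3600)
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32), "scope": grant["scope"]}


def try_token(server, form):
    """Return the token response, or None if the server rejects the exchange."""
    try:
        return server.token(form)
    except ValueError:
        return None


def parse_callback(redirect_url, expected_state):
    """Client side: read the code from the callback URL after checking state (CSRF)."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def run_code_flow(server, user="alice", scope="read"):
    """Client side: authorization request -> callback -> back-channel exchange.
    Returns the token response and the form used, so a replay can be attempted."""
    verifier = b64url(secrets.token_bytes(32))            # 43 chars, within RFC 7636 limits
    state = secrets.token_urlsafe(16)
    redirect = server.authorize({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state, "code_challenge_method": "S256",
        "code_challenge": pkce_challenge(verifier),
    }, user)
    code = parse_callback(redirect, state)
    form = {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    return server.token(form), form


if __name__ == "__main__":
    srv = AuthorizationServer()
    tokens, form = run_code_flow(srv)
    print(tokens["token_type"], tokens["scope"])   # Bearer read
    print(try_token(srv, form))                    # None: the code was already used
```

Three checks in `token()` are what make the back-channel step safer than the Implicit flow: the code is popped so it cannot be replayed, the redirect_uri and client_id must match the ones used at `/authorize`, and the code_verifier must hash to the stored code_challenge, so a code captured from the redirect URL is useless on its own.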