OpenID Connect Authorization Code Flow
The OpenID Connect Authorization Code Flow specifies how IDM, acting as the Relying Party, interacts with the OpenID Provider (the social identity provider), building on the OAuth 2.0 authorization code grant. The following sequence diagram illustrates successful processing from the authorization request, through grant of the authorization code, access token, and ID token, to provisioning of the user from the social identity provider into IDM.
The following list describes each step in the authorization flow:
1. A user navigates to the IDM End User UI and selects the Sign In link for the desired social identity provider.
2. IDM prepares an authorization request.
3. IDM sends the request, including its Client ID, to the Authorization Endpoint that you configured for the social identity provider.
4. The social identity provider requests end user authentication and consent.
5. The end user authenticates and gives consent.
6. The social identity provider sends a redirect message, carrying an authorization code, to the end user's browser. The redirect goes to the oauthReturn endpoint, configured in ui.context-oauth.json in your project's
When you configure a social identity provider, the same redirect endpoint is set by a property in that provider's configuration file; the provider only redirects to a URI that matches what you registered with it.
7. The browser transmits the redirect message, with the authorization code, to IDM.
8. IDM records the authorization code and sends it to the social identity provider's Token Endpoint, together with its client credentials.
9. The social identity provider's token endpoint returns an access token and an ID token.
10. IDM validates the ID token (signature, issuer, audience, expiry) and presents the access token to the social identity provider's User Info Endpoint.
11. The social identity provider responds with information about the user's account, which IDM can provision as a new managed user.
You configure these credentials and endpoints, in some form, for each social identity provider.
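The exchange above, worked through as an added example that is not IDM's own code. The relying-party side builds the authorization request, checks the returned state, redeems the code at the token endpoint, validates the ID token, and calls the userinfo endpoint; the OpenID Provider is a constructed in-memory stub so the whole flow runs offline. The endpoint URLs, client ID and secret, redirect URI, and the HS256-signed ID token are assumptions for illustration (real social providers normally sign ID tokens with RS256 and publish their keys via JWKS).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed provider/client configuration: the kind of values a social identity
# provider configuration carries (endpoints, client ID/secret, redirect URI).
CONFIG = {
    "authorizationEndpoint": "https://op.example/authorize",
    "tokenEndpoint": "https://op.example/token",
    "userInfoEndpoint": "https://op.example/userinfo",
    "issuer": "https://op.example",
    "clientId": "idm-client",
    "clientSecret": "s3cr3t",  # assumed; also the HS256 key of the stub's ID token
    "redirectUri": "https://idm.example/oauthReturn",
    "scope": "openid profile email",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# ---------------------------------------------------------- relying party ---
def build_authorization_request(session: dict) -> str:
    """Steps 2-3: build the request; bind state and nonce to the browser session."""
    session["state"] = secrets.token_urlsafe(16)  # CSRF protection on the return leg
    session["nonce"] = secrets.token_urlsafe(16)  # replay protection for the ID token
    params = {"response_type": "code", "client_id": CONFIG["clientId"],
              "redirect_uri": CONFIG["redirectUri"], "scope": CONFIG["scope"],
              "state": session["state"], "nonce": session["nonce"]}
    return CONFIG["authorizationEndpoint"] + "?" + urlencode(params)


def validate_id_token(id_token: str, expected_nonce: str) -> dict:
    """Step 10: check signature, issuer, audience, expiry and nonce of the ID token."""
    h, p, sig = id_token.split(".")
    mac = hmac.new(CONFIG["clientSecret"].encode(), f"{h}.{p}".encode(), hashlib.sha256)
    if not hmac.compare_digest(_b64url(mac.digest()), sig):
        raise ValueError("bad ID token signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != CONFIG["issuer"]:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CONFIG["clientId"]:
        raise ValueError("ID token not issued for this client")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims


def handle_oauth_return(redirect_url: str, session: dict, op) -> dict:
    """Steps 7-11: consume the redirect, exchange the code, validate, fetch userinfo."""
    parsed = urlparse(redirect_url)
    qs = parse_qs(parsed.query)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CONFIG["redirectUri"]:
        raise ValueError("redirect landed on an unexpected URI")
    if qs.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: response not bound to this session")
    tokens = op.token(code=qs["code"][0], client_id=CONFIG["clientId"],
                      client_secret=CONFIG["clientSecret"], redirect_uri=CONFIG["redirectUri"])
    claims = validate_id_token(tokens["id_token"], session["nonce"])
    session.pop("state")   # both values are one-shot
    session.pop("nonce")
    info = op.userinfo(tokens["access_token"])  # access token, not ID token, goes here
    if info["sub"] != claims["sub"]:
        raise ValueError("userinfo subject does not match ID token")
    # Shape the claims the way a managed user would be provisioned (assumed mapping).
    return {"userName": info["email"], "mail": info["email"],
            "givenName": info.get("given_name", ""), "sn": info.get("family_name", "")}


# ------------------------------------------- constructed stub of the OP ---
class StubProvider:
    """Minimal OpenID Provider: issues a code after consent, redeems it once."""
    def __init__(self):
        self._codes, self._access = {}, {}
        self.user = {"sub": "1234", "email": "alice@example.com",
                     "given_name": "Alice", "family_name": "Liddell"}  # constructed

    def authorize(self, auth_url: str) -> str:
        """Steps 4-6: user authenticates and consents; OP redirects back with a code."""
        q = parse_qs(urlparse(auth_url).query)
        if q["response_type"] != ["code"] or q["client_id"] != [CONFIG["clientId"]]:
            raise ValueError("unsupported authorization request")
        code = secrets.token_urlsafe(12)
        self._codes[code] = {"nonce": q["nonce"][0], "redirect_uri": q["redirect_uri"][0]}
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code, client_id, client_secret, redirect_uri) -> dict:
        """Steps 8-9: single-use code plus client credentials -> access and ID tokens."""
        grant = self._codes.pop(code, None)
        if grant is None or grant["redirect_uri"] != redirect_uri or client_secret != CONFIG["clientSecret"]:
            raise ValueError("token endpoint rejected the code")
        claims = {"iss": CONFIG["issuer"], "sub": self.user["sub"], "aud": client_id,
                  "exp": int(time.time()) + 300, "nonce": grant["nonce"]}
        h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        p = _b64url(json.dumps(claims).encode())
        sig = _b64url(hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest())
        access = secrets.token_urlsafe(16)
        self._access[access] = self.user
        return {"access_token": access, "id_token": f"{h}.{p}.{sig}", "token_type": "Bearer"}

    def userinfo(self, access_token: str) -> dict:
        return dict(self._access[access_token])


def run_flow(op=None) -> dict:
    """Drive the full flow end to end and return the provisioned user attributes."""
    op = op or StubProvider()
    session = {}
    return handle_oauth_return(op.authorize(build_authorization_request(session)), session, op)


if __name__ == "__main__":
    print(run_flow())
```

The checks that matter for security sit on the return leg: the state must match the one stored in the browser session (otherwise an attacker can splice their own code into a victim's session), the nonce in the ID token must match the one sent in the request, the redirect must arrive on the registered URI, and the code is accepted by the token endpoint only once.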