OpenID connect authorization code flow
Social authentication is deprecated and will be removed in a future release of IDM. For more information, see Deprecation.
The OpenID Connect Authorization Code Flow specifies how IDM (Relying Party) interacts with the OpenID Provider (Social ID Provider), based on the use of the OAuth 2.0 authorization grant. The following sequence diagram illustrates successful processing from the authorization request, through grant of the authorization code, access token, ID token, and provisioning from the social identity provider to IDM.
The following list describes details of each item in the authorization flow:
- A user navigates to the IDM End User UI, and selects the Sign In link for the desired social identity provider.
- IDM prepares an authorization request.
- IDM sends the request to the Authorization Endpoint that you configured for the social identity provider, with a Client ID.
- The social identity provider requests end user authentication and consent.
- The end user transmits authentication and consent.
- The social identity provider sends a redirect message, with an authorization code, to the end user’s browser. The redirect message goes to an oauthReturn endpoint, configured in ui.context-oauth.json in your project’s conf/ directory. When you configure a social identity provider, you’ll find the endpoint in the applicable configuration file under the following property: redirectUri.
- The browser transmits the redirect message, with the authorization code, to IDM.
- IDM records the authorization code, and sends it to the social identity provider Token Endpoint.
- The social identity provider token endpoint returns access and ID tokens.
- IDM validates the token, and sends it to the social identity provider User Info Endpoint.
- The social identity provider responds with information on the user’s account, which IDM can provision as a new Managed User.
You’ll configure these credentials and endpoints, in some form, for each social identity provider.
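The Relying Party side of the flow above, as an added example in Python that is not IDM's own code: it builds the authorization request with a state and nonce, checks the state on the redirect to the oauthReturn endpoint, and validates the ID token claims (issuer, audience, expiry, nonce) before the user info call. The provider settings, redirectUri, Client ID, authorization code and token response are constructed stand-ins, and the ID token's signature is assumed to have been verified against the provider's published keys already.

```python
import secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed provider settings: hypothetical values, not a real social identity provider.
PROVIDER = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "redirect_uri": "https://idm.example.test/oauthReturn",  # hypothetical redirectUri (oauthReturn endpoint)
    "client_id": "idm-client",                               # hypothetical Client ID registered with the provider
}

def build_authorization_request(provider, state, nonce):
    """IDM prepares the authorization request sent to the Authorization Endpoint with its Client ID."""
    params = {"response_type": "code", "client_id": provider["client_id"],
              "redirect_uri": provider["redirect_uri"], "scope": "openid profile email",
              "state": state, "nonce": nonce}
    return provider["authorization_endpoint"] + "?" + urlencode(params)

def extract_code(redirect_url, expected_state):
    """The browser delivers the redirect to oauthReturn; accept the code only if state matches the session."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this session")
    return qs["code"][0]

def validate_id_token(claims, provider, expected_nonce, now=None):
    """IDM validates the ID token claims before trusting them or calling the User Info Endpoint."""
    now = now or int(time.time())
    if claims.get("iss") != provider["issuer"]:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if provider["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not minted for this request")
    return claims["sub"]

def run_example():
    """Walk the flow end to end with constructed provider responses (no network access)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    build_authorization_request(PROVIDER, state, nonce)  # what IDM would send the browser to
    # Constructed redirect from the provider back to the oauthReturn endpoint.
    redirect = PROVIDER["redirect_uri"] + "?" + urlencode({"code": "AUTHCODE123", "state": state})
    code = extract_code(redirect, state)
    # Constructed Token Endpoint response: ID token claims after signature verification.
    id_claims = {"iss": PROVIDER["issuer"], "aud": PROVIDER["client_id"], "sub": "user-42",
                 "exp": int(time.time()) + 300, "nonce": nonce}
    return code, validate_id_token(id_claims, PROVIDER, nonce)
```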