ProAuth is based on OpenID Connect protocol and therefore supports multiple authentication flows defined by the standard. Any OpenID Connect compliant client library could be used to authenticate your applications and services with ProAuth.
ProAuth supports the official OpenID Connect endpoints and implements the most common authentication flows described below. Because of its multi-tenancy feature set, each flow is executed in the context of a tenant. The tenant itself is represented by its ID provided in the acr_values in each request.
Primary OIDC Flows
- Authorization Code [response_type=code]
- Used for back-channel communication (i.e. server-side web application)
- After successful authentication, the response contains a code value. This code can later be exchanged for an access token and an id token.
- The middleware needs a client id and a client secret.
- This flow supports long-lived sessions through the use of refresh tokens
- Implicit [response_type=id_token token]
- Used for front-channel communication (i.e. SPA, mobile app)
- After successful authentication, the response contains an id token and an access token.
- This flow does not support long-lived sessions
- Hybrid [response_type=code id_token]
- This flow combines the above two in different combinations - what is needed for the use case
Other OICD Flows
- Client Credentials Flow
- Used for machine-to-machine authentication
- Instead of username and password client id and client secret are used to authenticate the backend service
- The access token is issued in the name of the client application (i.e. API) and therefore the call is identified as from another machine (i.e. API)
- Resource Owner Password Credentials [not recommended]
- Highly-trusted applications can use the resource owner password flow, which requests that users provide credentials (username and password) using an interactive form.
- Because credentials are sent to the backend it is highly recommended to only use this flow for highly trusted applications.
Available Response Types
- id_token token
- code id_token
- code token
- code id_token token