Feature Description


ProAuth is based on the OpenID Connect protocol and therefore supports the authentication flows defined by the standard. Any OpenID Connect compliant client library can be used to authenticate your applications and services against ProAuth.

ProAuth exposes the official OpenID Connect endpoints and implements the most common authentication flows described below. Because of its multi-tenancy feature set, each flow is executed in the context of a tenant. The tenant is selected by passing its ID in the acr_values parameter of each request.

Primary OIDC Flows

  • Authorization Code [response_type=code]
    • Used for back-channel communication (e.g. a server-side web application)
    • After successful authentication, the response contains a code value. The client later exchanges this code at the token endpoint for an access token and an ID token.
    • The client (e.g. the server-side middleware) authenticates the code exchange with its client id and client secret.
    • This flow supports long-lived sessions through the use of refresh tokens.
  • Implicit [response_type=id_token token]
    • Used for front-channel communication (e.g. SPA, mobile app)
    • After successful authentication, the response contains an ID token and an access token, delivered directly in the fragment of the redirect URL.
    • This flow does not support long-lived sessions (no refresh token is issued).
    • Caveat: because the tokens pass through the browser and its history, the OAuth 2.0 Security Best Current Practice recommends the authorization code flow (with PKCE, RFC 7636) for such public clients rather than the implicit flow.
  • Hybrid [response_type=code id_token, code token or code id_token token]
    • Combines the two flows above: some tokens are returned directly by the authorization endpoint, and the code is exchanged for the remaining ones at the token endpoint. Choose the combination the use case needs.

Other OIDC Flows

  • Client Credentials Flow
    • Used for machine-to-machine authentication
    • Instead of a username and password, the client id and client secret are used to authenticate the backend service.
    • The access token is issued in the name of the client application itself (e.g. an API) rather than a user, so the call is identified as coming from that machine.
  • Resource Owner Password Credentials [not recommended]
    • Highly trusted applications can use the resource owner password flow, in which the application collects the user's credentials (username and password) in its own interactive form and sends them to the token endpoint.
    • Because the application handles the raw credentials itself, use this flow only for highly trusted, first-party applications.
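The flows above share the same building blocks: an authorization request that carries the tenant in acr_values, a redirect response whose state must be checked, and back-channel token requests authenticated with the client id and secret. The following is an added example (not ProAuth's own code, and not a library ProAuth ships) that constructs those messages with the Python standard library. The issuer URL, the endpoint paths (/connect/authorize and /connect/token), and the assumption that acr_values carries the bare tenant id are all assumptions; a real client reads the endpoints from the issuer's .well-known/openid-configuration document. How the tenant is conveyed for the back-channel grants (client credentials, refresh) is not specified on this page, so the example only adds it to the authorization request.

```python
# Added example, not ProAuth's code: building OIDC requests for the flows
# described above. Issuer, endpoint paths and the acr_values format are
# assumptions (the page only states that the tenant id is sent in acr_values).
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

ISSUER = "https://proauth.example"                   # assumed issuer URL
AUTHORIZE_ENDPOINT = ISSUER + "/connect/authorize"   # assumed path; take it from
TOKEN_ENDPOINT = ISSUER + "/connect/token"           # .well-known/openid-configuration


def build_authorization_request(client_id, redirect_uri, tenant_id,
                                response_type="code", scope="openid"):
    """Return (url, state, nonce). Keep state and nonce in the user's session;
    both are checked when the response comes back."""
    state = secrets.token_urlsafe(32)   # CSRF binding for this login attempt
    nonce = secrets.token_urlsafe(32)   # replay binding for the ID token
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "acr_values": tenant_id,   # ProAuth tenant selection (bare id assumed)
    }
    if "openid" in scope.split():
        # Mandatory when an id_token is returned by the authorization endpoint
        # (implicit/hybrid); good practice for the code flow as well.
        params["nonce"] = nonce
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def request_params(url):
    """Decode the query parameters of an authorization request URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_authorization_response(redirect_url, expected_state):
    """Read the redirect back to the client. A code-only response arrives in the
    query string; any response containing a token or id_token arrives in the
    URL fragment, so both are read. Rejects errors and a wrong state."""
    parts = urlsplit(redirect_url)
    raw = {}
    raw.update(parse_qs(parts.query))
    raw.update(parse_qs(parts.fragment))
    resp = {k: v[0] for k, v in raw.items()}
    if "error" in resp:
        raise ValueError("authorization error: " + resp["error"])
    got = resp.get("state", "")
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    return resp


def _client_auth(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 2.3.1: form-encode, then base64)."""
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return {"Authorization": "Basic " + base64.b64encode(raw.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded"}


def token_request(client_id, client_secret, grant_type, **fields):
    """Back-channel call to the token endpoint; returns (url, headers, body)."""
    body = {"grant_type": grant_type, **fields}
    return TOKEN_ENDPOINT, _client_auth(client_id, client_secret), urlencode(body)


def code_exchange(client_id, client_secret, code, redirect_uri):
    # Authorization code flow: redirect_uri must repeat the value used in the
    # authorization request, so the server can detect a code stolen elsewhere.
    return token_request(client_id, client_secret, "authorization_code",
                         code=code, redirect_uri=redirect_uri)


def client_credentials(client_id, client_secret, scope):
    # Machine-to-machine: the token is issued to the client itself, no user.
    return token_request(client_id, client_secret, "client_credentials", scope=scope)


def refresh(client_id, client_secret, refresh_token):
    # Only possible when offline_access was requested and granted.
    return token_request(client_id, client_secret, "refresh_token",
                         refresh_token=refresh_token)


if __name__ == "__main__":
    url, state, nonce = build_authorization_request(
        "web-app", "https://app.example/cb", "tenant-42", "code", "openid")
    print(url)
```

The state check is what ties the redirect back to a login this client actually started; a response with a missing or foreign state is dropped before the code is ever sent to the token endpoint.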

Response Types

Available Response Types
  • code
  • token
  • id_token
  • none
Valid combinations
  • code
  • token
  • id_token
  • id_token token
  • code id_token
  • code token
  • code id_token token
  • none

Authorization Token Flow with OpenId


Request:

  Response Type   response_type=code
  Scopes          openid

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   issued               -              -
  Token Endpoint           -                    issued         issued

Token Flow: (diagram: Authorization Token Flow with OpenId)

Authorization Token Flow without ID Token


Request:

  Response Type   response_type=code
  Scopes          (openid not requested; plain OAuth 2.0 authorization code grant)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   issued               -              -
  Token Endpoint           -                    issued         -

Token Flow: (diagram: Authorization Token Flow without ID Token)

Token Response


Request:

  Response Type   response_type=token
  Scopes          (openid not requested; plain OAuth 2.0 implicit grant)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   -                    issued         -
  Token Endpoint           -                    -              -

Token Flow: (diagram: Token Response)

IDToken Response


Request:

  Response Type   response_type=id_token
  Scopes          openid (required: an ID token is only issued when the openid scope is requested)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   -                    -              issued
  Token Endpoint           -                    -              -

Token Flow: (diagram: IDToken Response)

Implicit Flow


Request:

  Response Type   response_type=id_token token
  Scopes          openid (required for the ID token)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   -                    issued         issued
  Token Endpoint           -                    -              -

Both tokens are returned in the fragment of the redirect URL; the token endpoint is not used and no refresh token is issued.

Token Flow: (diagram: Implicit Flow)

Hybrid Flow


Request:

  Response Type   response_type=code id_token
  Scopes          openid (required for the ID token)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   issued               -              issued
  Token Endpoint           -                    issued         issued

Token Flow: (diagram: Hybrid Flow)

Code and Token Response with OpenID


Request:

  Response Type   response_type=code token
  Scopes          openid

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   issued               issued         -
  Token Endpoint           -                    issued         issued

Token Flow: (diagram: Code and Token Response with OpenID)

Code and Token Response without OpenID


Request:

  Response Type   response_type=code token
  Scopes          (openid not requested)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   issued               issued         -
  Token Endpoint           -                    issued         -

Token Flow: (diagram: Code and Token Response without OpenID)

Code, Token and IDToken Response


Request:

  Response Type   response_type=code id_token token
  Scopes          openid (required for the ID token)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   issued               issued         issued
  Token Endpoint           -                    issued         issued

Token Flow: (diagram: Code, Token and IDToken Response)
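In the implicit and hybrid responses above (response_type=id_token token, code id_token, code token and code id_token token) the client receives an ID token straight from the authorization endpoint, next to a code and/or access token. The ID token must be validated before anything else in that response is trusted, and its c_hash and at_hash claims are what bind the code and access token to it (OpenID Connect Core 3.3.2.10 and 3.3.2.11). The following is an added example (not ProAuth's code) that performs those client-side checks. So that it runs offline it signs and verifies with HS256 and a constructed shared secret; tokens from a real ProAuth deployment are verified against the issuer's JWKS with the asymmetric algorithm it advertises. The issuer, client id, secret, code, access token and claim values are all constructed for the example.

```python
# Added example, not ProAuth's code: validating an ID token delivered in the
# front channel (implicit/hybrid) including the c_hash / at_hash binding.
# HS256 with a shared secret is an assumption so the example runs offline;
# a real client verifies the issuer's signature via its JWKS instead.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://proauth.example"      # constructed
CLIENT_ID = "spa-client"                # constructed
SECRET = b"constructed-shared-secret"   # constructed; never ship a static one


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str) -> str:
    """at_hash / c_hash for a SHA-256 based alg (RS256, ES256, HS256): the
    left-most 128 bits of SHA-256 over the ASCII value, base64url-encoded."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[:16])


def sign_hs256(claims: dict) -> str:
    """Stand-in for the issuer: mints a compact JWS with the shared secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def issue_hybrid_response(nonce: str, code: str, access_token: str, now: float) -> str:
    """The ID token an authorization endpoint would place in the fragment for
    response_type=code id_token token (constructed claims)."""
    claims = {
        "iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
        "iat": int(now), "exp": int(now) + 300, "nonce": nonce,
        "c_hash": half_hash(code), "at_hash": half_hash(access_token),
    }
    return sign_hs256(claims)


def validate_id_token(id_token: str, nonce: str, code=None, access_token=None,
                      now=None, leeway=60) -> dict:
    """Client-side checks from OIDC Core 3.1.3.7 / 3.3.2.12. Raises ValueError
    on any failure and returns the verified claims otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it ("alg": "none" attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or wrong for a multi-audience token")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    # nonce ties the token to the authorization request this client made.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch (replayed or injected token)")
    # Hybrid/implicit: the code and access token must be the ones this ID token
    # vouches for, otherwise an attacker can splice in values from another login.
    if code is not None and not hmac.compare_digest(
            str(claims.get("c_hash", "")).encode(), half_hash(code).encode()):
        raise ValueError("c_hash mismatch: code not bound to this ID token")
    if access_token is not None and not hmac.compare_digest(
            str(claims.get("at_hash", "")).encode(), half_hash(access_token).encode()):
        raise ValueError("at_hash mismatch: access token not bound to this ID token")
    return claims
```

For response_type=code id_token (no access token in the fragment) call validate_id_token with access_token=None; the at_hash check is only meaningful for tokens that arrived in the same front-channel response, and the ID token obtained later from the token endpoint is validated again against the same nonce.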

None Response


Request:

  Response Type   response_type=none
  Scopes          (any; no token is issued regardless of scope)

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token
  Authorization Endpoint   -                    -              -
  Token Endpoint           -                    -              -

The user is authenticated at ProAuth, but the redirect back to the client carries only the state parameter and no code or token.

Token Flow: (diagram: None Response)

Refresh Token Response


Request:

  Response Type   response_type=code
  Scopes          openid offline_access

Issued Tokens:

  Endpoint                 Authorization Code   Access Token   ID Token   Refresh Token
  Authorization Endpoint   issued               -              -          -
  Token Endpoint           -                    issued         issued     issued

The refresh token is issued only by the token endpoint, together with the access token and ID token, when the offline_access scope was requested and granted; the authorization endpoint never returns one. The client later presents it to the token endpoint (grant_type=refresh_token) to obtain a new access token without user interaction.

Token Flow: (diagram: Refresh Token Response)

Key Features


  • OpenID Connect Flows
  • OpenID Connect Endpoints

Contact


Did we catch your attention, or do you have any questions? Contact us today at:

  • +41 44 508 37 00
  • proauth@4tecture.ch