Thursday, May 10, 2012

Over simplified graphical representation of OpenID Connect

The OAuth 2.0 authz code grant type defines how to use the browser to get an access token (blue) from the AS to the Client. The OAuth bearer spec defines how to then use that token on API calls to arbitrary endpoints.

OpenID Connect layers new pieces on top - the new ID_token and the UserInfo endpoint (both in orange). As before, the client (normally) leverages the browser as the means to obtain tokens. 

The Client consumes the ID_token and creates a session based on it. The Client uses the access token to call both the UserInfo and other API endpoints.

No comments: