Authorization code flow
We use the OAuth Authorization Code flow (see the diagram below) to authenticate users with Onegini IDP. This means that the login process consists of two steps:
- Obtaining an authorization code (a.k.a. access grant)
- Exchanging the authorization code for the access token
The following diagram, taken from the OAuth 2.0 specification (RFC 6749), shows what happens in the flow:
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+
The Resource Owner is the end-user who wants to authenticate using Onegini IDP. The User-Agent is the browser of the end-user. The Client is the application you are integrating OAuth into. The Authorization Server is Onegini IDP. Steps (A) to (C) are the first step of the login process (the user-agent obtains the authorization code); steps (D) and (E) are the second (the client exchanges the code for the access token over a direct, server-to-server request).
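As an added illustration (not code from the Onegini SDK or this documentation), the client-side logic of steps (A), (C) and (D) in plain Python: building the authorization request with a state value, validating the callback so that an authorization code can only be redeemed by the session that started the flow, and assembling the token request. The endpoint URLs, client id and sample code value are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoints and client registration (placeholders, not real values).
AUTHORIZE_URL = "https://idp.example.com/oauth/authorize"
TOKEN_URL = "https://idp.example.com/oauth/token"


def build_authorization_request(client_id, redirect_uri, state):
    """Step (A): the URL the client redirects the user-agent to.
    The state value is stored in the user's session and binds the
    later callback to this login attempt (CSRF protection)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step (C): the authorization server sent the user-agent back to the
    redirection URI. Refuse the code unless the state matches the one
    issued in step (A); compare in constant time."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step (D): form body the client POSTs to TOKEN_URL directly (never via
    the browser). redirect_uri must equal the value used in step (A) so the
    server can reject codes obtained through a different redirection URI."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def new_state():
    """Fresh unguessable state for each login attempt."""
    return secrets.token_urlsafe(32)
```

The access token returned in step (E) is then used by the client against the protected resources; it never passes through the user-agent.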
Onegini provides an SDK to implement this flow in a Java application.