Question

Here's the deal. I have a .NET MVC5 web application that I'm moving up to the OpenID Connect standard.

I also would like to be able to access controller methods from a mobile app (much like an API) to send and receive JSON data.

If I understand it correctly, the Implicit Flow has clients retrieving an id_token from the OpenID provider for the sake of authentication. In the case of a mobile app, if I retrieve an id_token for a client_id that matches the client_id of my web application, I should be able to use it to authenticate the app with my web back-end, right?

And an Authorization Code Flow gives me an access token, which allows me to retrieve refresh tokens so I retain authorization for longer periods of time. Does this authorization then automatically apply to my web back end, or must I also ping my web site in order for it to assign me an authorization code it retrieves from, say, Google?

Lastly, there's a Hybrid Flow that combines the two, giving an id_token for authentication, an access token that can be used immediately to access my web application resources, and an offline_access code that allows the web application to get refresh tokens on the user's behalf even when they're not using the application.

Am I thinking about this all wrong? Is my method of authenticating with my web application from my native Android client really not an OpenID Connect problem at all? What would any of you use in this situation?


Solution

As it turns out, it's sort of a combination of the Authorization flow and the Implicit flow. The Implicit flow is for client-based applications, and the authorization flow allows for server-to-server access, I think.

What ended up being the right answer is retrieving an access_code from Google, with a specific audience specified. The audience is the client_id of my web application. The access_code is then given to the web application to authenticate my client (be it browser or mobile app). The web application exchanges the access_code for an id_token and a refresh_token using the Google token endpoint. Then these tokens are verified and used to authenticate subsequent requests.

From there the user identity is authenticated, and it's up to me how I'd like to handle that - be it token-based authentication for the native mobile app or cookie authentication for the browser.

Licensed under: CC-BY-SA with attribution