Saturday, January 16, 2016

Authentication using the Implicit Flow

The OpenID Connect Core specification [1] describes the core functionality: authentication built on top of OAuth 2.0, and the use of claims to communicate information about the End-User.
The OpenID Connect Core specification mainly covers two OAuth 2.0 grant types, the Authorization Code grant type and the Implicit grant type [2][3]. Up to Identity Server 5.0.0 only the Authorization Code grant type had OpenID Connect support; the Implicit grant type did not. With the Identity Server 5.1.0 release, OpenID Connect support was added to the Implicit grant type too. In other words, the Implicit grant type is now capable of returning an ID Token. More information about the ID Token can be found here [4].

The implicit grant type supports three different response types:

  1. token
  2. id_token
  3. id_token token

Please refer to the sample requests and responses below to see how each response type works. In all three cases the tokens are returned in the fragment part of the redirect URI (after the #), so they are delivered to the browser rather than to a back-end, and the client must validate the ID Token itself (issuer, audience, expiry, nonce and, where an access token is returned, at_hash) before trusting it.

  1. response_type=token

request

response

http://mycallbackurl#access_token=bb2157fce1266331c7802a8a1f6a33e1&token_type=Bearer&expires_in=3600

  2. response_type=id_token

request

response
http://mycallbackurl#id_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhdWQiOlsiTmdUSUNYRlBZbnQ3RVRVbTZGYzhOTVU4SzM4YSJdLCJhenAiOiJOZ1RJQ1hGUFludDdFVFVtNkZjOE5NVThLMzhhIiwiYXV0aF90aW1lIjoxNDUyOTY5MDQ1LCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE0NTI5NzMwMDQsIm5vbmNlIjoiYWJjIiwiaWF0IjoxNDUyOTY5NDA0fQ.BVH6ZeWhz4Hqji3YD1mdjMK-qxGwDDAndRzPqitOtZ0IhyXS8aeUrMWlMnazTJjilC1Dd_j6JjRh1hi1ee090KMEZnJ5Oung1Cw-vNGLDKtVzGwKVqRe9HbW9FkSrhXW5JOuR4sl-WQjr_3Ab0KVkgsammf0nDVEse_wSFrh5jA

Please note that the nonce parameter is mandatory here (it is REQUIRED for the Implicit Flow), and that the ID Token is only returned if the request includes scope=openid.

Base64url-decoded payload of the ID Token:

{"sub":"admin@carbon.super","aud":["NgTICXFPYnt7ETUm6Fc8NMU8K38a"],"azp":"NgTICXFPYnt7ETUm6Fc8NMU8K38a","auth_time":1452969045,"iss":"https:\/\/localhost:9443\/oauth2\/token","exp":1452973004,"nonce":"abc","iat":1452969404}

The ID Token does not contain an at_hash value because no access token is issued with response_type=id_token; at_hash is derived from the access token (it is the base64url encoding of the left-most half of the hash of the access token's ASCII octets, using the hash algorithm of the ID Token's alg header, i.e. SHA-256 for RS256).


  3. response_type=id_token token

request

response

As with response_type=id_token, the nonce parameter is mandatory here and the ID Token is only returned when scope=openid is requested. Base64url-decoded payload of the returned ID Token:

{"at_hash":"dO0wWNbHEdVOewSHlVFzfw","sub":"admin@carbon.super","aud":["NgTICXFPYnt7ETUm6Fc8NMU8K38a"],"azp":"NgTICXFPYnt7ETUm6Fc8NMU8K38a","auth_time":1452970406,"iss":"https:\/\/localhost:9443\/oauth2\/token","exp":1452974006,"nonce":"abc","iat":1452970406}

This ID Token contains an at_hash value because an access token is issued along with it. The client should recompute at_hash from the access token it received in the fragment and compare the two values; this binds the access token to the ID Token and detects a substituted access token.
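The checks described in the notes above (nonce, scope=openid, at_hash present only when an access token is issued) are what a relying party has to perform on the fragment it gets back. The following Python script is an added example written for this post, not code from the original post or from WSO2 Identity Server: it parses an implicit-flow callback, pins the JWS algorithm, validates iss/aud/azp/exp/nonce and recomputes at_hash from the access token. The client_id, issuer and claim values are copied from the post's samples; the callback URL, the ID Token (which carries a placeholder signature) and the `now` timestamp are constructed for the demo. Signature verification against the provider's published key is the one step it deliberately does not implement.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

# Client configuration, taken from the post's sample ID Token (aud/azp and iss).
CLIENT_ID = "NgTICXFPYnt7ETUm6Fc8NMU8K38a"
ISSUER = "https://localhost:9443/oauth2/token"
HASH_FOR_ALG = {"RS256": hashlib.sha256, "RS384": hashlib.sha384, "RS512": hashlib.sha512}


def b64url_decode(s):
    """base64url without padding, as used for JWS segments."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_fragment(redirect_url):
    """Implicit-flow parameters travel in the URL fragment (after '#'), not the query string."""
    fragment = urlsplit(redirect_url).fragment
    if not fragment:
        raise ValueError("no fragment in redirect URL")
    return {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}


def compute_at_hash(access_token, alg):
    """at_hash = base64url(left-most half of HASH(access_token)), HASH chosen by the JWS alg."""
    digest = HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token(id_token, nonce, access_token=None, now=None,
                      client_id=CLIENT_ID, issuer=ISSUER):
    """Client-side ID Token checks for the implicit flow (OIDC Core 3.2.2.11); returns the claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm family: a token must never be allowed to pick "none" or an HMAC alg.
    if header.get("alg") not in HASH_FOR_ALG:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # Signature verification against the issuer's published key belongs here; this stdlib-only
    # example deliberately does not implement it, and a real client must not skip it.
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now

    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("client_id not in aud")
    if len(aud) > 1 and "azp" not in claims:
        raise ValueError("multiple audiences but no azp")
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("ID Token expired")
    # nonce is REQUIRED in the implicit flow: it ties the token to the session that started the request.
    got_nonce = str(claims.get("nonce", "")).encode("utf-8")
    if not nonce or not hmac.compare_digest(got_nonce, nonce.encode("utf-8")):
        raise ValueError("nonce mismatch (replayed or foreign ID Token)")
    if access_token is not None:
        # response_type=id_token token: at_hash is REQUIRED and must match the access token we got.
        if "at_hash" not in claims:
            raise ValueError("at_hash missing although an access token was returned")
        expected = compute_at_hash(access_token, header["alg"]).encode("ascii")
        if not hmac.compare_digest(str(claims["at_hash"]).encode("utf-8"), expected):
            raise ValueError("at_hash mismatch: access token does not belong to this ID Token")
    return claims


def make_demo_id_token(claims, alg="RS256"):
    """Constructed token for the demo: real header and claims, placeholder (unverifiable) signature."""
    header = b64url_encode(json.dumps({"alg": alg}).encode())
    return header + "." + b64url_encode(json.dumps(claims).encode()) + ".placeholder-signature"


def build_demo_callback(access_token, nonce="abc"):
    """Constructed 'id_token token' redirect modelled on the post's samples (claim values copied)."""
    claims = {"sub": "admin@carbon.super", "aud": [CLIENT_ID], "azp": CLIENT_ID,
              "auth_time": 1452970406, "iss": ISSUER, "exp": 1452974006, "iat": 1452970406,
              "nonce": nonce, "at_hash": compute_at_hash(access_token, "RS256")}
    return ("http://mycallbackurl#access_token=" + access_token + "&token_type=Bearer"
            "&expires_in=3600&id_token=" + make_demo_id_token(claims))


def demo(now=1452970500):
    """Parse the constructed callback and validate the ID Token against the access token it came with."""
    params = parse_fragment(build_demo_callback("bb2157fce1266331c7802a8a1f6a33e1"))
    return validate_id_token(params["id_token"], nonce="abc",
                             access_token=params["access_token"], now=now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the validated claims. For response_type=id_token call `validate_id_token` without `access_token`; for response_type=id_token token always pass the access token taken from the fragment, so that a substituted access token fails the at_hash comparison rather than being silently accepted.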


[2] http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
[4] http://openid.net/specs/openid-connect-core-1_0.html#IDToken