IdentityServer Flows

Question

IdentityServer supports different OpenId Connect flows that are defined in the Flows enum and set for clients. There\'s also samples for each type of flow and many references to

Answer 1

The flows defined in OAuth2 are just several ways for a client to receive an access token from an identity provider server; the IdentityServer in this case. Understanding the flows won't be easy unless you fully comprehend the entities specified in the flow diagrams such as Resource Owner, User Agent, and Resource Server. There're some brief explanations on these entities ( roles, preciously ) in here.

---

Authorization code flow : issues an authorization code prior to issuing an access token.

• A client requests an authorization code.
• IdentityServer Validates the client and asks the resource owner to grant the authorization to issue an authorization code.
• The client then requests an access token with the given authorization code
• The authorization server issues an access token directly to the client.

---

Implicit code flow : issues an access token even with no authorization code provided.

• A client requests an access token directly.
• IdentityServer skips validating the client ( in some scenarios, it partially does ) but still asks the resource owner to grant the authorization to issue an access token
• This flow never issues an authorization code.

Implicit flow is considered as the ideal flow for a client using script languages like javascript since the client doesn't have to request for an authorization code and an access token separately, in turn, reducing one network round trip for the client.

---

Client credentials flow : issues an access token without a resource owner's permission.

• A client requests an access token directly.
• IdentityServer validates the client and issues an access token right away.

This is ideal when the client is also a resource owner, so it doesn't need any authorization permissions all the way down to the access token.

---

Resource owner flow : issues an access token if a client has the resource owner's credentials ( eg. Id / Password )

• A client requests an access token directly.
• IdentityServer validates the client and checks the resource owner's identity.
• If valid, the client gets access token instantly.

This flow is ideal for the clients that you believe it is absolutely safe to share the ids and passwords with them.

---

Hybrid flow (OIDC flow) : issues an authorization code and an access token.

This is a combination of Authorization code flow and Implicit code flow. That's why it's called Hybrid.

---

Custom flow

This is literally a customizable flow. This can be used when you need a specific authentication / validation process in your business beside all the protocol specifications in OAuth2.

IdentityServer is well aware of this kind of situation and it supports extensibilities by design. The factory pattern, the decorator pattern, and IoC / DI will be making easier for you to implement additional features on your IdentityServer.