This is an old revision of the document!
OAuth
Capturing the request
| Column | Type | Obtained from | Description |
|---|---|---|---|
| id | UUID | Generated | ID to keep track of the request |
| secret | str | Generated | Secret stored in a flow cookie |
| session_id | Optional FK | Logged in session | Associated login session |
| client_id | FK | Query string | The OAuth client sending this request |
| response_type | str | Query string | OAuth response type. e.g. Authorization Code, ID token etc. |
| scope | str | Query string | The requested scope. Usually contains openid as a minimum |
| state | str | Query string | Client specific state |
| nonce | str | Query string | Passed through to the ID token |
| redirect_uri | str | Query string | Where to redirect after authenticating |
| acr_values | str | Query string | Requested authentication level |
| code_challenge | str | Query string | PKCE challenge |
| code_challenge_method | str | Query string | PKCE method |
Generating the response
The response is dependent on the response_type field. This is a space separated set with various options:
code: a code to be submitted to the Token endpoint to obtain other information.token: an access token.id_token: an OpenID ID token.
The response_mode is determined implicitly based on the response_type. This can take the following values:
query: the response is returned in the query string.fragment: the response is returned in the URL fragment (stuff after the#symbol).
The query mode is used when only the code is being requested, otherwise the URL fragment is used. Most of the time clients will only be requesting a code.
The authorization code
This is a short lived code that can be submitted to the Authorization endpoint in exchange for ID and access tokens. The code_challenge may also be used at this point using the PKCE standard
The ID token
The ID token shall be returned if the openid scope was requested. These are the claims we plan to support:
| Claim | Required | Description | Obtained from |
|---|---|---|---|
| iss | REQUIRED | Issuer identtifier. | Portal base URL. |
| sub | REQUIRED | Subject identifier. | User from the session_id. |
| aud | REQUIRED | Audience(s) the ID token is intended for. | client_id. |
| exp | REQUIRED | Token expiration time. | Per-client configuration. |
| iat | REQUIRED | When the token was issued. | Current time when the token is generated. |
| auth_time | OPTIONAL (unless requested through max_age query parameter) | Time when end user authentication occured. | Most recent timestamp in the session's last_xx_auth fields. |
| nonce | OPTIONAL unless present in request | String value to associate client session with ID token and to mitigate replay attacks. | Request nonce. |
| acr | OPTIONAL unless requested by acr_values | Authentication context class (how “strong” the authentication was). | Session authentication level. |
| amr | OPTIONAL | Authentication methods. | Session authentication methods based on last_xx_auth fields. May be filtered based on max_age if present. |
Note that only azp is missing from the OpenID core spec as we don't plan to use any extensions to the spec.