Which actors?
Which tokens?
Actors: Client, Authorization server, Resource server, Resource owner

Authorization code flow:

1. Request client authorization
2. Authorize the client
3. Redirect with authorization code
4. Request access token using the code and credentials
5. Return access token / refresh token
6. Request protected resource using access token
Proof Key for Code Exchange
"PIXI"
Actors: Client, Authorization server, Resource server, Resource owner

Authorization code flow with PKCE:

1. Request client authorization
2. Authorize the client
3. Redirect with authorization code
4. Request access token using the auth code
5. Return access token / refresh token
6. Request protected resource using access token

What PKCE adds to the flow:

- Client: generate code, hash it and send with authorization request
- Authorization server: receive the code and save it
- Client: send the code (not hashed) with the token request
- Authorization server: hash the code received and compare to the saved hashed code
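The four PKCE steps above, carried through in code. This is an added example, not code from the talk: `make_code_verifier`, `code_challenge_s256` and the toy `AuthorizationServer` class are assumed names, and the server keeps its pending codes in a plain dict instead of real storage. The verifier/challenge pair used in the usage check is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires for the challenge
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    # Client side, step 1: a high-entropy random string of 43..128 unreserved
    # characters. 32 random bytes encode to exactly 43 characters.
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    # Client side, step 1: the hashed form sent with the authorization request
    # (code_challenge_method=S256)
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in for the authorization server's PKCE bookkeeping (assumed name)."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> saved code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Step 2: receive the hashed code and save it against a fresh authorization code.
        # Only S256 is accepted; "plain" offers no protection against an intercepted code.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Steps 3 and 4: the client presents the unhashed verifier; the server hashes it
        # and compares with the saved challenge. The code is single-use, so a replay fails.
        saved_challenge = self._pending.pop(code, None)
        if saved_challenge is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(code_challenge_s256(code_verifier), saved_challenge)


def demo_flow() -> bool:
    # Whole exchange: legitimate client obtains a code and redeems it once
    verifier = make_code_verifier()
    server = AuthorizationServer()
    code = server.authorize(code_challenge_s256(verifier))
    return server.token(code, verifier)


if __name__ == "__main__":
    print("PKCE flow succeeded:", demo_flow())
```

The constant-time comparison and the single-use code are the two details that tend to be dropped in hand-rolled implementations; an attacker who captures the redirect still lacks the verifier, and a code that has already been redeemed cannot be redeemed again.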
... of terminology
| OAuth2.0 | OpenID Connect | 
|---|---|
| Client | Relying Party | 
| Authorization Server | Identity Provider | 
... of grant flow
But not that much!
... of token
id_token
JWT
JWS
JWE
Header:

```json
{ "typ": "JWT", "alg": "HS256" }
```

Payload:

```json
{
  "iss": "https://server.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1602791273,
  "iat": 1602791273,
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe"
}
```

+ signature

Encoded (header.payload.signature):

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlcnZlci5leGFtcGxlLmNvbSIsImlhdCI6MTYwMjc5MTI3MywiZXhwIjoxNjM0MzI3MjczLCJhdWQiOiJzNkJoZFJrcXQzIiwic3ViIjoiMjQ0MDAzMjAiLCJub25jZSI6Im4tMFM2X1d6QTJNaiIsIm5hbWUiOiJhbmUgRG9lIiwiZ2l2ZW5fbmFtZSI6IkphbmUiLCJmYW1pbHlfbmFtZSI6IkRvZSJ9.YMHmas3dqMLhwD9WIymIrcwnAjgyU309Aak7n1BlUb0
```
Karim PINCHON - @kpn13