
Authorization Code Flow

tl;dr

  1. Start the client with a config.yaml:
    oidc-client client --config config.yaml
    
  2. Open the URL (default: http://127.0.0.1:5556/login) in a web browser. This will redirect to the configured Authorization Server
    [INFO]  oidc-client: Go to http://127.0.0.1:5556/login
    
  3. Authenticate to the Authorization Server
  4. You can view the output in the terminal window:
    [INFO]  oidc-client: Access Token Response:
      Response=
      | {
      |     "access_token": "",
      |     "refresh_token": "",
      |     "scope": "openid profile ",
      |     "id_token": "",
      |     "token_type": "Bearer",
      |     "nonce": "-",
      |     "expires_in_human_readable": ""
      | }
    
    [INFO]  oidc-client: IDToken Claims:
      IDTokenClaims=
      | {
      | }
    
    [INFO]  oidc-client: Userinfo Claims:
      UserInfoClaims=
      | {
      | }
    
    [INFO]  oidc-client: Stopping server
    

How does it work?

The CLI will parse the config file (--config) and fetch the Issuer's .well-known/openid-configuration document. After some basic validation, it will start a local HTTP server (the port can be changed with --port) which hosts:

  • a login page (default: http://127.0.0.1:5556/login)
  • a callback page (the redirect_uri, default: http://127.0.0.1:5556/auth/callback).

Navigating to the login page will

  1. Generate a random nonce and state, and set those values as cookies
  2. Initiate the Authorization Code flow by redirecting to the Authorization Server's authorize_endpoint. After successful authentication on the Authorization Server, the Authorization Server will redirect back to the redirect_uri with the authorization_code (and other parameters).

On the callback page (redirect_uri), the client will

  1. Validate that the state cookie matches the state parameter returned on the callback page
  2. Attempt to exchange the authorization_code for an Access Token, and optionally a Refresh Token and ID Token
  3. If an ID Token is returned, the client will
    1. validate the token signature against the jwks_uri of the Authorization Server
    2. validate that the nonce cookie matches the nonce claim inside the ID Token
    3. if amr_list is configured, validate that at least one amr value from the ID Token is present in the amr_list
  4. Use the Access Token to retrieve user profile information from the userinfo endpoint of the Authorization Server
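The callback checks above (state cookie vs. state parameter, nonce cookie vs. ID Token nonce, and the amr_list filter), written out as an added Go example that is not the oidc-client project's own code; the CallbackInput struct, the field names and the constructed inputs are assumptions made here, and the JWT signature check against jwks_uri is not included:

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// CallbackInput (hypothetical struct) holds what the callback handler sees: the cookies
// set on /login, the state query parameter and, if an ID token came back, its claims.
type CallbackInput struct {
	StateCookie, StateParam   string
	NonceCookie, IDTokenNonce string
	HasIDToken                bool
	IDTokenAMR                []string // amr claim of the ID token
	AMRList                   []string // configured amr_list; empty disables the check
}

// secureEqual compares in constant time; an empty expected value (missing cookie) never matches.
func secureEqual(expected, got string) bool {
	return expected != "" && subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// ValidateCallback runs the state, nonce and amr checks in the client's order (signature check omitted).
func ValidateCallback(in CallbackInput) error {
	if !secureEqual(in.StateCookie, in.StateParam) {
		return errors.New("state cookie does not match state parameter")
	}
	if !in.HasIDToken {
		return nil // no ID token: nothing further to validate
	}
	if !secureEqual(in.NonceCookie, in.IDTokenNonce) {
		return errors.New("nonce cookie does not match ID token nonce")
	}
	if len(in.AMRList) == 0 {
		return nil
	}
	for _, allowed := range in.AMRList {
		for _, got := range in.IDTokenAMR {
			if got == allowed {
				return nil // at least one amr from the token is in amr_list
			}
		}
	}
	return fmt.Errorf("ID token amr %v contains none of amr_list %v", in.IDTokenAMR, in.AMRList)
}

func main() {
	fmt.Println(ValidateCallback(CallbackInput{StateCookie: "s1", StateParam: "s2"})) // constructed mismatch
}
```

Note that an absent cookie is rejected outright rather than compared against an empty parameter, which is the edge case a handler that only compares strings would get wrong.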

CLI Usage

oidc-client help client
Starts the oidc client

Usage:
  oidc-client client [flags]

Flags:
  -c, --config string   oidc client config file
  -h, --help            help for client
  -p, --port int        oidc client call back port (default 5556)

Global Flags:
  -d, --debug           debug mode enabled
      --no-color        disable color output
      --skip-userinfo   Skip fetching Userinfo