A client (aka relying party or RP) is a piece of software that requests tokens from IdentityServer - either for authenticating a user (requesting an identity token) or for accessing a resource (requesting an access token). A client must be first registered with IdentityServer before it can request tokens.
Examples for clients are web applications, native mobile or desktop applications, SPAs, server processes etc.
Registration requirements vary depending on the type of client before being able to request tokens.
Current typical configuration requirements for settings within the OP for a:
Client for Server to Server Communication
- A unique
client_id - A
secret(obtain from CRMLS admin). - Client credentials grant/flow type
- The scopes (aka resources) client requires access to (arrange with CRMLS admin).
Legacy Client with End User(s)
- A unique
client_id - A
secret(obtain from CRMLS admin). - Resource owner password credential grant/flow type
- The scopes (arrange with CRMLS admin).
Browser-based Client (e.g., SPA)
- A unique
client_id - Implicit grant/flow type
- A callback/redirect URI (
redirect_uri) or list of URIs. - The scopes (arrange with CRMLS admin).
- Optional post logout URI(s).
Implicit flow is the recommended flow for client applications that involve end users.
Implicit Flow properties
- All tokens returned from authorization endpoint (no need for token endpoint)
- Tokens revealed to User Agent
- Communication in one round trip
Example client side settings (javascript - CRMLS OP client registered with implicit grant type)
function getClientSettings(): UserManagerSettings {
return {
authority: 'https://soc.crmls.org/',
client_id: 'js_oidc',
redirect_uri: 'http://sample.client.com/auth-callback',
post_logout_redirect_uri: 'http://sample.client.com/',
response_type: "id_token token",
acr_values: "idp:Saml2",
scope: "openid profile CrmlsProfile webapi",
filterProtocolClaims: true,
checkSessionInterval: 2000,
// automaticSilentRenew: true,
loadUserInfo: true
};
}
Basic Client Workflow (Implicit Flow)
The sequence below depicts a simple, 'happy path' scenario for an end user accessing CRMLS ODataApi (including logging in).
Walk through of the sequence:
- User opens a web browser and goes to a protected page on “Client App” (or Third Party Web App).
- No previous session metadata exists and therefore user’s browser is redirected to a ‘Login page’.
- The browser requests for Login page (NB: skipped showing receipt of Login page) – And user provides login credentials and submits.
- CRMLS OP processes the login and responds with success, a redirect to the requested page, and relevant tokens (i.e., id_token and access_token) along with scope and claims belonging to the logged in user for the application – “Client App”.
- The browser requests for the protected page.
- Browser receives the protected page.
- Browser now requests a protected resource (e.g., due to ajax call from protected page) with reference token (access_token) and session state metadata.
- “ODataApi” checks session (and cache) then reaches to CRMLS OP to validate reference token.
- Validation is successful, and response includes user identity and resource attributes that are configured for “ODataApi” to receive.
- “ODataApi” stores/caches validated reference token (life span of cache * ~ 60 minutes - adjustable).
- Browser receives results from requested (ODataApi) resource.
* Clients are responsible to check sessions and/or tokens that are stale and redirect appropriately based on the application: e.g., back to the Login URL or similar.