...
The full specification for OIDC is available on the OpenID Foundation’s website at OpenID Connect Core 1.0 specification.
End-user authentication
The authentication flow of OIDC is most easily compared to logging in with a
Google or Facebook account. The end-user is redirected to a page of a trusted party, is
asked to provide credentials, and may see a consent screen asking permission to share
personal data with the calling party. It is up to the end-user to disclose the data or not.
The PKIsigning OIDC flow works in the same manner.
...
Urgent |
---|
For security purposes, the authentication information supplied by PKIsigning differs between the production and staging environments. Do not store PKIsigning credentials in clear text in configuration files. |
Fetch the OpenID configuration document
...
```http
// Line breaks for readability only
GET https://identity.pkisigning.io/connect/authorize?
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &response_type=code
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &scope=openid%20pkisigning.platform
    &state=12345
    &nonce=678910
```
Tip |
---|
The nature of OIDC is that credentials are used only on the authentication page of the party that issued them. It is therefore not possible to send credentials directly from a third-party application: the authentication page has to be shown to the end-user. |
Information |
---|
Loading the PKIsigning authentication page in an iframe has been explicitly blocked to prevent clickjacking and overlay attacks. |
After being authenticated on our identity server, the user is redirected back to a URL of
the application. The query string contains a code parameter, which is required to obtain an access token.
...
After the user has been redirected back to the application, use the code from the query string to obtain an access token. The values in this request must match the values sent earlier when redirecting the user to the PKIsigning authentication page.
...
```http
// Line breaks for readability only
POST /connect/token HTTP/1.1
Host: identity.pkisigning.io
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=openid%20pkisigning.platform
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh   // NOTE: This secret needs to be URL-encoded.
```
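The two requests above as a server-side relying party (added example code, not PKIsigning's own): the authorization redirect with a fresh per-login state and nonce, the state check on the callback, and the URL-encoded form body for the token request. The endpoints, client_id and redirect URI are the sample values from this page; the session dictionary and any callback values are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTHORIZE_URL = "https://identity.pkisigning.io/connect/authorize"
CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"   # sample value from the page
REDIRECT_URI = "http://localhost/myapp/"             # sample value from the page
SCOPE = "openid pkisigning.platform"

def build_authorize_url(session: dict) -> str:
    """Build the redirect to the PKIsigning authentication page.
    state and nonce are unguessable per-login values kept in the server-side
    session (assumed dict) so they can be checked on the way back."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)   # compared with the id_token later
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)  # %20 like the page

def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the identity server and return the code.
    The state is single-use and must equal the one issued for this session;
    anything else is rejected as a forged or replayed redirect."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("state", None)
    if expected is None or query.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: rejecting callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]

def token_request_body(code: str, client_secret: str) -> str:
    """Form body for POST /connect/token, built server-side only so the secret
    never reaches the browser. urlencode percent-encodes the secret as the
    page requires; redirect_uri and scope must match the authorize request."""
    return urlencode({
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
        "client_secret": client_secret,
    }, quote_via=quote)
```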
...
Error Code | Description | Client Action |
---|---|---|
| Protocol error, such as a missing required parameter. | Fix the request or app registration and resubmit the request. |
| The authorization code or PKCE code verifier is invalid or has expired. | Try a new request to the |
| The authenticated client isn't authorized to use this authorization grant type. | This error usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instructions for installing the application and adding it to Azure AD. |
| Client authentication failed. | The client credentials aren't valid. To fix, the application administrator updates the credentials. |
| The authorization server doesn't support the authorization grant type. | Change the grant type in the request. This type of error should occur only during development and be detected during initial testing. |
| Non-standard, as the OIDC specification calls for this code only on the | Retry the |
| The server is temporarily too busy to handle the request. | Retry the request after a small delay. The client application might explain to the user that its response is delayed because of a temporary condition. |
| The request requires user consent. This error is non-standard. It's usually only returned on the | The client should send the user back to the |
| The scope requested by the app is invalid. | Update the value of the |
Warning |
---|
For security reasons it is not possible to request an access token from a browser: that would require the client secret to be available in an untrusted environment. Web browsers will block such requests with CORS policy violation errors. |
...