Appendix A - Grant Type Flows and Endpoints Mapping
Status: Ready for review
Grant Type and Endpoint Mapping for OAuth 2
This table maps each OAuth 2 flow to the endpoints it uses and gives an indication of the relative complexity of the flows and of where they are alike and where they differ.
| End Points | Authorisation Code Flow | Implicit Flow | Resource Owner Password Credential Flow | Client Credential Flow |
|---|---|---|---|---|
| Authorisation endpoint (client to OAuth 2 server) | GET /authorize?response_type=code&scope=&client_id=healthabc&state=a4e0761eK8c21&redirect_uri=https%3A%2f%2F HTTP/1.1 | GET /authorize?response_type=token&scope=&client_id=healthabc&state=a4e0761eK8c21&redirect_uri=https%3A%2f%2F HTTP/1.1 | N/A (authorisation endpoint not used) | N/A (authorisation endpoint not used) |
| Redirect URL to client | HTTP/1.1 302 Found Location: https://...?code=SpixdfghgeQQrkskfHiL75T&state=a4e0761eK8c21 | HTTP/1.1 302 Found Location: https://...#access_token=a4e0761eK8c24&token_type=bearer&state=a4e0761eK8c21 (token is returned in the URL fragment, not the query string) | N/A (authorisation endpoint not used) | N/A (authorisation endpoint not used) |
| Token endpoint (client to OAuth 2 server) | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=authorization_code&code=SpixdfghgeQQrkskfHiL75T&redirect_uri=https%3A%2f%2F | N/A (access token returned from the authorisation endpoint call) | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=password&username=user1&password=wef8%26967 (the & in the password is form-encoded as %26) | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=client_credentials |
| Response to client | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SFRuiJhfeUnb", "token_type": "Bearer", "refresh_token": "JkiOlpvbErW", "expires_in": 3600 } | N/A (access token returned from the authorisation endpoint call) | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SFRuiJhfeUnb", "token_type": "Bearer", "refresh_token": "JkiOlpvbErW", "expires_in": 3600 } | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SFRuiJhfeUnb", "token_type": "Bearer", "expires_in": 3600 } (no refresh token is issued in this flow) |
| Resource server request from client | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb |
| Response from resource server to client | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } |
Refresh Token Flow
| End Points | Authorisation Code Flow | Implicit Flow | Resource Owner Password Credential Flow | Client Credential Flow |
|---|---|---|---|---|
| Refresh token request from client to token endpoint | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=refresh_token&refresh_token=JkiOlpvbErW | N/A (no refresh token in this flow) | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=refresh_token&refresh_token=JkiOlpvbErW | N/A (no refresh token in this flow) |
| Response to client | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "JHuytGdfKm", "token_type": "Bearer", "refresh_token": "JHuytGdfKm", "expires_in": 3600 } | N/A (no refresh token in this flow) | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "JHuytGdfKm", "token_type": "Bearer", "refresh_token": "JHuytGdfKm", "expires_in": 3600 } | N/A (no refresh token in this flow) |
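The client side of the exchanges in the two tables above, written as an added example that is not part of this appendix and not code from any particular OAuth 2 library. It shows the points the tables leave implicit: the state value is generated per request and checked on the way back, the code flow returns its parameters in the query string while the implicit flow returns them in the URL fragment, and the token request body is form-encoded so that a password containing `&` does not become a second parameter. The authorisation and token endpoint host is the one shown in the tables; the redirect URI, client secret, state and token values are constructed sample values (the Basic header in the test uses the sample client credentials from RFC 6749, not real ones).

```python
# Added example (not part of the original appendix): client-side construction
# and parsing of the OAuth 2 messages shown in the tables above, using only the
# Python standard library. All client ids, secrets and token values used with
# these functions are constructed sample values, not real credentials.
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://s1.health.govt.nz/authorize"  # host taken from the tables
TOKEN_ENDPOINT = "https://s1.health.govt.nz/token"


def new_state() -> str:
    """Unguessable per-request state; the client keeps it in the user session."""
    return secrets.token_urlsafe(16)


def authorize_url(response_type: str, client_id: str, redirect_uri: str,
                  state: str, scope: str = "") -> str:
    """Build the authorisation-endpoint request for the code or implicit grant."""
    params = {"response_type": response_type, "scope": scope,
              "client_id": client_id, "state": state, "redirect_uri": redirect_uri}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_redirect(location: str, expected_state: str) -> dict:
    """Parse the Location header the authorisation server sends back.

    The code grant returns its parameters in the query string; the implicit
    grant returns the access token in the URL fragment (RFC 6749 section 4.2.2),
    which the browser never sends to the server. The state must match the one
    this client generated, otherwise the response is rejected.
    """
    parts = urlsplit(location)
    raw = parts.fragment if parts.fragment else parts.query
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    return params


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication used on the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request_body(grant_type: str, **fields) -> str:
    """Form-encode the token request body.

    urlencode() escapes reserved characters, so a password such as 'wef8&967'
    is sent as wef8%26967 and cannot split the body into an extra parameter.
    Parameter names are lower-case: OAuth 2 parameter names are case-sensitive.
    """
    return urlencode({"grant_type": grant_type, **fields})


def parse_token_response(body: str) -> dict:
    """Read the JSON token response and check the fields every grant must return."""
    token = json.loads(body)
    for required in ("access_token", "token_type"):
        if required not in token:
            raise ValueError(f"token response missing {required}")
    if token["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type")
    return token


def bearer_header(token: dict) -> str:
    """Authorization header for the resource-server call."""
    return "Bearer " + token["access_token"]
```

The same `token_request_body` call covers the refresh row of the second table (`token_request_body("refresh_token", refresh_token=...)`); the response is parsed with `parse_token_response` exactly as for the first issue.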
OpenID Connect Implicit and Hybrid
OpenID Connect can work with all the existing OAuth 2.0 grant types, but the Resource Owner Password Credential flow and the Client Credential flow are not normally run as an OpenID Connect flow.
OpenID Connect has the following key flows:
- Authorisation Code Grant Flow
- Implicit flow - id_token token
- Implicit flow - id_token
- Hybrid Flow - code id_token token
- Hybrid Flow - code id_token
- Hybrid Flow - code token
| End Points | Authorisation Code Flow | Implicit Flow id_token token | Implicit Flow id_token | Hybrid code id_token token | Hybrid code id_token | Hybrid code token |
|---|---|---|---|---|---|---|
| Authorisation endpoint (client to OAuth 2 server) | GET /authorize?response_type=code&scope=openid&client_id=healthabc&state=a4e0761eK8c21&redirect_uri=https%3A%2f%2F HTTP/1.1 | GET /authorize?response_type=id_token%20token&scope=openid&client_id=healthabc&state=a4e0761eK8c21&nonce=gfTU879F4&redirect_uri=https%3A%2f%2F HTTP/1.1 | GET /authorize?response_type=id_token&scope=openid&client_id=healthabc&state=a4e0761eK8c21&nonce=gfTU879F4&redirect_uri=https%3A%2f%2F HTTP/1.1 | GET /authorize?response_type=code%20id_token%20token&scope=openid%20profile%20email&client_id=healthabc&state=a4e0761eK8c21&nonce=gfTU879F4&redirect_uri=https%3A%2f%2F HTTP/1.1 | GET /authorize?response_type=code%20id_token&scope=openid&client_id=healthabc&state=a4e0761eK8c21&nonce=gfTU879F4&redirect_uri=https%3A%2f%2F HTTP/1.1 | GET /authorize?response_type=code%20token&scope=openid&client_id=healthabc&state=a4e0761eK8c21&nonce=gfTU879F4&redirect_uri=https%3A%2f%2F HTTP/1.1 (nonce is required in the implicit and hybrid flows) |
| Redirect URL to client | HTTP/1.1 302 Found Location: https://...?code=SpixdfghgeQQrkskfHiL75T&state=a4e0761eK8c21 | HTTP/1.1 302 Found Location: https://...#access_token=a4e0761eK8c24&token_type=bearer&state=a4e0761eK8c21&id_token=eyJ... | HTTP/1.1 302 Found Location: https://...#id_token=eyJ...&state=a4e0761eK8c21 | HTTP/1.1 302 Found Location: https://...#code=SpixdfghgeQQrkskfHiL75T&access_token=a4e0761eK8c24&token_type=bearer&state=a4e0761eK8c21&id_token=eyJ... | HTTP/1.1 302 Found Location: https://...#code=SpixdfghgeQQrkskfHiL75T&id_token=eyJ...&state=a4e0761eK8c21 | HTTP/1.1 302 Found Location: https://...#code=SpixdfghgeQQrkskfHiL75T&access_token=a4e0761eK8c24&token_type=bearer&state=a4e0761eK8c21 |
| Token endpoint (client to OAuth 2 server) | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=authorization_code&code=SpixdfghgeQQrkskfHiL75T&redirect_uri=https%3A%2f%2F | N/A (access token returned from the authorisation endpoint call) | N/A (no access token is issued; only an id_token is returned from the authorisation endpoint call) | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=authorization_code&code=SpixdfghgeQQrkskfHiL75T&redirect_uri=https%3A%2f%2F | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=authorization_code&code=SpixdfghgeQQrkskfHiL75T&redirect_uri=https%3A%2f%2F | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=authorization_code&code=SpixdfghgeQQrkskfHiL75T&redirect_uri=https%3A%2f%2F |
| Response to client | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SFRuiJhfeUnb", "token_type": "Bearer", "refresh_token": "JkiOlpvbErW", "expires_in": 3600, "id_token": "eyJ..." } | N/A (access token returned from the authorisation endpoint call) | N/A (no access token is issued; only an id_token is returned from the authorisation endpoint call) | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SFRuiJhfeUnb", "token_type": "Bearer", "refresh_token": "JkiOlpvbErW", "expires_in": 3600, "id_token": "eyJ..." } | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SFRuiJhfeUnb", "token_type": "Bearer", "refresh_token": "JkiOlpvbErW", "expires_in": 3600, "id_token": "eyJ..." } | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "SFRuiJhfeUnb", "token_type": "Bearer", "refresh_token": "JkiOlpvbErW", "expires_in": 3600, "id_token": "eyJ..." } |
| Resource server request from client | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb | N/A (no access token is issued in this flow) | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb | GET /api HTTP/1.1 Host: server Authorization: Bearer SFRuiJhfeUnb |
| Response from resource server to client | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } | N/A (no access token is issued in this flow) | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } | HTTP/1.1 200 OK Content-Type: application/json { "info": "details" } |
Refresh Token OpenID Connect
| End Points | Authorisation Code Flow | Implicit Flow id_token token | Implicit Flow id_token | Hybrid code id_token token | Hybrid code id_token | Hybrid code token |
|---|---|---|---|---|---|---|
| Refresh token request from client to token endpoint | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=refresh_token&refresh_token=JkiOlpvbErW | N/A (no refresh token in this flow) | N/A (no refresh token in this flow) | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=refresh_token&refresh_token=JkiOlpvbErW | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=refresh_token&refresh_token=JkiOlpvbErW | POST /token HTTP/1.1 Host: s1.health.govt.nz Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0Msdasdasd grant_type=refresh_token&refresh_token=JkiOlpvbErW |
| Response to client | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "JHuytGdfKm", "token_type": "Bearer", "refresh_token": "JHuytGdfKm", "expires_in": 3600 } | N/A (no refresh token in this flow) | N/A (no refresh token in this flow) | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "JHuytGdfKm", "token_type": "Bearer", "refresh_token": "JHuytGdfKm", "expires_in": 3600 } | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "JHuytGdfKm", "token_type": "Bearer", "refresh_token": "JHuytGdfKm", "expires_in": 3600 } | HTTP/1.1 200 OK Content-Type: application/json { "access_token": "JHuytGdfKm", "token_type": "Bearer", "refresh_token": "JHuytGdfKm", "expires_in": 3600 } |
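What the OpenID Connect tables above add to plain OAuth 2 is the id_token and the nonce that binds it to the client's request. The following is an added example, not part of this appendix and not code from any OpenID Connect library, of a relying party parsing the fragment-based redirect of the implicit and hybrid flows and validating the id_token it carries: signature first, then issuer, audience, expiry and nonce. To stay self-contained it mints its own HS256 id_token with a constructed client secret (OpenID Connect Core 10.1 uses the client_secret as the HS256 key); the issuer, client id, nonce and token values are sample values, and a real client takes the signing key and algorithm from the provider's discovery document and JWKS, which is usually RS256.

```python
# Added example (not part of the original appendix): relying-party validation of
# the id_token returned by the OpenID Connect implicit and hybrid flows, using
# only the Python standard library. Issuer, client id, secret, nonce and token
# values are constructed sample values.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, client_secret: str) -> str:
    """Mint an HS256-signed id_token so the example can run offline.

    In practice the provider signs the token; the client only verifies it.
    """
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, client_secret: str, issuer: str,
                    client_id: str, expected_nonce: str, now=None) -> dict:
    """Verify the signature, then the claims OpenID Connect Core 3.2.2.11 requires."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed id_token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never accept "none" or an alg the provider did not advertise.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    # The nonce ties this id_token to the authorisation request this client sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed id_token")
    return claims


def parse_oidc_redirect(location: str, expected_state: str) -> dict:
    """Implicit and hybrid responses carry their parameters in the URL fragment;
    the plain authorisation code flow uses the query string."""
    parts = urlsplit(location)
    raw = parts.fragment or parts.query
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")
    return params
```

For the hybrid flows that return a code or access token alongside the id_token, a relying party additionally checks the c_hash and at_hash claims against the returned code and token; that step is not shown here.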