PingIDM 7.5.0

OpenID connect authorization code flow

Social authentication is deprecated and will be removed in a future release of IDM. For more information, refer to Deprecation.

The OpenID Connect Authorization Code Flow specifies how IDM (Relying Party) interacts with the OpenID Provider (Social ID Provider), based on the use of the OAuth 2.0 authorization grant. The following sequence diagram illustrates successful processing from the authorization request, through grant of the authorization code, access token, ID token, and provisioning from the social identity provider to IDM.

IDM supports OpenID Connect for Social Identity Providers
Figure 1. IDM supports OpenID Connect for Social Identity Providers

The following list describes details of each item in the authorization flow:

  1. A user navigates to the IDM End User UI, and selects the Sign In link for the desired social identity provider.

  2. IDM prepares an authorization request.

  3. IDM sends the request to the Authorization Endpoint that you configured for the social identity provider, with a Client ID.

  4. The social identity provider requests end user authentication and consent.

  5. The end user transmits authentication and consent.

  6. The social identity provider sends a redirect message, with an authorization code, to the end user’s browser. The redirect message goes to an oauthReturn endpoint, configured in ui.context-oauth.json in your project’s conf/ directory.

    When you configure a social identity provider, you’ll find the endpoint in the applicable configuration file with the following property: redirectUri.

  7. The browser transmits the redirect message, with the authorization code, to IDM.

  8. IDM records the authorization code, and sends it to the social identity provider Token Endpoint.

  9. The social identity provider token endpoint returns access and ID tokens.

  10. IDM validates the token, and sends it to the social identity provider User Info Endpoint.

  11. The social identity provider responds with information on the user’s account, that IDM can provision as a new Managed User.

You’ll configure these credentials and endpoints, in some form, for each social identity provider.