Mobile applications belong to the group that the OpenID Connect documentation calls Native Applications. They have very similar security properties to browser-based applications, but they are considered somewhat easier to secure because the platform usually offers stronger support for protecting data and isolating applications. For this flow you get a client id configured for the authorization_code flow. Classic web applications that render content on the server can also use this flow.
This flow uses the token endpoint, so part of the communication between the client and the identity provider does not go through the user's browser.
1. When the user tries to access the client application, the client application makes a GET request to the authorize endpoint.
2. As a result, the user sees the login screen of our identity provider, where they enter their credentials.
3. After the credentials are verified, the user is redirected to the predefined client redirect URL, and at this point the client application captures the authorization code from the URL parameter.
4. The authorization code cannot be used to call APIs. It is used to make a POST request that obtains an access token. This call does not go through the user's browser; it is direct communication between the client and the identity provider.
5. The response to the previous call is a JSON payload with the access token, which can be used to call the KS Connect API.
If the GET request in step 1 contains the scope offline_access, the response in step 5 will include a refresh token in addition to the access token.
https://identity-server-url/connect/authorize?response_type=code&scope=user_api.full_access+offline_access&client_id=73e9cf0d-561a-11e9-9b32-000d3a46a880&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback
* This is an example call without a real client id.
Because the refresh token has a much longer lifetime, it can be used to obtain another access token with a POST call to the token endpoint.
POST connect/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9pZF9zZWNydGV0

grant_type=refresh_token&refresh_token=a53c5843c5134c3476c9be0612f10429ec4430d56104
* This is an example call without a real client id.
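The whole flow above (authorize URL, code capture on the redirect, direct POST to connect/token, refresh with the Basic-authenticated refresh_token call) as an added client-side example; this is not code from the identity provider or the page. It assumes the placeholder host https://identity-server-url from the page, and that the code exchange uses the standard grant_type=authorization_code form fields (code, redirect_uri), which the page does not spell out.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

IDP = "https://identity-server-url"  # placeholder host from the page, not a real server


def build_authorize_url(client_id, redirect_uri, scopes):
    """Step 1: the GET the client sends the user's browser to (response_type=code)."""
    params = {"response_type": "code", "scope": " ".join(scopes),
              "client_id": client_id, "redirect_uri": redirect_uri}
    return f"{IDP}/connect/authorize?{urlencode(params)}"


def extract_code(callback_url, registered_redirect_uri):
    """Step 3: pull the code out of the redirect URL, but only if the callback
    actually landed on the redirect URI registered for this client."""
    got, want = urlparse(callback_url), urlparse(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive on the registered redirect_uri")
    codes = parse_qs(got.query).get("code")
    if not codes:
        raise ValueError("no authorization code in callback")
    return codes[0]


def token_request(client_id, client_secret, **form):
    """Direct POST to connect/token (never through the browser).
    Returns (path, headers, body) ready for any HTTP client."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    return "connect/token", headers, urlencode(form)


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Step 4: trade the one-time code for tokens (field names are the OAuth 2.0 standard ones, assumed)."""
    return token_request(client_id, client_secret, grant_type="authorization_code",
                         code=code, redirect_uri=redirect_uri)


def refresh(client_id, client_secret, refresh_token):
    """The refresh call shown on the page: grant_type=refresh_token."""
    return token_request(client_id, client_secret, grant_type="refresh_token",
                         refresh_token=refresh_token)


def parse_token_response(body):
    """Step 5: JSON payload; refresh_token is only present if offline_access was requested."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(data.get("error", "token endpoint returned no access_token"))
    return data["access_token"], data.get("refresh_token")
```

Store the refresh token in the platform's protected storage (keychain/keystore) rather than in app preferences, since it is the long-lived credential in this flow.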