
The OIDC authentication flow can be described as follows:

Posted: Wed Jan 22, 2025 8:57 am
by sohanuzzaman56
1. The user accesses the service provider (RP) URL and selects the OpenID to use.
2. RP provides the Client ID to the identity provider (OP).
3. RP points the browser to the SSO URL and provides the Client ID.
4. The browser redirects to the SSO URL with the Client ID.
5. OP reads the authorization code and requests user authentication.
6. OP brings up the login page.
7. The browser engine enters the credentials into the OP.
8. OP authenticates the user, then brings up the user consent page and asks for consent.
9. The browser engine gives consent.
10. OP gives the authorization code to the browser engine.
11. The browser engine provides the authorization code to the RP.
12. RP provides the authorization code to the OP to get the ID token and validate the user.
13. OP submits the authorization code to request the ID, access, and refresh tokens.
14. RP provides login access.
b. How to choose an OpenID identity provider for your mobile app development?
Since OpenID is accessible to anyone, you can choose from several popular identity providers, such as Google, Facebook, and Microsoft, as needed. This is different if you need SSO to be authenticated in a group of applications that you develop. For example, service provider A has groups of service applications B and C that have different user databases and authorization functions. Here, A acts as an identity provider for B and C.

If you experience such cases, you can integrate your application with a third-party identity provider. Most identity providers already support the use of SAML and OpenID together.

In short, OpenID modernizes SAML, which already exists and is used by most applications. However, enterprise identity providers generally already support both standards.

Kerberos
Kerberos, named after Cerberus, the three-headed dog that guards the gates to Hades, is an authentication protocol developed by the Massachusetts Institute of Technology (MIT). Introduced in the 1980s, it was developed as a solution for user authentication in a large, distributed network. It uses a secret key with a complex algorithm.

a. How Kerberos Works
At the beginning of the process, Kerberos asks the user for credentials to obtain a Kerberos ticket-granting ticket (TGT). Additional software applications that require authentication, such as wikis, revision control systems, and email clients, use the TGT to obtain a service ticket. The ticket is then used to prove the user's identity to the email server or other services without having to ask the user to enter credentials again.

On Windows, the flow is: Windows login -> get TGT -> get service ticket from Active Directory -> user logs in. On Linux, the flow is: login via the Kerberos PAM module -> get TGT -> client applications like Firefox, SVX, and Evolution use the service ticket -> user logs in without re-authenticating.