Authorization Code Flow for Authentication
This lesson discusses the authorization code flow for authentication.
The Authorization code flow for OpenID Connect is similar to the Authorization Code Flow that we discussed in the OAuth 2.0 chapter.
The only difference is the value of the scope field: it must contain openid as one of the values, followed by other scope values depending on what kind of user data the client wants.
Two questions can be raised here:
- What happens if the client does not include openid in the scope field when sending a request to the authorization server?
The answer is that in this case the flow works as a normal authorization code flow. The client app will not get access to the user information, because it will not receive an identity token.
- Can user information be fetched from the UserInfo endpoint by sending the access token in the request, even if openid was not provided in the scope field when the access token was requested?
The answer is NO. When we send a request to the token endpoint to fetch the access token, we must send openid in the scope field. We must also send other scope values, such as email or address, if we want that information. The access token that is returned is bound to the scope values that were sent with the request. When we call the UserInfo endpoint, only the user information that the access token is authorized to obtain is returned.
Let's say that while sending a request to the token endpoint, the scope value is "openid email". The client sends this request and gets an access token. If the client sends this access token to the UserInfo endpoint, it will get only email information. It will not get an address or any other information.
Authorization code flow types
There is only one type of authorization code flow. In this flow, the response_type is sent as code. Which tokens the client gets depends on what is sent in the scope attribute:
- If the scope contains openid: the lesson shows the flow diagram for this case.
- If the scope does not contain openid: the lesson shows the flow diagram for this case.
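To make the two cases concrete, here is an added example that is not part of the lesson: a small in-memory simulation of an OpenID Connect provider covering both the "scope contains openid" and "scope does not contain openid" paths described above, plus the UserInfo behaviour for a token requested with "openid email". The token format (plain random strings, a dict standing in for the signed identity token), the sample user record, the issuer URL and the in-memory stores are all assumptions for illustration; the scope-to-claims mapping follows the standard OIDC scopes.

```python
"""
Added example (not from the lesson): minimal simulation of an OpenID Connect
authorization server showing how the scope parameter decides (a) whether an
identity token is issued with the access token and (b) which claims the
UserInfo endpoint returns for that access token.
"""
import secrets

# Standard OIDC mapping of scope values to the claims they unlock at UserInfo.
SCOPE_CLAIMS = {
    "profile": ("name", "given_name", "family_name"),
    "email": ("email", "email_verified"),
    "address": ("address",),
    "phone": ("phone_number",),
}

# Constructed sample user record (assumption, not real data).
USERS = {
    "alice": {
        "sub": "248289761001",
        "name": "Alice Example",
        "given_name": "Alice",
        "family_name": "Example",
        "email": "alice@example.test",
        "email_verified": True,
        "address": {"country": "NL"},
        "phone_number": "+31 6 0000 0000",
    }
}

# In-memory stores standing in for the server's database (assumption).
_auth_codes = {}     # authorization code -> (sub, scopes)
_access_tokens = {}  # access token -> (sub, scopes)


def authorize(user, scope):
    """Authorization endpoint: record the requested scopes and issue a one-time code."""
    scopes = set(scope.split())
    if not scopes:
        raise ValueError("scope must not be empty")
    code = secrets.token_urlsafe(16)
    _auth_codes[code] = (USERS[user]["sub"], scopes)
    return code


def token(code):
    """Token endpoint: exchange the code; an id_token is issued only if 'openid' was requested."""
    sub, scopes = _auth_codes.pop(code)  # codes are single-use
    access_token = secrets.token_urlsafe(24)
    _access_tokens[access_token] = (sub, scopes)
    response = {"access_token": access_token, "token_type": "Bearer"}
    if "openid" in scopes:
        # A real provider returns a signed JWT here; a dict stands in for it.
        response["id_token"] = {"sub": sub, "iss": "https://op.example.test"}
    return response


def userinfo(access_token):
    """UserInfo endpoint: return only the claims the token's scopes authorize."""
    entry = _access_tokens.get(access_token)
    if entry is None:
        return {"error": "invalid_token"}
    sub, scopes = entry
    if "openid" not in scopes:
        # Plain OAuth 2.0 token: it was never authorized for identity claims.
        return {"error": "insufficient_scope"}
    user = next(u for u in USERS.values() if u["sub"] == sub)
    claims = {"sub": sub}
    for s in scopes:
        for claim in SCOPE_CLAIMS.get(s, ()):
            claims[claim] = user[claim]
    return claims


def run_flow(user, scope):
    """Drive the whole flow for one scope string; returns (token response, UserInfo result)."""
    code = authorize(user, scope)
    tok = token(code)
    return tok, userinfo(tok["access_token"])


if __name__ == "__main__":
    print(run_flow("alice", "openid email"))  # id_token present, only sub + email claims
    print(run_flow("alice", "email"))         # no id_token, UserInfo refuses
```

Running it shows the lesson's two outcomes side by side: with "openid email" the token response carries an id_token and UserInfo returns sub plus the email claims only (no address), while with "email" alone the flow degrades to ordinary OAuth 2.0, no identity token is issued, and UserInfo rejects the access token.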