OpenIddict is an extensible OpenID Connect and OAuth 2.0 framework for ASP.NET Core. It provides the necessary infrastructure to implement an authorization server, a client, and a resource server. To achieve this, OpenIddict relies on several key entities that represent different aspects of the OAuth 2.0 and OpenID Connect specifications.
OpenIddict Entities
OpenIddict primarily uses the following entities (or their underlying data models) to manage the state and configuration of your authorization server:
OpenIddictApplication
The OpenIddictApplication entity represents a client application that can request tokens from your OpenIddict server.
- Purpose: Stores information about registered clients, such as their
ClientId,ClientSecret,RedirectUris,PostLogoutRedirectUris,Permissions(what flows/endpoints/scopes they’re allowed to use), andDisplayName. - Usage in Flows:
- Authorization Flow: When a client initiates an authorization request, OpenIddict validates the
ClientIdandRedirectUriagainst the registeredOpenIddictApplicationentry. - Token Flow: For confidential clients, the
ClientSecretis validated during the token exchange. ThePermissionsassociated with the application determine which grant types it can use. - Introspection Flow: An API (acting as an introspection client) would typically authenticate itself using its
ClientIdandClientSecret(or other means) to call the introspection endpoint. - Revocation Flow: Similar to introspection, the client requesting token revocation identifies itself via its
ClientIdandClientSecret. - Logout Flow: The
PostLogoutRedirectUrisare used to redirect the user back to the client after a successful logout.
- Authorization Flow: When a client initiates an authorization request, OpenIddict validates the
OpenIddictAuthorization
The OpenIddictAuthorization entity represents a grant of consent given by a resource owner (user) to a client application for a set of scopes.
- Purpose: Tracks user consents for applications, preventing the need to prompt the user for consent repeatedly for the same scopes. Authorizations can be “permanent” (explicitly granted by a developer or sysadmin) or “ad-hoc” (automatically created by OpenIddict to link a chain of tokens for security purposes, e.g., in the authorization code flow).
- Usage in Flows:
- Authorization Flow: If a permanent authorization already exists for the requesting client and scopes, OpenIddict might bypass the consent screen, streamlining the user experience. Ad-hoc authorizations are created to link authorization codes to subsequent access/refresh tokens.
- Token Flow: When exchanging an authorization code for tokens, OpenIddict might associate the new tokens with an existing ad-hoc authorization.
- Revocation Flow: Revoking an authorization can invalidate all tokens associated with that authorization.
OpenIddictScope
The OpenIddictScope entity represents a permission or a group of permissions that a client can request on behalf of a user.
- Purpose: Defines the various scopes (e.g.,
openid,profile,email, custom API scopes) that can be granted. It also allows associating resources with scopes. - Usage in Flows:
- Authorization Flow: The client requests specific
scopes, and the user is typically presented with these scopes for consent. TheOpenIddictAuthorizationthen records the granted scopes. - Token Flow: The scopes granted in the authorization flow are included in the issued access token, defining the permissions the client has when accessing protected resources.
- UserInfo Flow: The scopes like
openid,profile,emaildetermine which claims are included in the UserInfo response.
- Authorization Flow: The client requests specific
OpenIddictToken
The OpenIddictToken entity represents various types of tokens issued by the authorization server.
- Purpose: Stores information about issued
Authorization Codes,Access Tokens,Refresh Tokens,Identity Tokens, andDevice Codes. This allows for their lookup, validation, and revocation. OpenIddict supports both JWT (JSON Web Token) and opaque reference tokens. - Usage in Flows:
- Authorization Flow: An
Authorization Codeis issued and stored, linking back to theOpenIddictApplicationandOpenIddictAuthorization. - Token Flow: The
Authorization Codeis exchanged for anAccess Tokenand optionally aRefresh TokenandIdentity Token. These tokens are stored (unless token storage is explicitly disabled) and linked to theOpenIddictApplicationandOpenIddictAuthorization. - Introspection Flow: An introspection request involves looking up an
Access Tokenin theOpenIddictTokenstore to determine its validity and associated claims. - Revocation Flow: A revocation request explicitly targets an
Access TokenorRefresh Tokento mark it as invalid in theOpenIddictTokenstore, preventing its future use.
- Authorization Flow: An
Main OpenIddict Flows and Entity Usage
Here’s how these entities are used in the core OAuth 2.0 and OpenID Connect flows supported by OpenIddict:
1. Authorization Code Flow
This is the most common and recommended flow for web applications and mobile apps.
- Step 1: Authorization Request (Client to Authorization Server) ➡️
- The client redirects the user’s browser to the authorization endpoint, including parameters like
client_id,redirect_uri,response_type=code, andscope. OpenIddictApplication: OpenIddict validates theclient_idandredirect_uriagainst the registeredOpenIddictApplicationentries. It also checks if the requestedscopes are permitted for this application.
- The client redirects the user’s browser to the authorization endpoint, including parameters like
- Step 2: User Authentication & Consent (User with Authorization Server) 👨💻✅
- If the user isn’t authenticated, they’re redirected to a login page (handled by your application, not OpenIddict directly).
- If no prior consent exists for the requested scopes, OpenIddict prompts the user for consent.
OpenIddictAuthorization: If the user grants consent, a newOpenIddictAuthorizationentry (or an existing one is updated) is created/retrieved, recording the user’s approval for the client to access the specified scopes.
- Step 3: Authorization Code Grant (Authorization Server to Client) 📝
- OpenIddict generates a short-lived
Authorization Code. OpenIddictToken: AnOpenIddictTokenentry is created to store thisAuthorization Code, linked to theOpenIddictApplicationandOpenIddictAuthorization.- The user’s browser is redirected back to the
redirect_uriwith theAuthorization Code.
- OpenIddict generates a short-lived
- Step 4: Token Request (Client to Authorization Server) 🔑
- The client makes a back-channel request to the token endpoint, exchanging the
Authorization Code(andclient_secretfor confidential clients) for tokens. OpenIddictApplication: Theclient_idandclient_secretare validated against theOpenIddictApplication.OpenIddictToken: OpenIddict validates theAuthorization Codeby looking it up in theOpenIddictTokenstore. If valid, it then issues anAccess Tokenand optionally aRefresh TokenandIdentity Token. These new tokens are also stored asOpenIddictTokenentries, often linked to the originalOpenIddictAuthorizationandOpenIddictApplication.
- The client makes a back-channel request to the token endpoint, exchanging the
- Step 5: Resource Access (Client to Resource Server) 🛡️
- The client uses the
Access Tokento call protected APIs on a resource server.
- The client uses the
2. Client Credentials Flow
This flow is used when a client (e.g., a service or daemon) needs to access resources it owns, without any user involvement.
- Step 1: Token Request (Client to Authorization Server) 🔑
- The client sends a request directly to the token endpoint with its
client_idandclient_secret, andgrant_type=client_credentials. OpenIddictApplication: OpenIddict validates theclient_idandclient_secretagainst theOpenIddictApplicationentity. It also checks if the application has permission to use the “client credentials” grant type and any requested scopes.OpenIddictToken: If valid, OpenIddict issues anAccess Tokenand stores it as anOpenIddictTokenentry, linked to theOpenIddictApplication.
- The client sends a request directly to the token endpoint with its
- Step 2: Resource Access (Client to Resource Server) 🛡️
- The client uses the
Access Tokento call protected APIs.
- The client uses the
3. Refresh Token Flow
Used to obtain new access tokens when existing ones expire, without requiring the user to re-authenticate.
- Step 1: Token Request (Client to Authorization Server) 🔄
- The client sends a request to the token endpoint with a
refresh_tokenandgrant_type=refresh_token. OpenIddictApplication: OpenIddict validates the client requesting the refresh.OpenIddictToken: OpenIddict validates the providedrefresh_tokenby looking it up in theOpenIddictTokenstore. If valid and not revoked, it issues a newAccess Token(and optionally a newRefresh Token). Both the new and potentially the old tokens are updated/stored asOpenIddictTokenentries. The originalRefresh Tokenmight be invalidated, or a new one issued.OpenIddictAuthorization: The new tokens are typically linked to the existingOpenIddictAuthorizationthat granted the original refresh token.
- The client sends a request to the token endpoint with a
4. Introspection Flow
Allows resource servers to determine the active state and contents of an access token.
- Step 1: Introspection Request (Resource Server to Authorization Server) 🕵️
- A resource server receives an access token and sends it to the introspection endpoint along with its own client credentials.
OpenIddictApplication: The resource server’sclient_idandclient_secretare validated against itsOpenIddictApplicationentry to ensure it has permission to perform introspection.OpenIddictToken: OpenIddict looks up the provided access token in theOpenIddictTokenstore. If found and active, it returns information about the token, such as its active status, associated claims, and expiration.
5. Revocation Flow
Allows clients to revoke previously issued access or refresh tokens.
- Step 1: Revocation Request (Client to Authorization Server) ❌
- The client sends a request to the revocation endpoint with the token to be revoked (access token or refresh token) and its client credentials.
OpenIddictApplication: The client’sclient_idandclient_secretare validated against itsOpenIddictApplicationentry to ensure it has permission to revoke tokens.OpenIddictToken: OpenIddict finds the specified token in theOpenIddictTokenstore and marks it as revoked, preventing its further use.OpenIddictAuthorization: If the revoked token was aRefresh Tokenor anAuthorization Codethat was part of an ad-hoc authorization, OpenIddict might also revoke other associated tokens or the authorization itself to maintain security and consistency.
6. UserInfo Flow (OpenID Connect Specific)
Allows clients to retrieve claims about the authenticated end-user.
- Step 1: UserInfo Request (Client to UserInfo Endpoint) ℹ️
- After obtaining an access token (usually from the Authorization Code Flow), the client makes a GET or POST request to the UserInfo endpoint, including the
Access Tokenin the Authorization header. OpenIddictToken: OpenIddict validates theAccess Tokenby looking it up in theOpenIddictTokenstore (if configured for reference tokens) or by validating its signature and expiration (for JWTs).OpenIddictScope: The scopes granted for theAccess Token(stored inOpenIddictAuthorizationand represented byOpenIddictScopeentities) determine which user claims are returned in the UserInfo response (e.g.,profilescope for name, family name;emailscope for email address).
- After obtaining an access token (usually from the Authorization Code Flow), the client makes a GET or POST request to the UserInfo endpoint, including the
7. Logout Flow (OpenID Connect Specific)
Allows the user to log out from the authorization server and potentially all connected clients.
- Step 1: End Session Request (Client to Authorization Server) 👋
- The client redirects the user’s browser to the end session endpoint, optionally providing an
id_token_hintandpost_logout_redirect_uri. OpenIddictApplication: OpenIddict validates thepost_logout_redirect_uriagainst the registeredOpenIddictApplicationentry.OpenIddictToken: OpenIddict may use theid_token_hintto identify the user’s session and perform a server-side logout, potentially invalidating associatedOpenIddictTokenentries.- OpenIddict performs its internal logout logic (e.g., clearing server-side session data).
- The client redirects the user’s browser to the end session endpoint, optionally providing an
- Step 2: Redirection (Authorization Server to Client) 🔙
- The user’s browser is redirected back to the
post_logout_redirect_urion the client. The client then performs its own local logout.
- The user’s browser is redirected back to the
These entities and their interactions are fundamental to how OpenIddict manages the security and identity aspects of your applications, providing a robust and flexible framework for implementing OAuth 2.0 and OpenID Connect.