CyberArk Identity performs authentication to log in to the end-user or to determine if the user is already logged in. The authentication result is then securely returned to the client so that the client can rely on it. For this reason, the client is also called a relying party. The authentication result is returned in an ID token.
The RP can obtain the ID token and access token using authorization flows. The authorization flow depends on the type of RP. OpenID Connect supports three authorization flows:
Authorization Flow with PKCE is a variant of authorization code flow where instead of client secret, code challenge and code verifier are used. The PKCE flow is recommended for public clients such as SPAs and mobile applications, as client secrets need not be maintained.
Implicit flow: Use the Implicit Flow flow for applications that cannot maintain the secrecy of a client secret (for example, browser-based applications). The application obtains an access token directly in an authorization request (via a redirect), over a secure communication channel, with no intermediate authorization code requested or returned.
Hybrid flow: Use a combination of the previous two authorization flows for applications that can maintain the secrecy of a client secret but don't require the use of a client ID/secret.
The flow used is determined by the response_type value contained in the Authorization Request. These response_type values select these flows:
|code||Authorization code flow|
|id_token token||Implicit flow|
|code token||Hybrid flow|
|code token id_token||Hybrid flow|
|code id_token||Hybrid flow|
Updated 9 months ago