Users connecting services to the eduTEAMS Service using OpenID Connect (OIDC) will need to choose which Grants their services need. This page and the following table present guidance for the recommended and supported configurations.

References to the specifications:

A service will typically act as a confidential client and will authenticate with its client-id and client-secret using client_secret_basic or client_secret_post.

Non-confidential clients are marked as "public". These services are usually web-based applications without a backend. According to best practices these clients should support PKCE.

Notice that multiple grants can be selected. However, requesting all Grants is not a valid request (it cannot work).

It is common to request the authorization_code grant alone, or along with the refresh_token grant. This is normal and this is what most clients should look like.
Some clients will request the authorization_code grant and they will be public clients (i.e., web applications). We encourage those clients to support PKCE.

The device-code grant is not common. Only public clients will request this grant.

The token-exchange grant should only be used by advanced clients. This is expected to be requested rarely. This grant will be requested along with the authorization_code grant and maybe the refresh_token grant. These clients will not be public clients.

Requesting the implicit grant should be very-very-very rare. If implicit is used then no other grant type should be used.
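The grant rules above written as a pre-registration check. This is an added example, not part of the eduTEAMS documentation: the function name, the `public` and `pkce` parameters and the error/warning split are assumptions made for illustration, and the sample requests are constructed.

```python
# Added example: lint a requested OIDC client configuration against the
# grant guidance on this page. Names and severities are hypothetical.
ALL_GRANTS = {"authorization_code", "refresh_token", "device_code",
              "token-exchange", "implicit"}

def lint_client(grants, public, pkce):
    """Return a list of (severity, message) findings for one client request."""
    grants = set(grants)
    findings = []
    unknown = grants - ALL_GRANTS
    if unknown:
        findings.append(("error", f"unknown grant(s): {sorted(unknown)}"))
    if grants == ALL_GRANTS:
        findings.append(("error", "requesting all grants is not a valid request"))
    if "implicit" in grants:
        if len(grants) > 1:
            findings.append(("error", "implicit must not be combined with other grants"))
        findings.append(("warning", "implicit should be very rare"))
    if "device_code" in grants and not public:
        findings.append(("warning", "device_code is expected only from public clients"))
    if "token-exchange" in grants:
        if "authorization_code" not in grants:
            findings.append(("error", "token-exchange is requested along with authorization_code"))
        if public:
            findings.append(("error", "token-exchange clients are not public clients"))
    if "authorization_code" in grants and public and not pkce:
        findings.append(("warning", "public authorization_code client should support PKCE"))
    return findings

def severities(findings):
    """Helper: just the severity of each finding, in order."""
    return [sev for sev, _ in findings]

if __name__ == "__main__":
    # Constructed sample requests: (label, grants, public, pkce)
    samples = [
        ("typical backend", {"authorization_code", "refresh_token"}, False, False),
        ("SPA without PKCE", {"authorization_code"}, True, False),
        ("implicit plus code", {"implicit", "authorization_code"}, True, True),
        ("public token-exchange", {"authorization_code", "token-exchange"}, True, True),
    ]
    for label, grants, public, pkce in samples:
        print(label, "->", lint_client(grants, public, pkce) or "ok")
```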

OIDC Client Configuration Options

| Grants | response_types | offline_access | Client authentication methods | PKCE |
|---|---|---|---|---|
| authorization_code | code | false | client_secret_basic and client_secret_post | false |
| authorization_code | code | false | client_secret_basic and client_secret_post | true |
| authorization_code | code | false | public | false |
| authorization_code | code | false | public | true |
| authorization_code and refresh_token | code | true | client_secret_basic and client_secret_post | false |
| authorization_code and refresh_token | code | true | client_secret_basic and client_secret_post | true |
| authorization_code and refresh_token | code | true | public | true |
| authorization_code and token-exchange | code | false | client_secret_basic and client_secret_post | false |
| authorization_code and token-exchange | code | false | client_secret_basic and client_secret_post | true |
| authorization_code and token-exchange | code | false | public | true |
| authorization_code and refresh_token and token-exchange | code | true | client_secret_basic and client_secret_post | false |
| authorization_code and refresh_token and token-exchange | code | true | public | true |
| device_code | | false | public | false |
| device_code and refresh_token | | true | public | false |
| implicit | id_token token | false | public | false |