# Application-native authentication

Application-native authentication is an extension to the OAuth 2.0 protocol that lets users authenticate to native and mobile applications without being redirected to a web browser. The sections below explain the endpoints involved in app-native authentication, the authentication API, and how developers can protect app-native authentication requests.

# How does it work?

This section looks at the general steps that are involved during application native authentication.

  1. The application initiates an app-native authentication request. This is a regular OAuth 2.0 authorization code request with response_mode set to direct, as shown below.

    Sample request

    ```bash
    curl --location 'https://localhost:9443/oauth2/authorize/' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=<client_id>' \
    --data-urlencode 'response_type=<response_type>' \
    --data-urlencode 'redirect_uri=<redirect_url>' \
    --data-urlencode 'state=<state>' \
    --data-urlencode 'scope=<space separated scopes>' \
    --data-urlencode 'response_mode=direct'
    ```

    Example

    ```bash
    curl --location 'https://localhost:9443/oauth2/authorize/' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=VTs12Ie26wb8HebnWercWZiAhMMa' \
    --data-urlencode 'response_type=code' \
    --data-urlencode 'redirect_uri=https://example-app.com/redirect' \
    --data-urlencode 'state=logpg' \
    --data-urlencode 'scope=openid internal_login' \
    --data-urlencode 'response_mode=direct'
    ```
  2. In return, the application receives a response that contains the flowId parameter. The application then sends a POST request to the /authn endpoint with a payload as shown below.

    In app-native authentication, after the initial request to the /authorize endpoint, all subsequent requests are made to the /authn endpoint. The flowId parameter binds each request made to the /authn endpoint to the initial request.

    Sample request

    ```json
    {
        "flowId": "{flowId received from the initial response}",
        "selectedAuthenticator": {
            "authenticatorId": "{authenticator id for the selected authenticator}",
            "params": {
                "{requested parameters from the authenticator}"
            }
        }
    }
    ```

    Example

    ```json
    {
        "flowId": "93fd1740-d7b3-4ddb-820d-2ac6d3ce188f",
        "selectedAuthenticator": {
            "authenticatorId": "QmFzaWNBdXRoZW50aWNhdG9yOkxPQ0FM",
            "params": {
                "username": "admin",
                "password": "admin"
            }
        }
    }
    ```
  3. The authentication flow completes when the application receives an OAuth 2.0 authorization code, together with the other relevant OAuth 2.0 artifacts, in JSON format as shown below.

    ```json
    {
        "code": "6ff8b7e1-01fc-39b9-b56d-a1f5826e6d2a",
        "state": "logpg",
        "session_state": "43b1ffc92c8d349942e99bd0270fca05f934ad6f612b27f40a5fa60b96bd093c.iD4RK8Etr4XruxnYMEvcKQ"
    }
    ```
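The three steps above as one client-side routine, written here as an added example rather than code from the product documentation. It assumes the /authn endpoint is served at /oauth2/authn, that the first response carries at least flowId, and it takes the HTTP transport as a callable so the exchange can be exercised without a server; the state check at the end is what ties the final response back to the request the client actually sent.

```python
import secrets
from urllib.parse import urlencode

# The authorize URL is the one on the page; the /authn path and the shape of the
# first response beyond "flowId" are assumptions of this example.
AUTHORIZE_URL = "https://localhost:9443/oauth2/authorize/"
AUTHN_URL = "https://localhost:9443/oauth2/authn"
FORM_HEADERS = {"Accept": "application/json",
                "Content-Type": "application/x-www-form-urlencoded"}
JSON_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def authorize_body(client_id, redirect_uri, scopes, state):
    """Step 1 body: an ordinary authorization-code request plus response_mode=direct,
    which makes the server answer with JSON instead of a browser redirect."""
    return urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
        "response_mode": "direct",
    })


def authn_payload(flow_id, authenticator_id, params):
    """Step 2 body: flowId binds this /authn request to the flow opened in step 1."""
    return {"flowId": flow_id,
            "selectedAuthenticator": {"authenticatorId": authenticator_id,
                                      "params": params}}


def run_flow(post, client_id, redirect_uri, scopes, authenticator_id, params):
    """Drive steps 1 to 3. post(url, headers, body) is the HTTP transport and
    returns the decoded JSON response, so the flow can be exercised offline."""
    state = secrets.token_urlsafe(16)  # fresh and unguessable, one per flow
    first = post(AUTHORIZE_URL, FORM_HEADERS,
                 authorize_body(client_id, redirect_uri, scopes, state))
    final = post(AUTHN_URL, JSON_HEADERS,
                 authn_payload(first["flowId"], authenticator_id, params))
    # Step 3: accept the code only if the echoed state is the one this flow sent,
    # so a result belonging to another flow cannot be spliced into this one.
    if final.get("state") != state:
        raise ValueError("state mismatch: response does not belong to this flow")
    if "code" not in final:
        raise ValueError("flow ended without an authorization code")
    return final["code"]
```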