# Application-native authentication
Application-native authentication is an extension to the OAuth 2.0 protocol that enables users to authenticate to native and mobile applications without being redirected to a web browser. The sections below explain the API involved in app-native authentication (the authentication API) and how developers can protect app-native authentication requests.
- Find detailed information on the Authentication API in the openAPI definition.
- Learn how to implement application-native authentication in the Add application-native login documentation.
# How does it work?
This section looks at the general steps that are involved during application native authentication.
The application initiates an app-native authentication request. This is a typical OAuth 2.0 authorization code request, but with `response_mode` set to `direct`, as shown below. Learn how to implement login using the authorization code flow.
Sample request

```bash
curl --location 'https://localhost:9443/oauth2/authorize/' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'response_type=<response_type>' \
--data-urlencode 'redirect_uri=<redirect_uri>' \
--data-urlencode 'state=<state>' \
--data-urlencode 'scope=<space separated scopes>' \
--data-urlencode 'response_mode=direct'
```

Example

```bash
curl --location 'https://localhost:9443/oauth2/authorize/' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=VTs12Ie26wb8HebnWercWZiAhMMa' \
--data-urlencode 'response_type=code' \
--data-urlencode 'redirect_uri=https://example-app.com/redirect' \
--data-urlencode 'state=logpg' \
--data-urlencode 'scope=openid internal_login' \
--data-urlencode 'response_mode=direct'
```
The application, in return, receives a response that contains the `flowId` parameter. The application then sends a POST request to the `/authn` endpoint with a payload as shown below.

In app-native authentication, after the initial request to the `/authorize` endpoint, subsequent requests are made to the `/authn` endpoint. The `flowId` parameter binds the requests made to the `/authn` endpoint to the initial request.

Sample request
```json
{
  "flowId": "{flowId received from the initial response}",
  "selectedAuthenticator": {
    "authenticatorId": "{authenticator id for the selected authenticator}",
    "params": {
      "{requested parameters from the authenticator}"
    }
  }
}
```

Example
```json
{
  "flowId": "93fd1740-d7b3-4ddb-820d-2ac6d3ce188f",
  "selectedAuthenticator": {
    "authenticatorId": "QmFzaWNBdXRoZW50aWNhdG9yOkxPQ0FM",
    "params": {
      "username": "admin",
      "password": "admin"
    }
  }
}
```

The authentication flow completes when the application receives an OAuth 2.0 authorization code, together with other relevant OAuth 2.0 artifacts, in JSON format as shown below.
```json
{
  "code": "6ff8b7e1-01fc-39b9-b56d-a1f5826e6d2a",
  "state": "logpg",
  "session_state": "43b1ffc92c8d349942e99bd0270fca05f934ad6f612b27f40a5fa60b96bd093c.iD4RK8Etr4XruxnYMEvcKQ"
}
```
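The three steps above from the client's side, as an added example that is not part of this documentation or the product's code: it builds the `/authorize` body with `response_mode=direct`, carries the `flowId` from the initial response into the `/authn` payload, and accepts the final response only when the echoed `state` matches the one the client generated. Server responses are constructed from the values shown on this page; no network calls are made, and the per-login `state` is generated with `secrets` rather than the fixed value used in the page's example.

```python
import secrets
from urllib.parse import urlencode

# Client values taken from the page's example request.
CLIENT_ID = "VTs12Ie26wb8HebnWercWZiAhMMa"
REDIRECT_URI = "https://example-app.com/redirect"


def new_state() -> str:
    """Unguessable per-login state; the client keeps it to check the final response."""
    return secrets.token_urlsafe(16)


def build_authorize_body(state: str, scopes=("openid", "internal_login")) -> str:
    """Form body of the initial request: an ordinary authorization-code request
    with response_mode=direct, so the result comes back as JSON instead of a redirect."""
    return urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": " ".join(scopes),
        "response_mode": "direct",
    })


def build_authn_payload(initial_response: dict, authenticator_id: str, params: dict) -> dict:
    """Payload for the POST to /authn. The flowId from the initial response binds
    this request to the flow that was started at /authorize; without it there is
    nothing to continue, so the client stops rather than guessing."""
    flow_id = initial_response.get("flowId")
    if not flow_id:
        raise ValueError("initial response carries no flowId; cannot continue the flow")
    return {
        "flowId": flow_id,
        "selectedAuthenticator": {"authenticatorId": authenticator_id, "params": params},
    }


def accept_final_response(final_response: dict, expected_state: str) -> str:
    """Return the authorization code only when the echoed state equals the one this
    client generated; a response with any other state is not ours and is discarded."""
    if final_response.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    code = final_response.get("code")
    if not code:
        raise ValueError("response carries no authorization code")
    return code
```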