GETTING STARTED
The first thing to determine is which grant type (flow) to use. This depends on the type of application and your evaluation of the security risks.
Recommended grant types for the different application types:
| Application Type | Preferred Grant Type | Alternative Grant Type |
|---|---|---|
| Native | Resource Owner Password | PKCE |
| Mobile | PKCE | Implicit Flow |
| Traditional | Authorization Code | - |
| Single-Page Web | PKCE | Implicit Flow |
| Machine-To-Machine | Client Credentials | - |
Some important questions to ask:
- Where and how is the username/password entered?
  - Provided in the application.
  - Redirect to a web page supplied by the Identity Server.
- Do you have multiple applications, and do you plan to implement single sign-on?
- Are you planning to use multi-factor authentication?
  - MFA is currently not supported by Dualog Access but will be supported in a later version.
- What does it take to change your applications?
  - How is authentication implemented today, where are users stored, and do you foresee a major redesign?
- Are there other considerations to take into account?
RESOURCE OWNER PASSWORD
Version 1.x of Dualog Access only supports this grant type. In a later version, other grant types will be supported as well.
The Resource Owner Password flow allows the application to exchange a user's username and password for an access token.
BASIC STEPS
- Ask the user for their credentials.
  - The first thing the application should do is ask the user for their credentials.
- Exchange the credentials for an access token.
  - The application must make a POST request to the Dualog Access service, providing the credentials and the client information, and receives an access token in return.
Required POST parameters:
- grant_type - value must be "password" for this flow.
- scope - One or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued. Available scopes: "OpenID", "profile" and "email".
- client_id - The client identifier. This will be provided by the organization owner. This value corresponds to the value configured for this application on Dualog Portal.
- client_secret - The client secret provided by the organization owner. This value corresponds to the value configured for this application on Dualog Portal.
- username - The username provided by the user.
- password - The password provided by the user.
EXAMPLE (WITH CURL)
```bash
curl -d "grant_type=password" \
     -d "client_id=nameoftheclient" \
     -d "client_secret=thesecret" \
     -d "username=test%40test.com" \
     -d "password=_password_" \
     https://url
```
If the user-provided credentials are successfully authenticated, the Dualog Access service returns a JSON response containing the access token:
```json
{
  "issued_at": "0101990561212",
  "signature": "SF132DFG3434DFGS345SFL=",
  "access_token": "the_access_token"
}
```
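The same exchange as the curl call above, written as a small client so the two steps (build the form-encoded request with the required parameters, then parse the token response) are visible in code. This is an added example, not Dualog's own code: the endpoint URL is the page's placeholder, the `post` callback and `redact_for_log` helper are assumptions for illustration, and the sample response is constructed to mirror the one shown above. Because this flow hands the user's password and the client secret to the application, the example also shows masking those values before anything about the request is logged.

```python
"""Resource Owner Password flow client (added example, not Dualog's own code)."""
import json
import urllib.parse
import urllib.request

# Placeholder from the page; replace with the real Dualog Access token endpoint.
TOKEN_URL = "https://url"

# Values that must never reach logs or crash reports.
SENSITIVE = ("password", "client_secret")


def build_token_request(client_id, client_secret, username, password, scope=None):
    """Return the application/x-www-form-urlencoded body for the password grant.

    urlencode percent-encodes reserved characters, e.g. '@' -> '%40', which is
    why the curl example sends 'test%40test.com'. Multiple scopes are joined
    with a space, which encodes as '+'.
    """
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }
    if scope:
        params["scope"] = " ".join(scope)
    return urllib.parse.urlencode(params)


def redact_for_log(body):
    """Return a copy of the form body with password/client_secret masked (assumed helper)."""
    pairs = urllib.parse.parse_qsl(body, keep_blank_values=True)
    masked = [(k, "***" if k in SENSITIVE else v) for k, v in pairs]
    return urllib.parse.urlencode(masked)


def parse_token_response(body):
    """Parse the JSON token response; refuse responses without an access_token."""
    data = json.loads(body)
    if not data.get("access_token"):
        raise ValueError("token response has no access_token")
    return data


def _http_post(url, body, headers):
    """Real transport: POST the form body and return the response text."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def request_token(client_id, client_secret, username, password, scope=None, post=None):
    """Run the flow end to end.

    `post` is an injectable transport (url, body, headers) -> str so the flow
    can be exercised offline; it defaults to a real HTTP POST.
    """
    body = build_token_request(client_id, client_secret, username, password, scope)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # Log only the redacted form: the raw body carries the user's password.
    print("token request:", redact_for_log(body))
    return parse_token_response((post or _http_post)(TOKEN_URL, body, headers))


# Constructed sample response mirroring the page's example (not a real token).
SAMPLE_RESPONSE = (
    '{"issued_at":"0101990561212",'
    '"signature":"SF132DFG3434DFGS345SFL=",'
    '"access_token":"the_access_token"}'
)


def demo():
    """Exercise the flow offline with the constructed sample response."""
    token = request_token(
        "nameoftheclient", "thesecret", "test@test.com", "_password_",
        post=lambda url, body, headers: SAMPLE_RESPONSE,
    )
    return token["access_token"]


if __name__ == "__main__":
    print("access_token:", demo())
```

The injectable `post` transport is what makes the flow testable without the service; in production the default `_http_post` is used and the client secret should be loaded from configuration rather than embedded in the binary, since anything shipped in a native client can be extracted from it.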