Primitives by Use Case
Heather Flanagan edited this page Apr 14, 2022 · 5 revisions
Usage | Protocol | Flow | 3P Cookies (Priority) | Link Decoration (Priority) | Redirect (Priority) | Notes |
---|---|---|---|---|---|---|
Sign-in | OIDC | Implicit + form POST | No | Yes (high) | Yes | |
Sign-in | OIDC | Code flow | No | Yes (high) | Yes | |
Sign-in | OIDC | SPA: Code + PKCE | No | Yes (high) | Yes | |
Sign-in | OIDC | SPA: Implicit, fragment | No | Yes (low) | Yes (low) | on its way out; ok to disrupt |
Sign-in | SAML 2.0 | Redirect + POST | No | Yes (high) | Yes | |
Sign-in | SAML 2.0 | Artifact binding | No | Yes (high) | Yes | |
Sign-in | WS-Federation | Redirect + POST | No | Yes (low) | Yes | widely deployed but on its way out |
Sign-out | OIDC | RP-Initiated Logout | No | Yes (high) | Yes | RP tells the OP to get rid of the session; whether the OP tells others to do the same is a different layer; this may be dependent on implementation |
Sign-out | OIDC | Front-Channel Logout | Yes (high) | Yes (medium) | No | Alternatives when 3PC are unavailable: OpenID Shared Signals and Events; OIDC Backchannel Logout |
Sign-out | OIDC | Backchannel Logout | No | No | No | |
Sign-out | OIDC | Common implementation - Session Management | Yes (medium) | No | No | opening an iframe on your RP is something people do, but it isn't in a standard, nor is it particularly common. It's a trick people use, and has nothing to do with OIDC-specified session management |
Sign-out | OIDC | OIDC-specified implementation - Session Management | Yes (medium) | No | No | OIDC session management standard; difficult to package in an SDK so is not particularly common (as far as we know) |
Sign-out | SAML 2.0 | Single Log Out (SLO) | Maybe (low) | Yes (medium) | Yes | using cookies for SAML SLO is not part of the spec, but some SPs may do it as a way to try to make SLO work |
Sign-out | WS-Federation | Single Log Out (SLO) | Yes (low) | Yes (low) | Yes (low) | Render a page with a list of images, where the source of each image is the URL of the RP that is meant to sign out |
Token Retrieval | OAuth 2.0 | Code flow | No | Yes (high) | Yes | quintessential OAuth flow |
Token Retrieval | OAuth 2.0 | SPA: Code + PKCE | No | Yes (high) | Yes | |
Token Renewal | OAuth 2.0 | SPA: background token renewal (iframe) | Yes (high) | Yes (low) | Yes | this has alternatives, though it is heavily used today; can use sender-constrained request tokens |
Token Renewal | OAuth 2.0 | SPA: background token renewal (refresh token) | No | No | No | |
Token Usage | OAuth 2.0 | JS bearer token | No | No | No | |
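The sign-in and token-retrieval rows above all say "3P Cookies: No, Link Decoration: Yes (high), Redirect: Yes". The following added example, which is not part of this wiki page or of any FedID CG deliverable, makes that concrete for the OIDC code + PKCE flow and the legacy SPA implicit (fragment) flow: the RP-side script builds the cross-site redirect to the OP, and the only state that crosses the site boundary rides in the URL (query string for the code flow, fragment for implicit), while `state` is checked against a value the RP keeps in its own first-party session. The endpoints, `client_id` and the returned authorization code are constructed placeholders; the PKCE check uses the RFC 7636 test vector.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints for the example (not taken from the page).
OP_AUTHZ_ENDPOINT = "https://op.example/authorize"
RP_REDIRECT_URI = "https://rp.example/cb"


def code_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes -> 43 base64url chars."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge(verifier)


def build_authz_request(state: str, nonce: str, challenge: str, response_type: str = "code") -> str:
    """RP -> OP redirect. Everything the OP needs is link decoration on the URL;
    the OP never reads an RP cookie, so the hop needs no third-party cookie."""
    params = {
        "response_type": response_type,
        "client_id": "rp-client-id",  # hypothetical client registration
        "redirect_uri": RP_REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if response_type == "code":
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    return f"{OP_AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_authz_response(redirect_back: str, expected_state: str) -> dict:
    """OP -> RP redirect. Code flow returns the result in the query string; the
    legacy SPA implicit flow returns it in the fragment. Both are link decoration.
    `expected_state` comes from the RP's first-party session, not from the URL."""
    u = urlparse(redirect_back)
    if f"{u.scheme}://{u.netloc}{u.path}" != RP_REDIRECT_URI:
        raise ValueError("response delivered to an unregistered redirect_uri")
    location = "query" if u.query else "fragment"
    params = {k: v[0] for k, v in parse_qs(u.query or u.fragment).items()}
    # Constant-time compare so a mismatch cannot be probed by timing.
    if not secrets.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not bound to this RP session")
    if "error" in params:
        raise ValueError(f"authorization error: {params['error']}")
    return {"location": location, **params}


def demo_code_flow() -> dict:
    """RP side of the code + PKCE flow with a constructed OP reply."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    request_url = build_authz_request(state, nonce, challenge)  # what the browser is sent to
    # Constructed reply: the user authenticated at the OP with the OP's own first-party
    # cookie, and the OP now redirects back with the code in the query string.
    reply = f"{RP_REDIRECT_URI}?{urlencode({'code': 'SplxlOBeZQQYbYS6WxSbIA', 'state': state})}"
    result = parse_authz_response(reply, state)
    result["code_verifier"] = verifier  # goes to the token endpoint on the back channel
    result["request_url"] = request_url
    return result


if __name__ == "__main__":
    r = demo_code_flow()
    print("redirect to OP:", r["request_url"])
    print("code arrived via", r["location"], "->", r["code"])
```

Two things the table only hints at show up directly: the token-renewal iframe row needs a third-party cookie because the OP must recognise the user without a navigation, whereas every redirect-based row here carries its binding (`state`, `nonce`, `code_challenge`) in the URL; and the "Yes (low)" for the implicit fragment row is the same link-decoration dependency, just in the fragment rather than the query.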