OIDC support
Strivacity supports all standard OIDC flows:
- Authorization code flow: Used by single-page or multi-page applications that have access to a backend component. The backend can securely retrieve an
id_token. This is the recommended flow for authenticating users. See Authorization code flow for details. - Authorization code flow with PKCE: Used by applications that cannot safely store a client secret, such as single-page applications. The app uses PKCE to securely exchange the authorization code for tokens. See PKCE flow for details.
- Implicit flow: Historically used by applications without a backend component.
The implicit flow is no longer recommended for single-page applications due to security limitations. Use the authorization code flow with PKCE instead.
- Hybrid flow: A combination of implicit and authorization code flows. Both an
id_tokenand an authorization code are returned by Strivacity. - Client credentials flow: This flow is typically used for Machine-to-Machine (M2M) communications. In Strivacity, this flow can be used to obtain access to REST APIs.
The OAuth2/OIDC settings appear as a tab when creating and editing OIDC clients.
Well-known URLs
Here's a list of well-known URLs for your Strivacity instance:
| Name | URL |
|---|---|
| Well-known OIDC configuration | /.well-known/openid-configuration |
| Authorization endpoint | /oauth2/auth |
| Token endpoint | /oauth2/token |
| User info endpoint | /userinfo |
| Revocation endpoint | /oauth2/revoke |
| Logout URL | /oauth2/sessions/logout |
| JWKS endpoint | /.well-known/jwks.json |
Error handling
Here, you will find a table that helps you understand the various error codes that Strivacity may return to your application during an OIDC Flow.
These error codes are returned to your application via a URL that looks something like this:
https://REDIRECTION_URI?error=<error>&error_description=<description>
| Error code | Description |
|---|---|
| access_denied | Strivacity denied the login request |
| invalid_client | Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method) |
| invalid_grant | The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client |
| invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed |
| invalid_scope | The requested scope is invalid, unknown, or malformed |
| registration_denied | Strivacity denied the registration request |
| request_forbidden | Strivacity denied the request because the session cookie was not present or was malformed |
| server_error | Strivacity encountered an unexpected condition that prevented it from fulfilling the request |
| temporarily_unavailable | Strivacity is currently unable to handle the request due to a temporary overloading or maintenance |
| unauthorized_client | The authenticated client is not authorized to use this authorization grant type |
| unsupported_grant_type | The authorization grant type is not supported by Strivacity |
| unsupported_response_type | Strivacity does not support obtaining an authorization code using this method |
Updated 15 days ago