OneContactLogin architecture

OneContactLogin is an OpenID Connect provider - it implements the OpenID Connect and OAuth 2.0 protocols.

User: A user is a human that is using a registered client to access resources.

Client: A client is a piece of software that requests tokens from OneContactLogin - either for authenticating a user (requesting an identity token) or for accessing a resource (requesting an access token).

A client must first be registered with OneContactLogin before it can request tokens.

Resources: Resources are protected by OneContactLogin - either users' identity data or APIs.

Every resource has a unique name - clients use this name to specify which resources they want to access.

Identity data: Identity information (aka claims) about a user, e.g. name or email address.

APIs: API resources represent functionality a client wants to invoke.

Identity Token: An identity token represents the outcome of an authentication process. It contains, at a bare minimum, an identifier for the user (the sub claim, i.e. the subject) and information about how and when the user authenticated. It can contain additional identity data.

Access Token: An access token allows access to an API resource. Clients request access tokens and forward them to the API. Access tokens contain information about the client and the user (if present). APIs use that information to authorize access to their data.
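As an added example (not OneContactLogin's own code), the following Python models the two token types described above: a bare-minimum identity token carrying the subject and how/when the user authenticated, and an access token addressed to a resource's unique name that an API verifies and then authorizes on its client, user and scope claims. The signing key, issuer URL, client ids, resource names and scopes are constructed placeholders, and HS256 stands in for the asymmetric signature a real provider would use.

```python
import base64, hashlib, hmac, json
# Constructed demo key and issuer (assumptions for this example only); a real
# provider signs with an asymmetric key and publishes the public part via JWKS.
SIGNING_KEY = b"constructed-demo-signing-key"
ISSUER = "https://login.example.test"  # placeholder, not a real provider URL

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, audience: str, now: int) -> dict:
    """Pin the algorithm, then check signature, issuer, audience and expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an unpinned alg
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def issue_identity_token(sub: str, client_id: str, now: int) -> str:
    # Bare minimum: subject plus how (amr) and when (auth_time) the user authenticated.
    return sign_jwt({"iss": ISSUER, "aud": client_id, "sub": sub, "auth_time": now,
                     "amr": ["pwd"], "iat": now, "exp": now + 300})

def issue_access_token(client_id: str, resource: str, scope: str, now: int, sub=None) -> str:
    # Audience is the resource's unique name; 'sub' appears only when a user is involved.
    return sign_jwt({"iss": ISSUER, "aud": resource, "client_id": client_id, "scope": scope,
                     "iat": now, "exp": now + 3600, **({"sub": sub} if sub is not None else {})})

def api_authorize(token: str, resource: str, required_scope: str, now: int):
    """API side: verify the token is for this resource, then authorize on client, user and scope."""
    claims = verify_jwt(token, resource, now)
    return required_scope in claims.get("scope", "").split(), claims["client_id"], claims.get("sub")
```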