I am new to the ForgeRock system and still learning; I have a very basic question: how does an application communicate with a journey defined in ForgeRock Identity Cloud?
The user accesses the application (clientid=abc), and the application triggers the login journey URL (/authenticate?loginjourney) of ForgeRock; ForgeRock shows the login page to authenticate. Once the user is authenticated, how will ForgeRock know to return the authorization code to the application for the further exchange for a token?
This may sound like a silly question; basically I am trying to find the difference between the standard authorization endpoint, where client id and redirect URI are passed to start authentication and return a code, and authenticating through a particular journey, where the endpoint is /authenticate?LoginJourney.
There are basically two ways of orchestrating an OAuth2/OIDC flow.
Orchestrated by the client app, using an embedded, native login flow: the app authenticates and, upon receiving the SSO token, initiates the OAuth2/OIDC flow. It’s all REST calls in the SPA or native app.
Orchestrated by the OAuth2 provider. This flow is better suited for web portals. The client initiates the authorisation flow. The OAuth2 provider redirects the user for authentication; once the user is authenticated, they are redirected back, via the goto URL in the parameters, which must be processed by the login app, to complete the authorisation flow. The following artefacts contribute to the selection of the login journey:
- The default login journey set up in the realm.
- acr mappings in the OIDC provider configuration.
- Custom Login URL template configured in the OAuth2 provider (or client configuration override).
In addition, I would suggest going through the Postman collection below and configuring it against your IDCloud tenant. There’s a directory with requests for OAuth2 which can help you understand the available endpoints and how the flow works in IDCloud.
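To make the second (provider-orchestrated) flow concrete, here is an added example that is not part of Patrick's answer or of any ForgeRock code: each party (client app, OAuth2 provider, externally hosted login app) is modelled as a pure function, so the whole round trip can be run offline. The hosts `tenant.example`, `login.example` and `app.example`, the `/oauth2/authorize` path, the client id `abc` and the redirect URI are placeholders and assumptions; the point it shows is that the client only ever sends a standard authorization request (with `state` and PKCE), the provider is the one that bounces an unauthenticated user to the login app with the authorization URL as `goto`, the login app returns the user to that `goto` once the journey succeeds, and only then does the provider mint a code bound to the client, its redirect URI and the PKCE challenge.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders and assumptions for this model, not real IDCloud hosts or paths.
AS_BASE = "https://tenant.example/am"
LOGIN_APP = "https://login.example/"
CLIENT_ID = "abc"                               # client id used in the question
REDIRECT_URI = "https://app.example/callback"   # assumed registered redirect URI
REGISTERED_CLIENTS = {CLIENT_ID: {REDIRECT_URI}}
ISSUED_CODES = {}   # code -> binding (client_id, redirect_uri, challenge, sub)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair():
    """Client side: PKCE verifier and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())


def client_start(state: str, challenge: str) -> str:
    """Client side: the only request the client makes is the standard
    authorization request; it never calls /authenticate itself."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AS_BASE}/oauth2/authorize?{urlencode(params)}"


def provider_authorize(authorize_url: str, session_subject):
    """Provider side: validate client and redirect_uri first. With no session,
    redirect to the login app with the authorize URL as goto; with a session,
    bind a one-time code to the request and send the user back to the client."""
    q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    if q.get("redirect_uri") not in REGISTERED_CLIENTS.get(q.get("client_id"), set()):
        raise ValueError("unknown client or unregistered redirect_uri")
    if session_subject is None:
        return f"{LOGIN_APP}?{urlencode({'goto': authorize_url})}"
    code = _b64url(secrets.token_bytes(24))
    ISSUED_CODES[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                          "challenge": q["code_challenge"], "sub": session_subject}
    return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"


def login_app_finish(login_url: str, authenticated_subject: str):
    """Login app side: after the journey succeeds, honour goto only when it points
    back at the provider host; anything else would be an open redirect."""
    goto = parse_qs(urlparse(login_url).query)["goto"][0]
    if urlparse(goto).netloc != urlparse(AS_BASE).netloc:
        raise ValueError("refusing goto that leaves the provider host")
    return goto, authenticated_subject


def client_callback(callback_url: str, expected_state: str) -> str:
    """Client side: verify state before using the code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch")
    return q["code"]


def provider_token(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Provider side: the code is single-use and bound to client, redirect_uri and PKCE."""
    binding = ISSUED_CODES.pop(code, None)
    if binding is None or binding["client_id"] != client_id or binding["redirect_uri"] != redirect_uri:
        raise ValueError("code not valid for this client")
    if _b64url(hashlib.sha256(verifier.encode()).digest()) != binding["challenge"]:
        raise ValueError("PKCE verification failed")
    return {"access_token": _b64url(secrets.token_bytes(16)),
            "token_type": "Bearer", "sub": binding["sub"]}


def run_centralised_flow(subject: str = "alice") -> dict:
    """Drive all three parties through one round trip and return the token response."""
    state = _b64url(secrets.token_bytes(16))
    verifier, challenge = pkce_pair()
    authorize_url = client_start(state, challenge)
    login_url = provider_authorize(authorize_url, None)           # no session: go to login app
    resumed_url, session_subject = login_app_finish(login_url, subject)
    callback = provider_authorize(resumed_url, session_subject)   # session now: issue code
    code = client_callback(callback, state)
    return provider_token(code, verifier, CLIENT_ID, REDIRECT_URI)


if __name__ == "__main__":
    print(run_centralised_flow("alice"))
```

Read `run_centralised_flow` top to bottom and it mirrors the answer: the client app never talks to the journey endpoint, the session is created by the login app, and the `goto` carries the user back to the provider so the authorisation request resumes. The `netloc` check in `login_app_finish` is the one piece of logic the login app must not skip when it processes `goto`.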
Many thanks for the response Patrick,
The 1st flow I am very clear on: the client application initiates the authorization endpoint, passing its own client id, redirect URI etc., and after authentication the authorization code gets redirected to the application's redirect URI.
The 2nd flow is the one I want to understand better. So what I am getting is: if I split the login page out of ForgeRock (externally hosted login pages) using the SDK, the login application processes authentication and the user session is established, then through the goto URL the user will be returned to the original Application A. Will it be a kind of SSO between the application and the login app, and the application won't need its own client id/secret?
Is it a kind of portal login, with authentication being taken through a journey, and further SSO will happen to the applications?
Talking about the SDK, here you can see that the “embedded” login mode uses the 1st flow, while “centralised” login uses the second flow.