
OAuth flow 1

2023-01-16 12:48  qgbo

Implicit flow:

The client assembles a URL (shown below after decodeURIComponent decoding):
http://authServer/keycloak/realms/dev/protocol/openid-connect/auth?
response_type=id_token token
&client_id=sample
&state=MWF5SGpMVH5EbHU1eXJOdVdYbkpUaUJRaElURExsV0FIRHRZdEdlQ2hzT1Bz;/some-state;p1=1;p2=2?p3=3
&p4=4
&redirect_uri=http://localhost:4200/index.html
&scope=openid
&nonce=MWF5SGpMVH5EbHU1eXJOdVdYbkpUaUJRaElURExsV0FIRHRZdEdlQ2hzT1Bz

This redirects to the login page:

After entering the username and password, a successful login redirects to

http://authServer/keycloak/realms/dev/login-actions/authenticate?session_code=_s3m84hs3ifLDG-Xut4CBGm4lG7JBb26yLSeZCrttMs&execution=da5fb58c-2492-4fe7-bf28-26ddf62112ed&client_id=sample&tab_id=IGA9s44Hn3o

It then redirects to:

http://localhost:4200/index.html#
state=MWF5SGpMVH5EbHU1eXJOdVdYbkpUaUJRaElURExsV0FIRHRZdEdlQ2hzT1Bz%3B%252Fsome-state%253Bp1%253D1%253Bp2%253D2%253Fp3%253D3%2526p4%253D4&session_state=6e19274a-34a3-4f59-94cf-75c364f96171&id_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJocEFnengyYzd6YVNsYXBaVEx3dHZzakk5SVU4X0w3NGJJeW1fWXNmMFZJIn0.eyJleHAiOjE2NzM0MjU1NDcsImlhdCI6MTY3MzQyNDY0NywiYXV0aF90aW1lIjoxNjczNDI0NjQ3LCJqdGkiOiJiMGY1YTM0Ny00YzJhLTRhNDctYmMyNi1mM2Q4NDczY2U0MjUiLCJpc3MiOiJodHRwOi8vMTAuMzguMjUuMTM3OjgwODgva2V5Y2xvYWsvcmVhbG1zL2RldiIsImF1ZCI6InNhbXBsZSIsInN1YiI6IjZmMzc1OGM4LWE0ZDgtNDQxZC05ZmJmLWU1ZTY3ODkyYzY1MiIsInR5cCI6IklEIiwiYXpwIjoic2FtcGxlIiwibm9uY2UiOiJNV0Y1U0dwTVZINUViSFUxZVhKT2RWZFlia3BVYVVKUmFFbFVSRXhzVjBGSVJIUlpkRWRsUTJoelQxQnoiLCJzZXNzaW9uX3N0YXRlIjoiNmUxOTI3NGEtMzRhMy00ZjU5LTk0Y2YtNzVjMzY0Zjk2MTcxIiwiYXRfaGFzaCI6Iml1QkRrbzZUYW5ueGl1QmFmcmx3TEEiLCJhY3IiOiIxIiwic19oYXNoIjoidURCWlZ1ampPSVkteVR1NzhGTl9KZyIsInNpZCI6IjZlMTkyNzRhLTM0YTMtNGY1OS05NGNmLTc1YzM2NGY5NjE3MSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoicSIsImdpdmVuX25hbWUiOiIiLCJmYW1pbHlfbmFtZSI6IiJ9.nS89RdJ-2cfD-4TI3j5r7Hp2tgFxEFtwq1_4DE93Js3cidiN_uYM_KiDFiHQoHuiYcEwAySVVutB4ObLormeLf-PYQAh7sFrdT9lyK4ZXgIVSf8boQT61kX5lyX37-RReu8QxqyigC440mONSxrmM1l1i8dNCnGFXPeczPrWXayer3XeJVfSs9oCOE3BlbQBgCWR2tVnbY2-XgeIl1bmqp-hYvWxtPfzDOPZUHecjZWsz-NsVwU-08h9TYksDd4tpFvuCiKMXT5TsjC-en0jYkEigg5YJjZagfoOT1J8bk4HVYW6mJKm6VLXPUh9wueQVa80rMBcTd7RRts3KOA4rg&access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJocEFnengyYzd6YVNsYXBaVEx3dHZzakk5SVU4X0w3NGJJeW1fWXNmMFZJIn0.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.Dfs3lNo3lqU6x6LMk6_Ni0NOUpJYnS-KhH_d4de7c0IK_YDhwvOHWOEz0elHXnxe-P9s7fDzWe9coeWExSgFiJFXrG1V1jYp7bvNAw7XkcELr7rGyTFAZ_HqgVyT2oFyZnSo2i8r1LI1kMNu9YUqK9DeiTpN9xlEW3V2qhpdOZAh3YltdRPSs2qFlMyVmncffvO1M0BtM7a7vQHJubqZZatPmtRdY0-Fc84f9rMvVck4kxET0j5Rr_8dbrpkneNuepwnyjYkf_Dzl7-N5q9oggOhsTktclaRUVnvjLPydL-aRhRFJQOgnSa7UPCxF1dXnWhpMattmDHB9Puo3a_FgA&token_type=Bearer&expires_in=900

 

This fragment carries both the id_token and the access_token. URL-decoded, it reads:

state=MWF5SGpMVH5EbHU1eXJOdVdYbkpUaUJRaElURExsV0FIRHRZdEdlQ2hzT1Bz;/some-state;p1=1;p2=2?p3=3
&p4=4
&session_state=6e19274a-34a3-4f59-94cf-75c364f96171
&id_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJocEFnengyYzd6YVNsYXBaVEx3dHZzakk5SVU4X0w3NGJJeW1fWXNmMFZJIn0.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.nS89RdJ-2cfD-4TI3j5r7Hp2tgFxEFtwq1_4DE93Js3cidiN_uYM_KiDFiHQoHuiYcEwAySVVutB4ObLormeLf-PYQAh7sFrdT9lyK4ZXgIVSf8boQT61kX5lyX37-RReu8QxqyigC440mONSxrmM1l1i8dNCnGFXPeczPrWXayer3XeJVfSs9oCOE3BlbQBgCWR2tVnbY2-XgeIl1bmqp-hYvWxtPfzDOPZUHecjZWsz-NsVwU-08h9TYksDd4tpFvuCiKMXT5TsjC-en0jYkEigg5YJjZagfoOT1J8bk4HVYW6mJKm6VLXPUh9wueQVa80rMBcTd7RRts3KOA4rg
&access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJocEFnengyYzd6YVNsYXBaVEx3dHZzakk5SVU4X0w3NGJJeW1fWXNmMFZJIn0.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.Dfs3lNo3lqU6x6LMk6_Ni0NOUpJYnS-KhH_d4de7c0IK_YDhwvOHWOEz0elHXnxe-P9s7fDzWe9coeWExSgFiJFXrG1V1jYp7bvNAw7XkcELr7rGyTFAZ_HqgVyT2oFyZnSo2i8r1Lu9YUqK9DeiTpN9xlEW3V2qhpdOZAh3YltdRPSs2qFlMyVmncffvO1M0BtM7a7vQHJubqZZatPmtRdY0-Fc84f9rMvVck4kxET0j5Rr_8dbrpkneNuepwnyjYkf_Dzl7-N5q9oggOhsTktclaRUVnvjLPydL-aRhRFJQOgnSa7UPCxF1dXnWhpMattmDHB9Puo3a_FgA
&token_type=Bearer&expires_in=900

 


In short, with just a client_id plus a username and password, the client receives the tokens directly.
However, the implicit flow is exposed to XSS (the tokens land in the browser's URL fragment) and is being deprecated:
https://docs.duendesoftware.com/identityserver/v6/bff/overview/
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-6.2.1-2
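As an added example (not code from the original post), the checks a browser client must perform on the implicit-flow redirect shown above: parse the fragment, compare `state` with the value it sent, and compare the `nonce` claim inside the `id_token` with the nonce it sent. Node.js; the sample redirect and its unsigned token are constructed here, and signature, issuer and expiry verification against the realm's JWKS is left out.

```javascript
// Added example, not from the original post: client-side checks on the
// implicit-flow redirect "http://localhost:4200/index.html#state=...&id_token=...".
// Node.js, offline. The sample token below is constructed and carries a fake signature.

// JWT segments are base64url without padding.
function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Parse "#state=...&session_state=...&id_token=...&access_token=..." into an object.
// URLSearchParams percent-decodes, so a state containing ';', '/' or '&' survives
// only because the server percent-encoded it (the %3B / %2526 seen above).
function parseFragment(url) {
  return Object.fromEntries(new URLSearchParams(url.split('#')[1] || ''));
}

// Decode the payload only. Signature (against the realm JWKS), iss, aud and exp
// must also be verified before any claim is trusted; that part is omitted here.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// state must equal the value this client stored before redirecting (anti-CSRF);
// the nonce claim must equal the nonce sent in the auth request (anti-replay).
function validateImplicitResponse(url, expectedState, expectedNonce) {
  const p = parseFragment(url);
  if (!p.id_token) return { ok: false, reason: 'missing id_token' };
  if (p.state !== expectedState) return { ok: false, reason: 'state mismatch' };
  const claims = jwtPayload(p.id_token);
  if (claims.nonce !== expectedNonce) return { ok: false, reason: 'nonce mismatch' };
  return { ok: true, claims };
}

// Constructed redirect for testing; issuer and audience mirror the captured flow.
function sampleRedirect(state, nonce) {
  const header = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({
    iss: 'http://authServer/keycloak/realms/dev', aud: 'sample', typ: 'ID', nonce, preferred_username: 'q',
  }));
  const idToken = `${header}.${payload}.FAKE_SIGNATURE_NOT_VERIFIED`;
  return `http://localhost:4200/index.html#state=${encodeURIComponent(state)}` +
    `&id_token=${idToken}&token_type=Bearer&expires_in=900`;
}
```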


For a pure front-end application acting as the client, there are two options:
1. BFF (backend for frontend)
2. Front-end only


Code flow:
1. Front-end only:
The front end assembles the URL:

https://localhost:5001/connect/authorize?
client_id=js
&redirect_uri=https://localhost:5003/callback.html
&response_type=code
&scope=openid profile api1
&state=840131826daf48c48eac21bd4f82fdd8
&code_challenge=4XzqTdpyFOemDkc5EjxkinrCwDLcEhGLwnefp3KyJac
&code_challenge_method=S256
&response_mode=query

Clicking login sends a POST (ajax) to https://localhost:5001/Account/Login with body:

Input.ReturnUrl: /connect/authorize/callback?client_id=js&redirect_uri=https%3A%2F%2Flocalhost%3A5003%2Fcallback.html&response_type=code&scope=openid%20profile%20api1&state=840131826daf48c48eac21bd4f82fdd8&code_challenge=4XzqTdpyFOemDkc5EjxkinrCwDLcEhGLwnefp3KyJac&code_challenge_method=S256&response_mode=query
Input.Username: bob
Input.Password: bob
Input.Button: login
__RequestVerificationToken: CfDJ8DEynZE4FYxIgd_eScJy2-eAX2gAwvJazE66a_5lLAWd-U63z8TiP4_aU-OhMvJaYTMCyJcAvDLkT80E7OH0mJ5zhTCl926dJcfbzeYHSdquhfhYSXabGMjBBwRWHOLXUb-LnR9RpHNMwGE02exKs-Y
Input.RememberLogin: false

Response: again a 302, to:

https://localhost:5001/connect/authorize/callback
?client_id=js
&redirect_uri=https://localhost:5003/callback.html
&response_type=code
&scope=openid profile api1
&state=840131826daf48c48eac21bd4f82fdd8
&code_challenge=4XzqTdpyFOemDkc5EjxkinrCwDLcEhGLwnefp3KyJac
&code_challenge_method=S256
&response_mode=query

 


Then a redirect (a browser navigation, not ajax) to the front end:

https://localhost:5003/callback.html?
code=F6CC0BB21365F95C83D83AE5C93ADBF12FEDD4321AD7235B50F9CE5785A713FF-1
&scope=openid profile api1
&state=840131826daf48c48eac21bd4f82fdd8
&session_state=tkZWJqL3gCYqO5czAqOaPIyioP-DzuV1GmEQqGTyYmI.FBC41B36FE1C402E784C561205E2322A
&iss=https://localhost:5001

Finally the token is obtained:
POST https://localhost:5001/connect/token
Body:

client_id: js
code: F6CC0BB21365F95C83D83AE5C93ADBF12FEDD4321AD7235B50F9CE5785A713FF-1
redirect_uri: https://localhost:5003/callback.html
code_verifier: a6061bcf32044961be74635e642df8ddb6d887e777e2458b832321fd2fb135122567dd7e081e44b7b76baf43f95a1efc
grant_type: authorization_code

Code flow:

1. Front end with a backend (BFF):
The front end sends: GET https://localhost:5003/bff/login

Response: 302; the location URL below is composed by the BFF:


location: https://localhost:5001/connect/authorize?
client_id=bff
&redirect_uri=https://localhost:5003/signin-oidc
&response_type=code
&scope=openid profile api1
&code_challenge=c6hQ4ueaiGHsi3SmDMLXxvPcsaIvv8wOt6EW2AHnqQQ
&code_challenge_method=S256
&response_mode=form_post
&nonce=638094307817756258.MDQxMjIzZjUtN2QwMS00OTk3LTg2Y2QtN2I4ZGVmOGQxMTFkMDgzNWVhNjMtMTIwYS00NzEzLTg1YzgtZDFmMGM1ZjliNWM2
&state=CfDJ8DEynZE4FYxIgd_eScJy2-fxy-qSMCvgVqr_Xt90mVWHF2eOuJGazj-gM5AtxMA6ApOJebUPipZy4eB4Bbc1J0O5mjW_H2ue2Uqu37K1VZLKD9TwkzKt4WrQyb6HIAaeLLVYAtoVSyvV3AGe5WMtGyG3Isjh78MzP3n9X1ZudwasUuhK9iiQYovQKNf_HEB-CRx1HYBDJaqGe_w6GrF6oYIE-6-EabBjNE054nxCVxD8dThtscmD8zDGiHJpKvuABRU4fwPDwnkmPfHF8heDdXrXZ2kN75Rzd_nllEMI7x8ty0gQTJqIODV-tfuUDQ6CHA-InpChpN0elPqiszF-6aQliahUKs5b-bYtXogdGGrHYiFpM7o_RlmPPlejgCTm1Q
&x-client-SKU=ID_NETSTANDARD2_0
&x-client-ver=6.10.0.0

 

2. The browser then follows that location; response: 302

location: https://localhost:5001/Account/Login?ReturnUrl=/connect/authorize/callback?client_id=bff&redirect_uri=https://localhost:5003/signin-oidc&response_type=code&scope=openid profile api1&code_challenge=c6hQ4ueaiGHsi3SmDMLXxvPcsaIvv8wOt6EW2AHnqQQ&code_challenge_method=S256&response_mode=form_post&nonce=638094307817756258.MDQxMjIzZjUtN2QwMS00OTk3LTg2Y2QtN2I4ZGVmOGQxMTFkMDgzNWVhNjMtMTIwYS00NzEzLTg1YzgtZDFmMGM1ZjliNWM2&state=CfDJ8DEynZE4FYxIgd_eScJy2-fxy-qSMCvgVqr_Xt90mVWHF2eOuJGazj-gM5AtxMA6ApOJebUPipZy4eB4Bbc1J0O5mjW_H2ue2Uqu37K1VZLKD9TwkzKt4WrQyb6HIAaeLLVYAtoVSyvV3AGe5WMtGyG3Isjh78MzP3n9X1ZudwasUuhK9iiQYovQKNf_HEB-CRx1HYBDJaqGe_w6GrF6oYIE-6-EabBjNE054nxCVxD8dThtscmD8zDGiHJpKvuABRU4fwPDwnkmPfHF8heDdXrXZ2kN75Rzd_nllEMI7x8ty0gQTJqIODV-tfuUDQ6CHA-InpChpN0elPqiszF-6aQliahUKs5b-bYtXogdGGrHYiFpM7o_RlmPPlejgCTm1Q&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0

 


This is the login page: response 200, HTML is returned.

3. After clicking login with username and password, a POST is sent (a regular form post, not ajax, unlike the front-end-only case) to https://localhost:5001/Account/Login
Body:

Input.ReturnUrl:/connect/authorize/callback?client_id=bff&redirect_uri=https://localhost:5003/signin-oidc&response_type=code&scope=openid profile api1&code_challenge=c6hQ4ueaiGHsi3SmDMLXxvPcsaIvv8wOt6EW2AHnqQQ&code_challenge_method=S256&response_mode=form_post&nonce=638094307817756258.MDQxMjIzZjUtN2QwMS00OTk3LTg2Y2QtN2I4ZGVmOGQxMTFkMDgzNWVhNjMtMTIwYS00NzEzLTg1YzgtZDFmMGM1ZjliNWM2&state=CfDJ8DEynZE4FYxIgd_eScJy2-fxy-qSMCvgVqr_Xt90mVWHF2eOuJGazj-gM5AtxMA6ApOJebUPipZy4eB4Bbc1J0O5mjW_H2ue2Uqu37K1VZLKD9TwkzKt4WrQyb6HIAaeLLVYAtoVSyvV3AGe5WMtGyG3Isjh78MzP3n9X1ZudwasUuhK9iiQYovQKNf_HEB-CRx1HYBDJaqGe_w6GrF6oYIE-6-EabBjNE054nxCVxD8dThtscmD8zDGiHJpKvuABRU4fwPDwnkmPfHF8heDdXrXZ2kN75Rzd_nllEMI7x8ty0gQTJqIODV-tfuUDQ6CHA-InpChpN0elPqiszF-6aQliahUKs5b-bYtXogdGGrHYiFpM7o_RlmPPlejgCTm1Q&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0
Input.Username: bob
Input.Password: bob
Input.Button: login
__RequestVerificationToken: CfDJ8DEynZE4FYxIgd_eScJy2-djHuc-6Azyj7LiOiWMNAcc6qsf9DOkdauWTwO03U2V1xclxLQbPTH-1nCqSAP3a87FM9aRN_F0p4mK0L-0B4k2tpJ02xybvPvIEpFSEtqYPyPLPt7NBhTzvjTHvx7iq5A
Input.RememberLogin: false

 


The response is a 302:

location: /connect/authorize/callback?client_id=bff&redirect_uri=https://localhost:5003/signin-oidc&response_type=code&scope=openid profile api1&code_challenge=c6hQ4ueaiGHsi3SmDMLXxvPcsaIvv8wOt6EW2AHnqQQ&code_challenge_method=S256&response_mode=form_post&nonce=638094307817756258.MDQxMjIzZjUtN2QwMS00OTk3LTg2Y2QtN2I4ZGVmOGQxMTFkMDgzNWVhNjMtMTIwYS00NzEzLTg1YzgtZDFmMGM1ZjliNWM2&state=CfDJ8DEynZE4FYxIgd_eScJy2-fxy-qSMCvgVqr_Xt90mVWHF2eOuJGazj-gM5AtxMA6ApOJebUPipZy4eB4Bbc1J0O5mjW_H2ue2Uqu37K1VZLKD9TwkzKt4WrQyb6HIAaeLLVYAtoVSyvV3AGe5WMtGyG3Isjh78MzP3n9X1ZudwasUuhK9iiQYovQKNf_HEB-CRx1HYBDJaqGe_w6GrF6oYIE-6-EabBjNE054nxCVxD8dThtscmD8zDGiHJpKvuABRU4fwPDwnkmPfHF8heDdXrXZ2kN75Rzd_nllEMI7x8ty0gQTJqIODV-tfuUDQ6CHA-InpChpN0elPqiszF-6aQliahUKs5b-bYtXogdGGrHYiFpM7o_RlmPPlejgCTm1Q&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0

 

4. The browser follows that location; the response is 200 and sets cookies:

set-cookie: ConsentResponse.vnI0Wizzcz3ptfheEhtiYfdzceJCAbknI7Jxao2pw7g=.; expires=Fri, 31 Dec 1999 16:00:00 GMT; path=/; secure; httponly
set-cookie: idsrv=CfDJ8DEynZE4FYxIgd_eScJy2-etJoSAwz9zMsjfVXbStqAq3vHmITcxv7DYJAk-cI0K5HJaRXdQ0Y9PAYt58R8-wJ1fnNO8v1u1Bt0DbZPErdY8usRWGxuIYlu6VgVcd6I8VjgISzVjrDazdjF5ih9d3Ki2Qnvh4WbMn6t4bMOjD4J2HMBnU-5y3-oI_h-Q81YiGD5siXjVnm6zFj4z9dLZ2bOnWXw1AdvXCoeDKE9K-DNzcWpR1xuGhuQxLBxd_MAKWdOziBqh5TCHzTGJBjEgCdw9VM5aQw1yXlLaZGz9ul7WGQrGeLA7aHahlxNgK5WDs_ArByVjjWVO1CJb9KkQBVSpAMNHaaHp-Qs8ImUGx0cK8OUs5PWWUHQHAvR4BH7D1kU0cfNwfEWioZ0YkEqkmahw-HgBsb9-AqmLjBYw0KUBLyEPHouCaJi9Cf5pDSGdP3NgnxtkTY981VGI4iT_i6nDbvVFdvI3mom-niQ6I_37TTMeE4Qbn_juOybgYBhYtbUAKJX0TmQI7ocAQ-TlgCYTJWQ4-YLzXHiQZlpVVJNjDS_11Cz2ESuY7myhouajkQ; path=/; secure; samesite=none; httponly

 

5. POST (a browser form post, not ajax: the authorize request used response_mode=form_post) to https://localhost:5003/signin-oidc, body:

code: C4AA938879C515341292DF0B673B2435A0CFE71053EE5C41A273C507CF9B91A9-1
scope: openid profile api1
state: CfDJ8DEynZE4FYxIgd_eScJy2-fxy-qSMCvgVqr_Xt90mVWHF2eOuJGazj-gM5AtxMA6ApOJebUPipZy4eB4Bbc1J0O5mjW_H2ue2Uqu37K1VZLKD9TwkzKt4WrQyb6HIAaeLLVYAtoVSyvV3AGe5WMtGyG3Isjh78MzP3n9X1ZudwasUuhK9iiQYovQKNf_HEB-CRx1HYBDJaqGe_w6GrF6oYIE-6-EabBjNE054nxCVxD8dThtscmD8zDGiHJpKvuABRU4fwPDwnkmPfHF8heDdXrXZ2kN75Rzd_nllEMI7x8ty0gQTJqIODV-tfuUDQ6CHA-InpChpN0elPqiszF-6aQliahUKs5b-bYtXogdGGrHYiFpM7o_RlmPPlejgCTm1Q
session_state: fnMcvdp-bP8LJV3MWd5Mb3RO4Betp9iJnn6nl0IOaXs.3299BA4F582856E7CE9C3934FBB7698D
iss: https://localhost:5001

 

The response is a 302 with location: /. The client UI is now shown on screen,
and the user info can be retrieved.

Steps 1 and 5 happen on the client (the BFF), while steps 2, 3 and 4 are on the auth server.