OpenID Connect Authorization Code

I am using OpenID Connect in Keycloak as an authentication solution and I’ve just encountered the following scenario.

  • Client A sends an authorisation request to the Authorization server and provides the redirect_url of client B in that request.
  • The Authorization server authenticates the user and redirects the user to the provided redirect_url (which is for client B) with the authentication_code.
  • Client B communicates with the Authorization server with its own client_id and secret and takes its token.

I want to know why OpenID Connect has allowed this process. Is it a normal thing for a client to initiate authentication for another client? Why is the issued authentication_code not bound to the client who initiated the authentication, and why can the authentication_code be used by another client with another client_id?

Note: I know that the validity of the redirection_url will be checked in that process, but I want to know why the authorization code is not bound to the client_id itself.
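
An added example, not part of the original question and not Keycloak's code: a minimal in-memory model of the token-endpoint check that RFC 6749 section 4.1.3 describes, where the authorization code is recorded with the client_id and redirect_uri of the authorization request and a redemption by a different client is refused with invalid_grant. The function names, client ids, secrets and URLs are hypothetical, constructed values.

```python
import hmac
import secrets
import time

# Constructed registry; client A has B's callback registered, as in the question.
CLIENTS = {
    "client-a": {"secret": "a-secret",
                 "redirect_uris": {"https://a.example/cb", "https://b.example/cb"}},
    "client-b": {"secret": "b-secret", "redirect_uris": {"https://b.example/cb"}},
}
CODES, CODE_TTL = {}, 60  # code -> binding; code lifetime in seconds


class OAuthError(Exception):
    """Carries the OAuth error code, e.g. invalid_grant."""


def issue_code(client_id, redirect_uri, user):
    """Authorization endpoint: bind the new code to the requesting client."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise OAuthError("invalid_request")
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "user": user, "exp": time.time() + CODE_TTL}
    return code


def redeem_code(code, client_id, client_secret, redirect_uri):
    """Token endpoint: authenticate the caller, then check the code's binding."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise OAuthError("invalid_client")
    grant = CODES.pop(code, None)  # single use: any attempt consumes the code
    if grant is None or grant["exp"] < time.time():
        raise OAuthError("invalid_grant")
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        raise OAuthError("invalid_grant")  # issued to a different client
    return {"access_token": secrets.token_urlsafe(32), "sub": grant["user"]}


def demo():
    """The question's flow: A requests the code, B tries to redeem it."""
    code = issue_code("client-a", "https://b.example/cb", "alice")
    try:
        redeem_code(code, "client-b", "b-secret", "https://b.example/cb")
    except OAuthError as err:
        return str(err)
    return "token issued"
```

In this model the failed attempt by client B also consumes the code, so client A cannot redeem it afterwards either.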