Ncloud Single Sign-On concept
Available in Classic and VPC
Before learning how to integrate Ncloud Single Sign-On, this section describes the concepts required for Ncloud Single Sign-On integration. The main concepts covered are the following.
- OAuth 2.0 definition
- OAuth 2.0 roles
- OpenID Connect
- Access Token
- Refresh Token
- ID Token
- OAuth 2.0 authentication flow
- SAML 2.0 definition
- SAML 2.0 roles
OAuth 2.0 definition
OAuth 2.0 is an open standard authorization protocol for granting permissions. OAuth 2.0 delegates permission for an application to access a resource server on behalf of a user who owns the resource.
OAuth 2.0 roles
The roles defined in OAuth 2.0 are as follows:
| Role | Definition |
|---|---|
| Resource Owner | User who can approve access to protected resources. The resource owner owns the protected resource, and a client with access permission accesses the resource on behalf of the resource owner. |
| Client | An application that receives an access token as a credential, on behalf of the resource owner, to access protected resources |
| Identity Provider | A server that authenticates the resource owner and issues an access token to the client based on the resource owner's authorization approval |
| Resource Server | A server that verifies the access request when a client accesses a resource using an access token, responds to it, and provides the protected resource |
OpenID Connect
OpenID Connect is a protocol based on OAuth 2.0 under which the IdP issues an ID token containing user information alongside the other tokens it issues.
Access Token
An access token is a string issued by the IdP that serves as a credential indicating the client's authorization to access protected resources. The client accesses the resource server using the access token.
Refresh Token
A refresh token is a token issued by the IdP that is used to extend the expiration time of an expired access token or to issue additional access tokens with the same or a narrower scope. When the client calls the access token issuance API with the refresh token included, the IdP verifies that the refresh token has not been forged or altered and then issues an access token.
ID Token
An ID token is a JWT format token that contains user information. It is issued by the IdP along with an access token if you include `id_token` in `scope` when requesting token issuance.
OAuth 2.0 authentication flow
This section describes the OAuth 2.0 authentication flow, from the resource owner initiating the flow to the client accessing the protected resources. For more information on the API used in the flow, see Ncloud Single Sign-On integration API.
Authorization code flow
The authorization code flow is the most common authentication flow; its steps are as follows:
- The resource owner clicks the login button to initiate the flow.
- The client sets the response type to `code` and requests authorization to access the protected resource.
- The IdP sends the resource owner the consent page and login page for providing privacy information.
- The resource owner approves the granting of permission by agreeing and logging in.
- The IdP sends the authorization code to the client.
- The client requests the issuance of an access token from the IdP using the authorization code.
- The IdP verifies the authorization code and issues a token.
- The client with the access token accesses the resource server and requests the protected resource.
- The resource server delivers the requested resource to the client.
PKCE flow
The PKCE flow is the authorization code flow extended with Proof Key for Code Exchange (PKCE) to strengthen its security; its steps, including the PKCE parts, are as follows:
- The resource owner clicks the login button to initiate the flow.
- The client generates a code verifier and code challenge.
- The client includes the code challenge and the code challenge method in the authorization request, and the IdP stores these values.
- The IdP sends the resource owner the consent page and login page for providing privacy information.
- The resource owner approves the granting of permission by agreeing and logging in.
- The IdP sends the authorization code to the client.
- The client requests the issuance of an access token from the IdP, including the code verifier together with the authorization code.
- The IdP compares the stored code challenge with the code verifier it received to verify whether they match.
- If the two values match, the IdP issues an access token.
- The client with the access token accesses the resource server and requests the protected resource.
- The resource server delivers the requested resource to the client.
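As an added illustration of the PKCE steps above (this is example code, not part of the original page and not Ncloud's own API), the following Python models both sides: the client generates the code verifier and the S256 code challenge, and a hypothetical `IdP` class stores the challenge when it issues the authorization code, then recomputes the challenge from the presented verifier at the token request and issues an access token only on a match. The S256 derivation follows RFC 7636; the class and function names are assumptions made for this example.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes give 43 characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))); "plain" sends the verifier as-is.
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

class IdP:
    # Hypothetical IdP model (not Ncloud's API): keeps the challenge with the
    # authorization code and checks it against the verifier at the token request.
    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str) -> str:
        # Steps 3 and 6: store the challenge and hand back an authorization code.
        code = secrets.token_urlsafe(16)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        # Steps 8 and 9: the code is single use (popped first); the challenge is
        # recomputed from the verifier and compared in constant time.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_challenge, method = entry
        if not secrets.compare_digest(make_code_challenge(code_verifier, method), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def run_pkce_flow(idp: IdP, wrong_verifier: bool = False):
    # Client side of steps 2, 3 and 7; wrong_verifier shows the mismatch case.
    verifier = make_code_verifier()
    code = idp.authorize(make_code_challenge(verifier), "S256")
    presented = make_code_verifier() if wrong_verifier else verifier
    return idp.token(code, presented)
```

A verifier that does not match the stored challenge, or an authorization code presented a second time, yields no token, which is the property that protects the code against interception.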
Implicit flow
The implicit flow is suitable for client environments where it is difficult to securely store and manage credentials; its steps are as follows:
- The resource owner clicks the login button to initiate the flow.
- The client sets the response type to `token` and requests authorization.
- The IdP sends the resource owner the consent page and login page for providing privacy information.
- The resource owner approves the granting of permission by agreeing and logging in.
- The IdP issues an access token.
- The client with the access token accesses the resource server and requests the protected resource.
- The resource server delivers the requested resource to the client.
SAML 2.0 definition
SAML 2.0 is a web-based, open standard authentication protocol. It defines a standard information format for exchanging user authentication and authorization information between applications, allowing IdPs and SPs to securely exchange user information and authenticate users.
SAML 2.0 roles
The roles defined in SAML 2.0 are as follows:
| Role | Definition |
|---|---|
| Service Provider (SP) | The entity that provides the service. It mainly refers to the application or service that the SSO user wants to use; it requests the user's authentication information from the Identity Provider (IdP). |
| Identity Provider (IdP) | A system that verifies the user's authentication information requested by the Service Provider (SP) and provides the user's authentication information to the Service Provider (SP) |
| SAML Request | A request message used to exchange authentication information between the Identity Provider (IdP) and the Service Provider (SP). It includes the information needed to create the SAML Assertion (authentication information). |
| SAML Response | A response message used to exchange authentication information between the Identity Provider (IdP) and the Service Provider (SP). It includes the SAML Assertion (authentication information) and other necessary metadata. Through it, the IdP verifies the user's authentication information and provides the authentication result to the SP. |
| SAML Assertion | An XML document containing the user's authentication information, such as ID, authentication time, and authentication method. It is transferred from the Identity Provider (IdP) to the Service Provider (SP), and the SP uses it to verify the user's authentication. |
| ACS URL | The URL at which the Service Provider (SP) provides its Assertion Consumer Service (ACS) |