Learn about authorization in HyperID
HyperID is an identity platform built on the OpenID Connect protocol, which is itself an identity layer on top of OAuth 2.0. To use HyperID authentication, a service provider implements the standard OAuth 2.0 authorization flow; OpenID Connect adds the ID token that carries the authenticated user's identity.
Service providers must first register their client application with the HyperID platform. Registration yields a client ID and fixes the client authentication method, which is either a client secret (the basic option) or a client assertion (the more secure option; details are in the Client Authentication chapter). Whichever method is chosen, the credential belongs on the server side of the client application and must never be shipped to a browser or distributed binary.
The authorization grant type in OAuth 2.0 defines how a client application obtains tokens from the authorization server. HyperID adopts the authorization code grant, which is widely regarded as the most secure and recommended option. With this grant type, the user's browser only ever carries a short-lived, single-use authorization code; the client redeems that code for tokens in a direct, authenticated back-channel request to the token endpoint. The access token therefore never passes through the browser, which minimizes the risk of token leakage. The client must bind the callback to the login attempt it started (the OAuth `state` parameter) so that an attacker cannot inject a code of their own into the user's session.
With the authorization code grant, the client receives both an access token and a refresh token. The access token is presented to protected resources; it is a bearer credential, so it must be kept confidential in transit and at rest. The refresh token lets the client obtain a new access token from the token endpoint without involving the user, which allows access tokens to be kept short-lived while the user's session continues, for as long as the refresh token remains valid and has not been revoked.
By adopting this approach, HyperID minimizes token exposure, gives the client controlled token renewal, and improves the overall security of user authentication.
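The three steps above (build the authorization request, validate the callback, redeem the code on the back channel) are shown below as an added example written for this page; it is not HyperID's own code or SDK. The endpoint URLs, client ID, client secret and redirect URI are placeholders: a real integration takes the endpoints from the provider's OpenID Connect discovery document and the credentials from its client registration. Client authentication uses `client_secret_basic`; the client assertion method would replace the `Authorization` header with `client_assertion` and `client_assertion_type` form fields.

```python
"""Added example of the server side of an OAuth 2.0 authorization code flow.

Not HyperID code: all URLs and credentials below are placeholders.
"""
import base64
import secrets
import urllib.parse

# Placeholders (assumptions for this example). Real values come from the
# provider's discovery document and from the client registration.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/oidc/callback"


def build_authorization_request(session: dict, scope: str = "openid profile email") -> str:
    """Step 1: build the URL the user's browser is redirected to.

    `session` is the user's server-side session; `state` and `nonce` are kept
    there so the callback can later be tied to this particular login attempt.
    """
    state = secrets.token_urlsafe(32)   # binds the callback to this session (CSRF defence)
    nonce = secrets.token_urlsafe(32)   # echoed back inside the ID token, checked there
    session["oauth_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "code",        # authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def extract_code_from_callback(session: dict, callback_url: str) -> str:
    """Step 2: the browser returns to REDIRECT_URI?code=...&state=...; validate it."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    expected_state = session.pop("oauth_state", None)   # single use: consumed here
    received_state = query.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(
        received_state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def _client_auth_headers() -> dict:
    """client_secret_basic: HTTP Basic authentication with the registered secret."""
    credentials = f"{urllib.parse.quote(CLIENT_ID)}:{urllib.parse.quote(CLIENT_SECRET)}"
    return {
        "Authorization": "Basic " + base64.b64encode(credentials.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }


def build_token_request(code: str) -> tuple:
    """Step 3: the back-channel POST to TOKEN_ENDPOINT that redeems the code.

    Returns (headers, form_body). The server sends it directly to the token
    endpoint; the user's browser never sees this request or its response.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the value used in step 1
    }
    return _client_auth_headers(), body


def build_refresh_request(refresh_token: str) -> tuple:
    """Step 4, later: renew the access token without involving the user."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _client_auth_headers(), body


def check_token_response(payload: dict) -> dict:
    """Sanity checks on the token endpoint's JSON before the tokens are used.

    Full ID token validation (signature, issuer, audience, expiry and the
    nonce stored in step 1) still has to follow; this only rejects obviously
    unusable responses.
    """
    if "error" in payload:
        raise ValueError(f"token request failed: {payload['error']}")
    if payload.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    for field in ("access_token", "id_token"):
        if not payload.get(field):
            raise ValueError(f"token response lacks {field}")
    return payload
```

The `state` value is consumed on the first callback, so a replayed or attacker-supplied callback URL is rejected; the `nonce` stored alongside it is checked against the `nonce` claim when the ID token is validated.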
User consent is another essential part of OAuth 2.0. Before a service provider can access user data, the user must explicitly consent to the data and actions the client requests. This gives users control over what each service provider may do with their data. HyperID includes a user consent step to provide this transparency and user-centric data control.
HyperID authorization flows integrate into any web-based system, which makes them a versatile choice for user authentication. Non-web applications, such as desktop or mobile apps, need two extra pieces: a user agent in which the HyperID login and consent pages can be shown, and a way to receive the redirect that carries the authorization code. The two common approaches are an embedded web-browser component inside the application and the system browser. The system browser is the safer choice: the user sees the real HyperID origin, existing sessions and password managers work, and the application cannot observe what the user types into the login page, whereas an embedded web view is fully under the host application's control (this is the guidance of RFC 8252, OAuth 2.0 for Native Apps).
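With the system browser, the application still has to receive the redirect. The usual technique for desktop applications is a short-lived HTTP listener on the loopback interface, whose port becomes part of the redirect URI. The block below is an added example written for this page, not HyperID's own code; it assumes the provider allows a loopback redirect URI to be registered for the client. The authorization request itself is formed exactly as for a web client, with `redirect_uri` set to the listener's address; `simulate_browser_redirect` stands in for the system browser following the provider's redirect so the block can run offline.

```python
"""Added example: loopback redirect listener for a native (non-web) client.

Not HyperID code. Assumes the client is registered with a loopback redirect
URI of the form http://127.0.0.1:<port>/callback.
"""
import http.server
import secrets
import threading
import urllib.parse
import urllib.request


class _OneShotCallback(http.server.BaseHTTPRequestHandler):
    """Serves exactly one request: the provider's redirect back to the app."""

    def do_GET(self):
        # Record the query string for the waiting application thread.
        self.server.query = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"Sign-in complete. You can close this window.")

    def log_message(self, *args):  # keep the console quiet
        pass


class LoopbackRedirect:
    """Ephemeral loopback HTTP listener used as the OAuth redirect target."""

    def __init__(self, expected_state: str, timeout: float = 60.0):
        # Port 0 lets the OS choose a free port; the socket is bound and
        # listening as soon as the server object exists.
        self._server = http.server.HTTPServer(("127.0.0.1", 0), _OneShotCallback)
        self._server.query = None
        self._server.timeout = timeout      # give up if no redirect arrives
        self._expected_state = expected_state
        self._thread = threading.Thread(target=self._server.handle_request, daemon=True)

    @property
    def redirect_uri(self) -> str:
        """Value to send as redirect_uri in the authorization request."""
        return f"http://127.0.0.1:{self._server.server_port}/callback"

    def start(self) -> None:
        """Begin waiting for the single redirect request in the background."""
        self._thread.start()

    def wait_for_code(self) -> str:
        """Block until the redirect arrives, validate it and return the code."""
        self._thread.join()
        self._server.server_close()
        query = self._server.query
        if query is None:
            raise TimeoutError("no redirect received before the timeout")
        state = query.get("state", [""])[0]
        # Constant-time comparison against the state generated for this attempt.
        if not secrets.compare_digest(state.encode(), self._expected_state.encode()):
            raise ValueError("state mismatch: redirect is not bound to this login attempt")
        if "error" in query:
            raise ValueError(f"authorization failed: {query['error'][0]}")
        code = query.get("code", [""])[0]
        if not code:
            raise ValueError("redirect carries no authorization code")
        return code


def simulate_browser_redirect(url: str) -> None:
    """Test stand-in for the system browser following the provider's redirect.

    Proxies are disabled explicitly so the request really goes to loopback.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url) as response:
        response.read()


def new_state() -> str:
    """Fresh unguessable state value for one login attempt."""
    return secrets.token_urlsafe(32)
```

In a real application the flow is: create `LoopbackRedirect(new_state())`, call `start()`, open the authorization URL (built with `redirect_uri=listener.redirect_uri` and the same `state`) in the system browser, for example with `webbrowser.open`, then call `wait_for_code()` and redeem the returned code at the token endpoint. The listener accepts a single request and then closes, so the port is only open for the duration of one login.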