

Authentication Flows


Last updated 1 year ago


Now that we’ve reviewed some of the ways you can integrate with IAS, let’s dive into the supported authentication flows.

Authorization Code + PKCE

If you are building a mobile app or a website, you SHOULD authenticate users with the Authorization Code flow with Proof Key for Code Exchange (PKCE).

When implemented correctly, this flow defends against authorization code interception and injection: the Authorization Code is single-use, it can only be exchanged at the token endpoint together with the Code Verifier that produced the Code Challenge, and the redirect URI must match the registered client configuration. A public client (mobile app, single-page app) needs no Client Secret for this flow; a confidential client (server-rendered website) uses PKCE in addition to its Client Secret.

The Authorization Code + PKCE Flow goes through the following steps.

  1. The user clicks the “Login” link in your application.

  2. Your app creates a cryptographically random Code Verifier and derives a Code Challenge from it, normally with the S256 method (the base64url-encoded SHA-256 hash of the Code Verifier). These two values are needed for the PKCE validation.

  3. Your app redirects the user to IAS’s /connect/authorize endpoint with the Response Type (code), Client ID, Redirect URI, Scope, Code Challenge and Code Challenge Method parameters in the query string, which tells IAS to use the Authorization Code + PKCE flow. Include a random state value (and a nonce for the ID Token) so your app can tie the callback to this login attempt.

  4. IAS shows a login screen to the user.

  5. The user authenticates to IAS using Auðkenni.

  6. IAS stores the Code Challenge together with the newly issued Authorization Code and redirects the user back to your Redirect URI with that single-use, short-lived Authorization Code (and the state value, which your app MUST compare with the one it sent before continuing).

  7. Your app sends the Authorization Code and the Code Verifier to IAS’s /connect/token endpoint, together with the Client ID, the same Redirect URI and, for a confidential client, the Client Secret.

  8. IAS recomputes the Code Challenge from the presented Code Verifier and compares it with the one stored in step 6; if they differ, or the code has already been used, the request is rejected.

  9. IAS returns an ID Token, an Access Token and optionally a Refresh Token.

  10. The app can use the Access Token to call your API to access information about the user.

  11. Your API validates the Access Token and responds with the requested data.
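
The PKCE steps above (2, 3, 7 and 8) worked through in code, as an added example that is not code from the island.is project: it generates the Code Verifier and Code Challenge, builds the authorize and token requests, and includes a small stand-in for the check IAS performs at /connect/token. The issuer, client ID and redirect URI are placeholder assumptions and the block makes no network calls.

```typescript
// Added example, not island.is code: the PKCE steps of the flow above, with
// no network I/O. Issuer, client id and redirect URI are placeholder assumptions.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

const ISSUER = "https://ias.example.invalid";             // assumption: the real issuer is per environment
const CLIENT_ID = "@example.org/my-app";                  // assumption: placeholder client id
const REDIRECT_URI = "https://my-app.example.invalid/cb"; // assumption: must equal the registered redirect URI

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Step 2: a cryptographically random Code Verifier (RFC 7636 allows 43..128 chars).
function createCodeVerifier(): string {
  return base64url(randomBytes(32)); // 32 random bytes -> 43 base64url characters
}

// S256 method: Code Challenge = BASE64URL(SHA-256(ASCII(Code Verifier))).
function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Step 3: the redirect to /connect/authorize. state protects the callback
// against CSRF and nonce ties the ID Token to this login attempt; both stay
// on the client (e.g. session storage) until the callback arrives.
function buildAuthorizeUrl(verifier: string, state: string, nonce: string, scope = "openid profile"): string {
  const url = new URL(`${ISSUER}/connect/authorize`);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  url.searchParams.set("code_challenge", codeChallengeS256(verifier));
  url.searchParams.set("code_challenge_method", "S256");
  return url.toString();
}

// Step 7: the form body POSTed to /connect/token. A public client (mobile app,
// SPA) sends no client_secret; possession of the verifier is its proof.
function buildTokenRequestBody(code: string, verifier: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
    code_verifier: verifier,
  });
}

// Step 8 from the server's side (a stand-in, not IAS code): recompute the
// challenge from the presented verifier and compare it, in constant time,
// with the challenge stored next to the authorization code in step 6.
function verifierMatchesChallenge(verifier: string, storedChallenge: string): boolean {
  if (verifier.length < 43 || verifier.length > 128) return false;
  const computed = Buffer.from(codeChallengeS256(verifier), "ascii");
  const stored = Buffer.from(storedChallenge, "ascii");
  return computed.length === stored.length && timingSafeEqual(computed, stored);
}
```

The known-answer pair from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a good smoke test for any PKCE implementation. Keep the verifier, state and nonce bound to the login attempt on the client, and compare the state on the callback before sending the code to the token endpoint.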

Library Configuration

Using an OIDC library, you need the following parameters to perform a user authentication:

  • Client ID to authenticate your client. You get this from IAS.

  • Client Secret if your client is confidential. You get this from IAS.

  • Scope is a space-separated list of scopes which grant access to specific APIs using the Access Token or to claims in the ID Token. You can only list scopes which your client has access to.

  • Redirect Uri specifies where IAS should redirect to after authenticating the user. This MUST match your client configuration in IAS.

  • If your library supports OIDC discovery:

    • Issuer or Authority, the base URL of IAS for the environment you are targeting (see the Environments page).

  • Otherwise:

    • Authorization Endpoint, for IAS this is ${Issuer}/connect/authorize

    • Token Endpoint, for IAS this is ${Issuer}/connect/token

Client Credentials

With Client Credentials there is no user involved: IAS authenticates only the client making the request, and the Access Token represents that client (typically a backend service or scheduled job), not a person. Because the flow relies on the Client Secret, it is only suitable for confidential clients running on a server you control; never embed the secret in a mobile app or browser code.

The Client Credentials Flow goes through the following steps.

  1. Your app sends its Client ID and Client Secret to IAS’s /connect/token endpoint to authenticate, together with the grant type (client_credentials) and the requested scopes.

  2. IAS validates the Client ID and Client Secret and checks that the requested scopes are allowed for that client.

  3. IAS returns an Access Token (no ID Token, since no user was authenticated).

  4. The app can use the Access Token to call the API.

  5. The API validates the Access Token and responds with the requested data.
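
The exchange above modelled offline, as an added example that is not island.is code: the client side builds the token request, and a constructed stand-in for the IAS side shows what must be checked before a token is issued for a client rather than a user (secret comparison in constant time, and only scopes the client is allowed to request). The client IDs, secret and scopes are placeholders.

```typescript
// Added example, not island.is code: the Client Credentials exchange above,
// modelled offline. All ids, secrets and scopes are constructed placeholders.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Step 1: form body for POST /connect/token. The secret travels in the body
// (or an HTTP Basic header), never in the query string where it would reach
// access logs and proxies.
function buildClientCredentialsBody(clientId: string, clientSecret: string, scope: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope,
  });
}

// ---- Constructed stand-in for the IAS side (steps 2 and 3) ----

interface RegisteredClient {
  secretSha256: Buffer;        // only a hash of the secret is stored
  allowedScopes: Set<string>;  // scopes this client may request
}

function sha256(s: string): Buffer {
  return createHash("sha256").update(s, "utf8").digest();
}

// Constructed client registration; in practice IAS holds this for you.
const registry = new Map<string, RegisteredClient>([
  ["@example.org/batch-job", {
    secretSha256: sha256("constructed-secret-1"),
    allowedScopes: new Set(["@example.org/documents:read", "@example.org/documents:write"]),
  }],
]);

interface TokenResponse { access_token: string; token_type: "Bearer"; expires_in: number; scope: string; }
interface TokenError { error: "unsupported_grant_type" | "invalid_client" | "invalid_scope"; }

function issueClientCredentialsToken(body: URLSearchParams): TokenResponse | TokenError {
  if (body.get("grant_type") !== "client_credentials") return { error: "unsupported_grant_type" };
  const client = registry.get(body.get("client_id") ?? "");
  // Step 2: compare hashes in constant time. An unknown client is compared
  // against a dummy hash so the timing does not reveal which ids exist.
  const expected = client?.secretSha256 ?? sha256("dummy");
  const secretOk = timingSafeEqual(sha256(body.get("client_secret") ?? ""), expected);
  if (!client || !secretOk) return { error: "invalid_client" };
  // Only scopes granted to this client may be requested; one bad scope fails the request.
  const allowed = client.allowedScopes;
  const requested = (body.get("scope") ?? "").split(" ").filter(Boolean);
  if (requested.length === 0 || !requested.every((s) => allowed.has(s))) return { error: "invalid_scope" };
  // Step 3: the token represents the client itself (no user subject, so no
  // ID Token). An opaque random handle stands in for the token IAS issues.
  return {
    access_token: randomBytes(32).toString("hex"),
    token_type: "Bearer",
    expires_in: 3600,
    scope: requested.join(" "),
  };
}
```

Two details carry over to real deployments: the server responds with the same invalid_client error for a wrong secret and for an unknown client, and the requested scope list is validated as a whole rather than silently narrowed, so a misconfigured job fails loudly instead of running with fewer permissions than it expects. How your API validates the returned Access Token is covered under Authorising API Endpoints.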

Library Configuration

You need the following parameters to perform a client authentication:

  • Client ID and Client Secret to authenticate your client. You get this from IAS.

  • Scope is a space-separated list of scopes which grant access to specific APIs. You can only list scopes which your client has access to.

  • If your library supports OIDC discovery:

    • Issuer or Authority, the base URL of IAS for the environment you are targeting (see the Environments page).

  • Otherwise:

    • Token Endpoint, for IAS this is ${Issuer}/connect/token

Figure: Authorization Code + PKCE Flow
Figure: Client Credentials Flow