Implicit Flow - ID Token

Warning

The Implicit flow was used when the client secret could not be kept confidential. The more secure way is to perform the PKCE flow instead.

How it works

sequenceDiagram
    participant Client
    participant AuthServer as Authentication Server
    participant User

    Client->>AuthServer: Authentication Request
    AuthServer->>User: User Login
    User->>AuthServer: Consent
    AuthServer->>User: Verify User
    AuthServer->>AuthServer: Generate ID Token
    AuthServer-->>Client: Authentication Response (ID Token)
    Client->>AuthServer: ID Token Validation Request
    AuthServer->>AuthServer: Validate ID Token
    AuthServer-->>Client: ID Token Validation Response

When using response_type=id_token, Unidy redirects the user to the partner application with a JWT parameter. This JWT already contains the user data.

Decoding

To decode the JWT, split the token at "." and decode each part with base64. Libraries normally do this for you.
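
The decoding step above, written out by hand as an added example (not Unidy's code and not from any library). JWT parts use the URL-safe base64 alphabet with the "=" padding stripped, so the padding is restored before decoding. The function names, the sample token, its claims and its placeholder signature are constructed for illustration.

```python
import base64
import json
import re

_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment (base64url, '=' padding stripped by the issuer)."""
    if not _B64URL.fullmatch(segment):
        raise ValueError("segment is empty or has characters outside base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Inverse helper, used here only to build the constructed sample token."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple[dict, dict, bytes]:
    """Split at '.' and decode the parts. The signature is returned, not checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three parts: header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"malformed JWT: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, payload, signature


def make_sample_token(claims: dict) -> str:
    """Constructed token with a placeholder signature (not issued by any server)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(b'placeholder-signature')}"


if __name__ == "__main__":
    token = make_sample_token({"sub": "user-123", "email": "alice@example.com"})
    print(decode_jwt_unverified(token))
    # A token whose payload was swapped still decodes: decoding says nothing
    # about who wrote the claims, so validate the token before using them.
    head, _, sig = token.split(".")
    altered = f"{head}.{b64url_encode(json.dumps({'sub': 'other'}).encode())}.{sig}"
    print(decode_jwt_unverified(altered)[1])
```

Decoding only reads the token; the partner application should use the claims only after the ID token has passed validation, as in the last steps of the diagram.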