Identity providers
An identity provider (IdP) is a system or service that manages user authentication, identity information, and consent. Open Payments requires any authorization server (AS) that issues interactive grants (a grant requiring explicit interaction/consent from the resource owner before an access token can be issued) to be integrated with an IdP.
After an interactive grant request is initiated and the AS sets the session, the AS provides the client with the IdP URI to redirect the end-user to.
```mermaid
sequenceDiagram
Client instance->>Authorization server (AS): Sends interactive grant request
Authorization server (AS)-->>Client instance: 200 returns interact redirect uri and continue uri
Client instance->>Authorization server (AS): Navigates to interact redirect uri
Authorization server (AS)->>Authorization server (AS): Starts interaction and sets session
Authorization server (AS)-->>Client instance: 302 temporary redirect to identity provider uri with grant info in query string
Client instance->>Identity provider (IdP): Redirects to identity provider
Identity provider (IdP)->>Identity provider (IdP): Resource owner (e.g. client end-user) accepts interaction
Identity provider (IdP)->>Authorization server (AS): Sends interaction choice
Authorization server (AS)-->>Identity provider (IdP): 202 choice accepted
Identity provider (IdP)->>Authorization server (AS): Requests to finish interaction
Authorization server (AS)->>Authorization server (AS): Ends session
Authorization server (AS)-->>Identity provider (IdP): 302 temporary redirect to finish url (defined in initial grant request) secured with unique hash and interact_ref in query string
Identity provider (IdP)->>Client instance: Follows redirect
Client instance->>Client instance: Verifies hash
Client instance->>Authorization server (AS): Sends grant continuation request with interact_ref in body to continue uri
Authorization server (AS)-->>Client instance: 200 returns grant access token
```