Mobile Application + API
In this scenario you have a Mobile Application “Client” which talks to an API (“Resource Server”).
The application will use OpenID Connect with the Authorization Code Grant flow (with the PKCE extension) to authenticate users; PKCE is what lets a public client such as a mobile app prove it is the same party that started the login without holding a client secret.
When a user logs in, Domec Tools will return to the application an access_token, an id_token, and optionally a refresh_token. The access_token is used to securely call the API on behalf of the user, whereas the id_token is consumed only by the client and contains user profile data. Alternatively, the user profile can be obtained by calling the /userinfo endpoint in the Domec Tools Authentication API with the access_token. If a refresh_token was obtained (by including the “offline_access” value in the scope query parameter), the Client can use it to obtain a new access_token whenever a previous one expires.
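The following is an added example, not code from the page or from Domec Tools, showing the client side of the flow described above and why PKCE matters for a public client. It generates the PKCE pair per RFC 7636 (S256), builds the authorize request with the “offline_access” scope, and then exchanges the code against a small stand-in for the authorization server’s token endpoint that refuses the exchange unless the caller presents the verifier matching the challenge bound to that code. The issuer URL, client id, and redirect URI are constructed placeholders; the token values returned by the stand-in are likewise constructed and are not real tokens.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; a real deployment uses the tenant's issuer and the
# client id / redirect URI registered for the mobile app.
ISSUER = "https://tenant.example.invalid"
CLIENT_ID = "mobile-app-client-id"
REDIRECT_URI = "com.example.app://callback"


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method.

    The verifier never leaves the device until the token exchange; only its
    SHA-256 digest travels through the browser/app switch in the authorize URL.
    """
    verifier = b64url(secrets.token_bytes(32))  # 43 chars of high entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(code_challenge, state, nonce, want_refresh=True):
    """Authorization Code request; 'offline_access' asks for a refresh_token."""
    scope = "openid profile email"
    if want_refresh:
        scope += " offline_access"
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,            # CSRF binding, checked on the callback
        "nonce": nonce,            # replay binding, echoed inside the id_token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return ISSUER + "/authorize?" + urlencode(params)


def scopes_in(url):
    """Helper for inspection/tests: the scope values carried by an authorize URL."""
    return parse_qs(urlparse(url).query)["scope"][0].split()


class FakeAuthorizationServer:
    """Stand-in for the /token endpoint (not Domec Tools' implementation).

    It binds each issued code to the challenge seen at /authorize and only
    releases tokens to a caller who presents the matching verifier. A code
    intercepted from the redirect is therefore useless on its own.
    """

    def __init__(self):
        self._pending = {}  # code -> code_challenge

    def issue_code(self, code_challenge):
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        challenge = self._pending.pop(code, None)  # codes are single-use
        if challenge is None:
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):
            return {"error": "invalid_grant"}
        # Constructed token values; shape mirrors a real token response.
        return {
            "token_type": "Bearer",
            "expires_in": 3600,
            "access_token": "constructed-access-token",   # for the API
            "id_token": "constructed-id-token",           # for the client only
            "refresh_token": "constructed-refresh-token", # from offline_access
        }


def run_login(server, want_refresh=True):
    """Drive one login end to end and return the token response."""
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(challenge, secrets.token_urlsafe(8), secrets.token_urlsafe(8), want_refresh)
    code = server.issue_code(parse_qs(urlparse(url).query)["code_challenge"][0])
    return server.token(code, verifier)


if __name__ == "__main__":
    print(run_login(FakeAuthorizationServer()))
```

The `state` and `nonce` parameters are generated per login and must be checked by the client when the redirect comes back and when the id_token is validated; the stand-in above only demonstrates the PKCE check, which is the part that protects a client with no secret.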
The application will usually store the information about the user’s session (e.g. whether they are logged in, their tokens, user profile data, etc.) in some form of local storage on the mobile device.