Mobile Application + API

In this scenario you have a Mobile Application “Client” which talks to an API (“Resource Server”).

The application will use OpenID Connect with the Authorization Code Grant Flow (with the PKCE extension) to authenticate users. When a user logs in, Domec Tools will return to the application an access_token, an id_token, and optionally a refresh_token. The access_token is used to securely call the API on behalf of the user, whereas the id_token is consumed only by the client and contains user profile data. Alternatively, the user profile can be obtained by calling the /userinfo endpoint of the Domec Tools Authentication API with the access_token.

If a refresh_token was obtained (by including the “offline_access” value in the scope query parameter), the Client can use it to obtain a new access_token whenever a previous one expires.

The application will usually store the information about the user’s session (i.e. whether they are logged in, their tokens, user profile data, etc.) in some form of local storage on the mobile device.
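The client side of the flow described above, as an added example that is not Domec Tools code: it generates the PKCE verifier/challenge pair, builds the authorization request (including the offline_access scope so a refresh_token is issued), and builds the token and refresh requests a public mobile client sends. The issuer URL and the /authorize and /oauth/token paths are assumptions, since the page names only the /userinfo endpoint.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed issuer; the page names "Domec Tools" but gives no base URL.
ISSUER = "https://domec-tools.example.invalid"


def _b64url(data: bytes) -> str:
    # Base64url without padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def generate_pkce_pair() -> tuple[str, str]:
    # 32 random bytes -> 43-char verifier, within the 43..128 range of RFC 7636.
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, challenge: str,
                        state: str, nonce: str, want_refresh: bool = True) -> str:
    scope = "openid profile email"
    if want_refresh:
        scope += " offline_access"  # asks the server to issue a refresh_token
    params = {
        "response_type": "code",  # authorization code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,  # CSRF protection on the redirect
        "nonce": nonce,  # bound into the id_token
    }
    return f"{ISSUER}/authorize?" + urlencode(params)


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    # Body for POST {ISSUER}/oauth/token. A mobile app is a public client, so there
    # is no client_secret; the code_verifier is what proves possession of the code.
    return {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri, "code_verifier": verifier}


def build_refresh_request(client_id: str, refresh_token: str) -> dict:
    # Exchange the stored refresh_token for a new access_token once it expires.
    return {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # What the authorization server checks at the token endpoint.
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```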