About OpenID Connect
Overview of OpenID Connect (OIDC) identity layer and ID token claims in EmpowerID.
Authorization Code Grant
Use the Authorization Code grant to obtain access, refresh, and ID tokens; includes PKCE and .NET client examples.
Device Authorization Grant
Use the Device Authorization (Device Code) flow for devices without a browser to obtain user-approved access tokens.
Resource Owner Password
Issue tokens to trusted apps by submitting a user's credentials directly to the token endpoint.
JWT Bearer Grant
Exchange a signed JWT for EmpowerID access/refresh tokens using the JWT Bearer grant.
Client Credentials
Obtain an access token for machine-to-machine apps using the Client Credentials grant.
Client Certificate Grant
Use signed SAML assertions with client credentials to obtain access tokens via the certificate grant.
Refresh Token Grant
Exchange a refresh token for new access/refresh tokens using the Refresh Token grant.
Implicit Grant
Obtain tokens directly from the authorization endpoint using the Implicit grant (legacy browser-based apps).
RP-Initiated Logout
End user sessions at EmpowerID and optionally at relying parties (global logout) using RP-initiated logout.
UserInfo Endpoint
Retrieve claims about the authenticated user via the OpenID Connect UserInfo endpoint.
Token Introspection Endpoint
Validate and inspect access or refresh tokens using the token introspection endpoint.
Token Revoke Endpoint
Revoke access or refresh tokens using the token revoke endpoint.
Token Exchange Endpoint
Exchange external access tokens (e.g., Azure) for EmpowerID tokens using the token exchange endpoint.
Azure Token Auth
How EmpowerID accepts Azure access tokens, exchanges them internally, and enforces access on APIs.