-1

Does OpenID implementation usually works in a way that it redirects the user to the provider site and then back? The case I'm asking about has sign-up/sign-in embedded into the client site so it doesn't actually redirect you anywhere. The client and the OpenID provider are NOT the same organization. So if the "sign in" is embedded into client website, does that mean the client is getting this information as well?

Thank you!

tech1234
  • 1
  • 1

1 Answers1

0

The client receives no credentials, but a token which was created by the provider. So embedded means, all authentification information is only transferred to the provider.

Nachtgold
  • 539
  • 1
  • 6
  • 27
  • That is not true for direct grant (password grant) flow. – Jan Garaj Aug 05 '20 at 19:59
  • That sounds incredible dangerous, so that I didn't even know, that it exists. But you are right - https://oauth.net/2/grant-types/password/ _The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely._ Please don't use that. – Nachtgold Aug 12 '20 at 07:48