The picture above is a schematic representation of the login flow of the SURFconext OpenID Connect proxy. To get a feel for how this works in practice, you can experiment with our playground: https://authz-playground.connect.surfconext.nl
1. User clicks "login via SURFconext"
2. Client (SP) generates an OpenID Connect Authorize request
3. Client (SP) redirects the user to the OpenID Connect Authorization endpoint
4. OpenID Connect server receives the request and prepares a SAML redirect
5. WAYF: user selects their institution on the WAYF
6. IdP parses the request and authenticates the user
7. IdP redirects back to SURFconext with a SAML response
8. SURFconext sends a SAML response to the OpenID Connect gateway
9. The OpenID Connect gateway verifies the response, generates a code, and redirects the user to the Client (SP) with the code
10. The Client (SP) receives the code
11. The Client (SP) prepares a backchannel request to exchange the code for an access token and an ID token
12. The OpenID Connect gateway receives the token request and checks that the code is valid
13. The OpenID Connect gateway generates an access token and an ID token
The picture above shows what a client can do with an access token: the client presents the access token to retrieve information on behalf of the user.