Identity Client


In Visual Guard, the Identity Client is a component responsible for interacting with the VGIdentity Server to handle user authentication and authorization within applications. It acts as a client-side library or module integrated into the application code to facilitate user authentication, obtain security tokens, and enforce access control policies.

In practice, the Identity Client is the piece of a Visual Guard-protected application that enforces the authentication and authorization policies defined on the VGIdentity Server, manages the user's session, and carries the tokens the application uses for access control.

Below are the functionalities that fall under Identity Client configuration:

  1. Primary Information: Essential data or key details that are fundamental to understanding the application.
  • Name: A unique identifier or label assigned to the application
  • Platform types: VisualGuard Identity Client configuration supports various platform types for integration with applications, each catering to different use cases and environments. Here’s an explanation of the different platform types:
    • Web Applications (Java, Asp.Net, etc): Software programs or platforms accessed through web browsers, allowing users to interact with services, data, and functionalities over the internet.
    • SPAs (Single Page Application) (Javascript Front end apps, Angular.js, Node.js, etc): Web applications that dynamically update content without reloading the entire page, offering a seamless and responsive user experience similar to desktop applications
    • Native Applications (Mobile/Desktop, Powerbuilder, PowerServer etc): Software programs developed specifically for a particular platform or device, leveraging its native features and capabilities to deliver optimized performance and user experience.
    • Service Applications (Machine to Machine – On behalf of the client, no interactive user is present): Software programs designed to run in the background, providing specific functionalities or performing tasks independently of user interaction, often used to automate processes or manage system resources
  • Description: A brief explanation or summary providing additional context or details about the application
  • Application type: Classification specifying the nature or purpose of the software application, such as PowerBuilder or PowerBuilder + PowerServer

2. Identity Resources/Scope: The client specifies the scope of the access it requests, which defines the resources and operations the client may access on behalf of the user. The scope is sent in the authorization request, and the VGIdentity Server only grants scopes that are enabled for that client; a client that asks for a scope it is not configured for is refused. Grant each client only the scopes it needs.

  • VGActivityDate: Requests access to the VGActivityDate information
  • VGApplications: Requests access to the list of applications the user can access
  • VGDeveloper: Requests access to the information used by the developer API operations (vgPermissionInfo, vgRoleInfo, vgAppInfo)
  • VGIsApproved: Requests access to whether the user is an approved user
  • VGIsLocked: Requests access to whether the user account is locked
  • VGPermissions: Requests access to the list of permissions granted to the user
  • VGProfile: Requests access to the user profile information (first name, last name, email, etc.)
  • VGRoles: Requests access to the list of roles granted to the user
  • VGToken: Requests access to the VGToken

3. Redirect URIs Information – Uniform Resource Identifiers (URIs): The client specifies one or more redirect URIs to which the Identity server sends the user (with the authorization response) after authentication. Every redirect URI must be registered with the VisualGuard Identity server during client registration: the server only redirects to a URI that exactly matches a registered value, which is what stops an attacker from supplying their own URI in the authorization request and intercepting the authorization code. Register complete URIs (scheme, host, port and path) rather than prefixes or wildcards.

  • Allowed Redirect URIs: The exact URIs the Identity server may redirect to with the authorization response
  • Post Logout URIs: The exact URIs the Identity server may redirect to after the user signs out
  • Is Overwrite URI Information when deployed
  • CORS: Refers to Cross-Origin Resource Sharing (CORS), the browser mechanism that allows a page served from one origin to request resources from another origin. A browser-based client (an SPA) runs on a different origin than the Identity server, so its origin must be listed here for its calls to the Identity server endpoints to succeed.
    • Allowed cors origin: The origins (scheme, host and port, with no path) allowed to call the Identity server from the browser

4. Grant Types: The client specifies the type of authorization grant it uses to obtain access tokens. A client should be enabled for the grant types it actually uses and no others, since every enabled grant is an additional way to obtain tokens in that client's name.

  • Client credentials: Used on behalf of a client itself, with no interactive user present (the Service Application platform type). The client authenticates with its client id and secret
  • Implicit: Historically used for JavaScript applications, where all tokens are transmitted via the browser. The access token is returned immediately from the authorization endpoint without the authorization code exchange step, so advanced features such as refresh tokens are not available. Because tokens travel through the browser front channel (URL fragments, history, referrers), current OAuth guidance deprecates this flow; prefer Authorization Code for new browser and native clients
  • Authorization Code: The browser front channel carries only a short-lived, single-use authorization code; the client then exchanges that code for tokens on a back channel directly with the token endpoint. This is the recommended grant for web, SPA and native applications
  • ResourceOwner Password: Allows a client to request tokens on behalf of a user by sending the user's name and password directly to the token endpoint. This so-called "non-interactive" authentication exposes the user's credentials to the client application and is generally not recommended
  • Hybrid: A combination of the implicit and authorization code flows that uses multiple response types, most typically code id_token. In the hybrid flow the identity token is transmitted via the browser channel and contains the signed protocol response along with hashes of other artifacts such as the authorization code, which lets the client detect tampering with the code before it is exchanged. This mitigates a number of attacks that apply to the browser channel
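The three configuration areas above (scopes, registered redirect URIs, grant types) all come together in one authorization code request. The following is an added example, not code from Visual Guard or the VGIdentity Server, showing the client side of that flow with the checks a practitioner would want: the redirect URI is matched exactly against the registered list, requested scopes are checked against the client's allowed scopes, the callback's state parameter is verified before the code is used, and the code is exchanged on the back channel. The client record, the endpoint URL (/connect/authorize) and the use of PKCE are assumptions made for the example; check your own server's documented endpoints before relying on them.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed authorization endpoint; the real path depends on the VGIdentity Server deployment.
AUTHORIZE_ENDPOINT = "https://identity.example.com/connect/authorize"

# Constructed client registration mirroring the configuration fields described on this page.
CLIENT = {
    "client_id": "spa-demo",
    "platform": "SPA",
    "grant_types": ["authorization_code"],
    "allowed_scopes": ["openid", "VGProfile", "VGRoles", "VGPermissions", "VGApplications"],
    "allowed_redirect_uris": ["https://app.example.com/signin-callback"],
    "post_logout_uris": ["https://app.example.com/"],
    "allowed_cors_origins": ["https://app.example.com"],
}


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): BASE64URL(SHA-256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """Fresh 43-character URL-safe verifier; one per authorization request, never reused."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def redirect_uri_is_registered(client: dict, candidate: str) -> bool:
    """Exact string match against the registered list. No prefix, suffix, wildcard or
    case-insensitive matching: each of those has been used to redirect codes to attacker hosts."""
    return candidate in client["allowed_redirect_uris"]


def build_authorization_request(client: dict, scopes: list, redirect_uri: str,
                                state: str, code_challenge: str) -> str:
    """Return the URL the browser is sent to, after validating the request against the client config."""
    if "authorization_code" not in client["grant_types"]:
        raise ValueError("client is not enabled for the authorization code grant")
    if not redirect_uri_is_registered(client, redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    unknown = set(scopes) - set(client["allowed_scopes"])
    if unknown:
        raise ValueError(f"scopes not allowed for this client: {sorted(unknown)}")
    params = {
        "client_id": client["client_id"],
        "response_type": "code",            # authorization code flow, not implicit
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,                     # bound to the user's session; checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the front-channel response and return the authorization code.
    The state check comes first so a forged or mixed-up response is rejected before
    its code is ever looked at; an error response must not be mistaken for success."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(client: dict, code: str, redirect_uri: str, code_verifier: str) -> dict:
    """Form body for the back-channel exchange at the token endpoint. The redirect_uri must
    repeat the value used in the authorization request; the server rejects a mismatch."""
    return {
        "grant_type": "authorization_code",
        "client_id": client["client_id"],
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    verifier = new_pkce_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_request(CLIENT, ["openid", "VGProfile", "VGRoles"],
                                      "https://app.example.com/signin-callback",
                                      state, pkce_challenge(verifier))
    print(url)
```

The state and PKCE verifier must be stored server-side (or in the SPA's session storage) between the two steps; storing them in the callback URL itself would defeat the check. A confidential web application would add its client secret to the token request, as shown under Secret Keys below.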

5. Secret Keys: A client secret is a confidential string, typically long and random, that the client presents together with its client id to authenticate itself to the VGIdentity Server token endpoint. It is only meaningful for confidential clients (web applications running on a server, and service applications): an SPA or a native application cannot keep a secret from its users, so a secret embedded in such a client provides no protection.

  • Secret: The secret value itself. Treat it like a password: store it in a secrets store or protected configuration, never in client-side code or source control
  • Description: A brief explanation of what this secret is for (for example, which deployment or environment uses it), which makes rotation easier when several secrets exist
  • Expiry: The date after which the secret is no longer accepted by the token endpoint. Issue a replacement secret before this date so that rotation does not cause an outage
  • Is override when deployed: Indicates whether this configured value should be replaced with a new value when the configuration is deployed
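As an added example (not Visual Guard code), the following shows how a server-side verifier can handle a client that has two secrets during rotation: an expired one that must be refused and a current one, compared in constant time against a stored hash rather than the plaintext. It also builds the client_credentials token request a service application would send, authenticating with HTTP Basic as described in RFC 6749 section 2.3.1. Hashed storage of secrets, the client id and the dates are assumptions for the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlencode


def hash_secret(secret: str) -> str:
    """Hash used for storing client secrets (assumed for the example: the server keeps only
    this digest, so a leaked configuration store does not yield usable secrets)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed client record: rotation in progress, the old secret expired on 1 Jan 2025.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
CLIENT_SECRETS = [
    {"description": "2024 secret, rotated out", "hash": hash_secret("old-secret"),
     "expiry": datetime(2025, 1, 1, tzinfo=timezone.utc)},
    {"description": "2025 secret, batch job host", "hash": hash_secret("new-secret"),
     "expiry": datetime(2026, 1, 1, tzinfo=timezone.utc)},
]


def verify_client_secret(presented: str, secret_list: list, now: datetime) -> bool:
    """True if the presented secret matches at least one unexpired configured secret.
    hmac.compare_digest avoids a timing side channel on the comparison, and the loop
    runs over every entry so the number of comparisons does not reveal which one matched."""
    digest = hash_secret(presented)
    matched = False
    for entry in secret_list:
        if entry["expiry"] <= now:          # expired secrets are never accepted
            continue
        if hmac.compare_digest(digest, entry["hash"]):
            matched = True
    return matched


def days_until_expiry(secret_list: list, now: datetime) -> int:
    """Days until the last unexpired secret expires; 0 if none is valid. Alert well before this hits 0."""
    valid = [e["expiry"] for e in secret_list if e["expiry"] > now]
    return max((exp - now).days for exp in valid) if valid else 0


def client_credentials_request(client_id: str, client_secret: str, scopes: list):
    """Headers and form body for a client_credentials token request (RFC 6749 section 4.4)
    using client_secret_basic authentication (section 2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body


if __name__ == "__main__":
    print("new-secret accepted:", verify_client_secret("new-secret", CLIENT_SECRETS, NOW))
    print("old-secret accepted:", verify_client_secret("old-secret", CLIENT_SECRETS, NOW))
    print("days until last secret expires:", days_until_expiry(CLIENT_SECRETS, NOW))
    print(client_credentials_request("batch-service", "new-secret", ["VGPermissions", "VGRoles"]))
```

The request goes over TLS to the token endpoint; the Basic header carries the secret in reversible encoding, so it must never be logged. Keeping the outgoing secret configured with an expiry in the past rather than deleting it immediately preserves a record of the rotation without leaving it usable.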
