‣ for all clients using the authz code flow
‣ Redirect URIs must be compared using exact string matching
‣ The Implicit grant is omitted from this specification
‣ The Resource Owner Password Credentials grant is omitted from this specification
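Two of the rules above (exact-match redirect URI comparison and PKCE for the authorization code flow) as an added authorization-server-side check, not code from the slides; the client registry and client id are constructed for the example:

```python
import base64
import hashlib
import hmac
import re

# Constructed registration data for a hypothetical client "client-a".
REGISTERED_REDIRECT_URIS = {
    "client-a": ["https://app.example/callback"],
}

# RFC 7636 code_verifier: 43-128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered URIs.

    No prefix, wildcard or normalisation matching: a trailing path,
    query string or path traversal segment must all fail.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verifier_matches(code_verifier: str, code_challenge: str,
                          method: str = "S256") -> bool:
    """Token-endpoint check: the presented verifier must reproduce the
    challenge bound to the authorization code. Only S256 is accepted."""
    if method != "S256" or not _VERIFIER_RE.match(code_verifier):
        return False
    # Constant-time comparison of the recomputed challenge.
    return hmac.compare_digest(s256_challenge(code_verifier), code_challenge)
```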
‣ verify the identity of an end-user
‣ obtain basic profile information about the user
‣ RESTful HTTP API, using JSON as data format
‣ allows clients of all types (web-based, mobile, JavaScript)
OpenID Foundation, 2014
AuthZ: PAP / PDP / PEP / PIP
2. Can user view record #123?
3. Evaluate policies
4. Retrieve additional attributes
5. Permit, user can view record #123
(diagram labels: PAP: manage policies; PIP)