[Openid-specs-ab] OpenID Connect + OAuth to cross domains

Justin Richer jricher at mitre.org
Fri Sep 7 14:42:16 UTC 2012

We've been working on a system that makes use of both vanilla OAuth2 and 
OpenID Connect to bridge between two security domains. One of our 
immediate applications for this is in the healthcare space (a doctor's 
system requesting a medical record from another doctor's system), but 
we're finding that the pattern is very useful across a multitude of 
different deployments.

The setup is fairly simple and shouldn't surprise anyone in this group: 
somebody wants to authorize a client to access data, so they do the 
OAuth dance and get sent to the AS. But in order to log into the AS, 
they use a distributed ID protocol like OIDC. What I've found that 
confuses people is that the AS, in this case, needs to act like an OIDC 
client (and therefore OAuth2 client) in addition to being an OAuth2 
server in its own right.

With that in mind, I've put together a PDF that lays out, in annotated 
detail, all of the steps that need to occur, and who needs to talk to whom:


  -- Justin
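The double-role AS that the post describes, written out as an added example (this is not code from the post or from the author's project): a toy authorization server that acts as an OIDC relying party toward a remote OP and, once the user is logged in, goes back to being an OAuth2 server and issues its own authorization code. OP_ISSUER, AS_CLIENT_ID, the HMAC-signed token format and all sample values are constructed assumptions; the security-relevant part is binding the outer OAuth request to the inner OIDC login with a one-shot state and a nonce, and checking iss and aud before trusting the ID token.

```python
import hashlib, hmac, json, secrets, time

# Constructed example identifiers and key (assumptions, not from the post).
OP_ISSUER = "https://op.example"        # remote OIDC provider in the user's home domain
AS_CLIENT_ID = "as-bridge"              # the AS's client_id as registered at that OP
OP_KEY = b"constructed-op-hmac-key"     # HS256-style key the toy OP signs ID tokens with

def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(OP_KEY, body, hashlib.sha256).hexdigest()

def op_issue_id_token(sub: str, nonce: str, aud: str = AS_CLIENT_ID, iss: str = OP_ISSUER) -> str:
    """The OP's side: mint an ID token after the user authenticates there."""
    now = int(time.time())
    return _sign({"iss": iss, "sub": sub, "aud": aud, "nonce": nonce, "iat": now, "exp": now + 300})

class BridgingAS:
    """OAuth2 authorization server that is also an OIDC client toward OP_ISSUER."""
    def __init__(self):
        self.pending = {}   # outer state -> (original OAuth request, nonce sent to the OP)
        self.codes = {}     # authorization code -> (client_id, redirect_uri, authenticated sub)

    def begin(self, client_id, redirect_uri, scope):
        """Step 1: a client's OAuth request arrives; the AS starts its own OIDC request to the OP."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = ({"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope}, nonce)
        # The user is redirected to the OP with the AS in the client role.
        return {"iss": OP_ISSUER, "client_id": AS_CLIENT_ID, "state": state, "nonce": nonce}

    def finish(self, state, id_token):
        """Step 2: the OP sends the user back; validate the ID token and tie it to the outer request."""
        if state not in self.pending:
            raise ValueError("unknown state: not a login this AS started")
        outer, nonce = self.pending.pop(state)   # one-shot: a replayed callback is rejected
        body_hex, sig = id_token.split(".")
        body = bytes.fromhex(body_hex)
        if not hmac.compare_digest(sig, hmac.new(OP_KEY, body, hashlib.sha256).hexdigest()):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims["iss"] != OP_ISSUER or claims["aud"] != AS_CLIENT_ID:
            raise ValueError("token not from the expected OP or not addressed to this AS")
        if claims["nonce"] != nonce:
            raise ValueError("nonce mismatch: token not bound to this login")
        if claims["exp"] < time.time():
            raise ValueError("expired")
        # Back in the server role: issue a code for the client that started the outer request.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (outer["client_id"], outer["redirect_uri"], claims["sub"])
        return {"redirect_uri": outer["redirect_uri"], "code": code}
```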
