[Openid-specs-ab] OpenID Connect and Identity Delegation

Matias Woloski matiasw at gmail.com
Wed Mar 27 16:50:42 UTC 2013

Hi everyone,

Our customers have this typical scenario of a web application consuming web
services. In this context, they were using WS-Trust delegation (ActAs) to
delegate the identity of the caller. Is there something equivalent to this
in the OpenID Connect/OAuth world? I would basically like to have a nicer
HTTP alternative to WS-Trust 1.4 ActAs.

Something like:

POST /delegation HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
   "id_token": "... id_token_scoped_to_target ..."
}

The resulting id_token would look like this.

{
   "aud": "http://service.example.com",
   "iss": "http://server.example.com",
   "act_as": "...client_id of the caller...",
   "sub": "...original caller subject name...",
   "...": ... more claims from the subject (transformed/mapped) ...
}

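As an added illustration (not part of Matias's post or any OpenID spec), the sketch below shows both sides of the proposed exchange in Python: the delegation endpoint minting an id_token scoped to the target service with "sub" and "act_as" claims, and the target service checking signature, iss, aud, an allow-list of delegating clients, and expiry before trusting the delegated identity. The HS256 shared secret, the issuer/target URLs and the allowed client_id are constructed demo values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from the original post).
SHARED_SECRET = b"demo-shared-secret"          # HMAC key shared by STS and target service
ISSUER = "http://server.example.com"           # the token/delegation endpoint
TARGET = "http://service.example.com"          # the downstream web service
ALLOWED_DELEGATES = {"s6BhdRkqt3"}             # client_ids permitted to act on behalf of callers

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_delegated_id_token(original_sub, caller_client_id, now=None, ttl=300):
    """STS side: mint an id_token scoped to TARGET that names the original
    subject in 'sub' and the delegating client in 'act_as'."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": TARGET, "sub": original_sub,
              "act_as": caller_client_id, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_delegated_id_token(token, now=None):
    """Target service side: return the claims if the token is acceptable,
    otherwise raise ValueError naming the first failed check."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # never trust the header's alg blindly
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != TARGET:
        raise ValueError("token not scoped to this service")  # stops replay at other services
    if claims.get("act_as") not in ALLOWED_DELEGATES:
        raise ValueError("delegate not permitted")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims
```

The target service should still apply its own authorization to the returned "sub" and "act_as" pair; the token only establishes who is calling and on whose behalf.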