[Openid-specs-ab] Guidance on native apps with helper Web services

Mike Jones Michael.Jones at microsoft.com
Fri Sep 12 15:28:07 UTC 2014

Hi all,

Caleb Baker sent me the following request about how to support native apps with helper Web services.  What guidance can we give him and others wanting to implement this scenario?  I know that at least Google uses the "azp" claim in ID Tokens as part of supporting this.  How exactly is it used in this scenario?  How does the OP know when to include an "azp" claim and what value to use?

I'm looking for guidance on the use of OpenID Connect by mobile applications that are backed by a Web API.  As an example, take a game app that stores the user's profile, including game state on a back end web service.

1. The user starts the game app on a new device.
2. In a web view hosted by the app, they authenticate at their OP and grant permission for the app accessing their profile.
3. The response is returned to the app.
4. The app accesses the backing Web API to get the user profile info.
5. The service backing the Web API is granted access to call the UserInfo endpoint and get additional information about the user.
6. The app makes additional calls to the Web API to save and retrieve game state each time the app opens and closes.

I've considered using the hybrid flow, with 'response_type=code id_token', then passing the authorization code to the Web API so it can access the UserInfo endpoint.
Using that flow, I'm not sure how the Web API authorizes the app to access the user profile in step 4 and step 6.

Is there a recommended approach for accomplishing this scenario with OpenID Connect?

                                                            -- Mike
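As an added illustration, not from this thread or from any OP or library it mentions, here are the aud/azp checks from OpenID Connect Core 1.0 section 3.1.3.7 that the question turns on, applied from the point of view of whichever party is validating the ID Token; the function names, the sample client_id values, and the assumption that the JWS signature has already been verified against the OP's keys are all mine.

```python
import base64
import json
from typing import Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(id_token: str) -> dict:
    # Parse only the payload of the compact JWS. Signature verification
    # against the OP's JWKS is assumed to have happened before this point.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(claims: dict, client_id: str) -> Tuple[bool, str]:
    """Apply the aud/azp rules of OpenID Connect Core 1.0, section 3.1.3.7.

    client_id is the Client ID of the party doing the validation.
    Returns (accepted, reason).
    """
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    # Core step 3: aud MUST contain our client_id.
    if client_id not in audiences:
        return False, "aud does not contain our client_id"
    azp = claims.get("azp")
    # Core step 4: with multiple audiences, azp SHOULD be present.
    if len(audiences) > 1 and azp is None:
        return False, "multiple audiences but no azp claim"
    # Core step 5: if azp is present, it SHOULD equal our client_id.
    if azp is not None and azp != client_id:
        return False, f"azp {azp!r} is not our client_id"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample claims (hypothetical client_ids), not a real token:
    # the OP issued the token to the native app and listed the backend as a
    # second audience, so azp names the app.
    sample = {"iss": "https://op.example", "sub": "alice",
              "aud": ["game-app", "game-backend"], "azp": "game-app"}
    print("as app:    ", check_audience(sample, "game-app"))
    print("as backend:", check_audience(sample, "game-backend"))
```

Run as the backend, the last check fails on the azp rule even though the backend is a listed audience, which is exactly the ambiguity the question raises about when the OP includes azp and what a helper service should expect its value to be.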
