[OpenID] OIDC federation using ID Tokens as OAuth2 grants

Cal Heldenbrand cal at fbsdata.com
Thu Apr 16 19:03:16 UTC 2015


Thank you for the info John!


On Wed, Apr 15, 2015 at 3:14 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> Google is the main user of this at the moment.
> https://developers.google.com/identity/protocols/CrossClientAuth
>
> They are using structured scopes to indicate the required audience.  It is
> something we allowed for in Connect by adding the “azp” claim, but have
> not standardized yet.
>
> There is work ongoing in the NAPPS WG looking at how enterprise AS can
> authorize SaaS applications to access 3rd party backend servers.
>
> The book you point to leaves out how the audience would be correct.
> Taking an id_token with an audience of "A" and passing it on to "B" is not
> a good practice.
>
> I know SalesForce supports the SAML and JWT assertion flows.
>
> https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_jwt_flow.htm
>
> John B.
>
> On Apr 15, 2015, at 4:11 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:
>
> Hi everyone,
>
> I've been doing a lot of reading on OpenID Connect, and there's one area
> that I'm a little confused on -- federated identities.  My curiosity was
> piqued from Page 225 of the book Advanced API Security
> <https://books.google.com/books?id=_-BPBAAAQBAJ&pg=PA225&lpg=PA225#v=onepage&q&f=false>.
> In particular, this quote:
>
> *...you need to find a way to exchange the ID token received in OpenID
> Connect authentication for an OAuth access token, which is defined in the
> JWT grant types for the OAuth 2.0 specification.  Once the web application
> receives the ID token ... it has to exchange it for an access token by
> talking to the OAuth authorization server.  The authorization server must
> trust the OpenID Connect identity provider.*
>
> I realize this is a grey area between OIDC and OAuth2... but are there any
> spec documents that outline this trust relationship, and how it applies to
> ID Tokens in particular?  (Also, are there any known implementations out
> there that actually use this?)
>
> I've read through the draft-ietf-oauth-jwt-bearer
> <https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12> document, and
> it seems very close to what I was looking for.  But the JWT format is a
> little different from an ID Token, and the audience is not in the format of
> a typical client_id.  And, I was assuming Authorized Party (azp) would
> somehow fit into this flow.
>
> Any extra info on this would be very helpful!
>
> Thank you,
>
> --Cal
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
>
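The audience point John makes above, as an added example that is not code from the thread or from any product it mentions: a hypothetical authorization server "B" validating a JWT bearer assertion at its token endpoint, so that an ID Token minted for client "A" (aud = A's client_id) is refused while an assertion addressed to B is accepted. The key, issuer and endpoint URL are constructed stand-ins, and HS256 is used only so it runs offline; a real AS would verify the IdP's RS256/ES256 signature via its JWKS.

```python
import base64, hashlib, hmac, json
# Constructed sample values, not from the thread. A shared HMAC key stands in for the
# IdP's signing key so this runs offline; real AS code verifies RS256/ES256 via JWKS.
IDP_KEY = b"constructed-demo-key"
IDP_ISSUER = "https://idp.example"                   # the trusted OIDC provider
AS_B_TOKEN_ENDPOINT = "https://as-b.example/token"   # hypothetical AS "B"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (stands in for the IdP issuing a token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_assertion(jwt: str, key: bytes, expected_aud: str, now: int) -> dict:
    """Checks AS B's token endpoint must make on a JWT bearer assertion."""
    header, body, sig = jwt.split(".")        # ValueError if not three segments
    # Verify with the configured algorithm; the token's own alg header is not trusted.
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"aud {aud!r} is not this AS")   # John's audience point
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def demo(now: int = 1429200000) -> dict:
    """Fixed clock: an ID Token minted for client A is refused by AS B."""
    base = {"iss": IDP_ISSUER, "sub": "user-42", "iat": now, "exp": now + 300}
    tokens = {"id_token_for_a": sign_jwt({**base, "aud": "client-a", "azp": "client-a"}, IDP_KEY),
              "assertion_for_b": sign_jwt({**base, "aud": AS_B_TOKEN_ENDPOINT}, IDP_KEY)}
    out = {}
    for name, tok in tokens.items():
        try:
            validate_assertion(tok, IDP_KEY, AS_B_TOKEN_ENDPOINT, now)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = f"rejected: {err}"
    return out
```

Note that the azp claim on the ID Token does not rescue it: the assertion's aud must name the authorization server that is being asked to issue the access token.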