[OpenID] OIDC federation using ID Tokens as OAuth2 grants
Peter Williams
home_pw at msn.com
Wed Apr 22 16:34:58 UTC 2015
http://www.cloudidentity.com/blog/2015/02/06/requesting-an-aad-token-with-a-certificate-without-adal/
Someone posted google related info. Here is some that doesn't require one to use vendor specific libraries.
Sign a jwt you construct, and attach a cert to help the std verify the signature. Present the signed blob as a bearer, seeking to have the std swap it for azure signed blob. Azure will then send suitable logging information (to NSA as part of fedramp) to a cybersecurity scanning firm looking for pattern based signatures.
The last part is not well known. I've no doubt google has the same "added value", as does yahoo and salesforce. It's all voluntary, note.
Sent from my Windows Phone
________________________________
From: Cal Heldenbrand<mailto:cal at fbsdata.com>
Sent: 4/15/2015 12:11 PM
To: openid-general at lists.openid.net<mailto:openid-general at lists.openid.net>
Subject: [OpenID] OIDC federation using ID Tokens as OAuth2 grants
Hi everyone,
I've been doing a lot of reading on OpenID Connect, and there's one area
that I'm a little confused on -- federated identities. My curiosity was
piqued from Page 225 of the book Advanced API Security
<https://books.google.com/books?id=_-BPBAAAQBAJ&pg=PA225&lpg=PA225#v=onepage&q&f=false>.
In particular, this quote:
*...you need to find a way to exchange the ID token received in OpenID
Connect authentication for an OAuth access token, which is defined in the
JWT grant types for the OAuth 2.0 specification. Once the web application
receives the ID token ... it has to exchange it for an access token by
talking to the OAuth authorization server. The authorization server must
trust the OpenID Connect identity provider.*
I realize this is a grey area between OIDC and OAuth2... but are there any
spec documents that outline this trust relationship, and how it applies to
ID Tokens in particular? (Also, are there any known implementations out
there that actually use this?)
I've read through the draft-ietf-oauth-jwt-bearer
<https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12> document, and
it seems very close to what I was looking for. But the JWT format is a
little different from an ID Token, and the audience is not in the format of
a typical client_id. And, I was assuming Authorized Party (azp) would
somehow fit into this flow.
Any extra info on this would be very helpful!
Thank you,
--Cal
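The exchange both messages describe (a signed JWT presented with the jwt-bearer grant type, which the authorization server validates against a trusted issuer before minting its own access token), as an added example that is not part of the thread. The issuer name, token endpoint and trust store are assumptions, and a shared HMAC secret (HS256) stands in for the certificate-backed signature the reply mentions so the code runs with the standard library only; the audience check also shows why an unmodified ID token (aud = client_id) would be rejected, which is the point raised in the question.

```python
import base64, hmac, hashlib, json, time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.org/token"  # assumed AS token endpoint
# Assumed trust store: issuer -> key the AS uses to verify that issuer's JWTs.
# A shared HMAC secret stands in for the certificate / RSA key used in practice.
TRUSTED_ISSUERS = {"https://idp.example.org": b"constructed-idp-secret"}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """IdP/client side: build a compact HS256 JWT over the given claims."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def exchange(grant_type: str, assertion: str, now: int = None) -> dict:
    """AS side: validate a JWT bearer assertion, then mint an access token."""
    now = int(time.time()) if now is None else now
    if grant_type != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        head, body, sig = assertion.split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
        sig_bytes = b64u_dec(sig)
    except ValueError:
        return {"error": "invalid_grant"}  # not a well-formed compact JWT
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return {"error": "invalid_grant"}
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if header.get("alg") != "HS256" or key is None:
        return {"error": "invalid_grant"}  # untrusted issuer or unexpected alg
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return {"error": "invalid_grant"}  # signature does not verify
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if TOKEN_ENDPOINT not in aud:
        return {"error": "invalid_grant"}  # ID-token style aud=client_id fails here
    exp = claims.get("exp")
    if "sub" not in claims or not isinstance(exp, int) or exp <= now:
        return {"error": "invalid_grant"}  # missing subject or expired
    return {"access_token": f"at-for-{claims['sub']}", "token_type": "Bearer"}
```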