[Openid-specs-ab] OpenID Connect + OAuth to cross domains
Justin Richer
jricher at mitre.org
Fri Sep 7 14:42:16 UTC 2012
We've been working on a system that makes use of both vanilla OAuth2 and
OpenID Connect to bridge between two security domains. One of our
immediate applications for this is in the healthcare space (a doctor's
system requesting a medical record from another doctor's system), but
we're finding that the pattern is very useful across a multitude of
different deployments.

The setup is fairly simple and shouldn't surprise anyone in this group:
somebody wants to authorize a client to access data, so they do the
OAuth dance and get sent to the AS. But in order to log into the AS,
they use a distributed ID protocol like OIDC. What I've found that
confuses people is that the AS, in this case, needs to act like an OIDC
client (and therefore OAuth2 client) in addition to being an OAuth2
server in its own right.

With that in mind, I've put together a PDF that lays out, in annotated
detail, all of the steps that need to occur, and who needs to talk to whom:
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/docs/OpenID%20Connect%20%2B%20OAuth2%20--%20annotated.pdf

-- Justin
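An added example, not code from the post or from the MITREid Connect project: an in-memory Python model of the bridge described above, in which domain A's OAuth2 AS first acts as an OIDC client of domain B's OP and only then issues its own authorization code. All names, URLs and the user are constructed, and ID tokens are plain dicts rather than signed JWTs; the point is the state/nonce binding that ties the outbound OIDC login back to the client's original OAuth request.

```python
# Added example, not code from the post or the MITREid project; names and URLs are constructed.
import secrets
class OpenIDProvider:
    """Identity domain B: a minimal OIDC OP (the ID token is a dict, not a signed JWT)."""
    def __init__(self, issuer):
        self.issuer, self.codes = issuer, {}
    def authorize(self, client_id, redirect_uri, state, nonce, user):
        code = secrets.token_urlsafe(8)
        self.codes[code] = (client_id, redirect_uri, nonce, user)
        return {"code": code, "state": state}          # travels back through the browser
    def token(self, client_id, redirect_uri, code):
        entry = self.codes.pop(code, None)             # codes are single use
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        return {"iss": self.issuer, "sub": entry[3], "aud": client_id, "nonce": entry[2]}

class BridgingAS:
    """Domain A's OAuth2 AS, which is also an OIDC client (RP) of the OP above."""
    def __init__(self, op, rp_client_id, rp_redirect_uri):
        self.op, self.rp_client_id, self.rp_redirect_uri = op, rp_client_id, rp_redirect_uri
        self.pending, self.codes = {}, {}              # keyed by RP state / by AS code
    def authorize(self, client_id, redirect_uri, scope, client_state):
        # Step 1: no login session, so stash the client's request and send the user to the OP.
        rp_state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
        self.pending[rp_state] = (client_id, redirect_uri, scope, client_state, nonce)
        return {"client_id": self.rp_client_id, "redirect_uri": self.rp_redirect_uri,
                "state": rp_state, "nonce": nonce}
    def oidc_callback(self, code, state):
        # Step 2: the OP sends the user back; 'state' ties the callback to the stashed request.
        pend = self.pending.pop(state, None)
        if pend is None: raise PermissionError("unknown state")
        idt = self.op.token(self.rp_client_id, self.rp_redirect_uri, code)
        if (idt["iss"], idt["aud"], idt["nonce"]) != (self.op.issuer, self.rp_client_id, pend[4]):
            raise PermissionError("id_token rejected")
        # Step 3: the user is now logged in at the AS, which issues its own code to the client.
        as_code = secrets.token_urlsafe(8)
        self.codes[as_code] = (pend[0], pend[1], pend[2], f"{idt['iss']}#{idt['sub']}")
        return {"code": as_code, "state": pend[3]}
    def token(self, client_id, redirect_uri, code):   # Step 4: ordinary OAuth2 code exchange
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(16), "scope": entry[2], "subject": entry[3]}

def run_flow(user="dr.smith"):
    as_ = BridgingAS(OpenIDProvider("https://op.example.org"), "as-as-rp", "https://as.example.com/oidc/cb")
    req = as_.authorize("records-client", "https://app.example.com/cb", "records.read", "cs1")
    op_resp = as_.op.authorize(req["client_id"], req["redirect_uri"], req["state"], req["nonce"], user)
    as_resp = as_.oidc_callback(op_resp["code"], op_resp["state"])
    return as_.token("records-client", "https://app.example.com/cb", as_resp["code"]), as_resp["state"]
```

`run_flow()` returns the token response the client finally receives together with its echoed `state`; the `subject` is qualified by the OP's issuer so domain A can tell which identity domain vouched for the user.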