[Openid-specs-ab] OpenID Connect and Identity Delegation
Matias Woloski
matiasw at gmail.com
Wed Mar 27 16:50:42 UTC 2013
Hi everyone,
Our customers have this typical scenario of a web application consuming web
services. In this context, they were using WS-Trust delegation (ActAs) to
delegate the identity of the caller. Is there something equivalent to this
in the OpenID Connect/OAuth world? I would basically like to have a nicer
HTTP alternative to WS-Trust 1.4 ActAs.
Something like:

POST /delegation HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

id_token=.....user_id_token....
&target=http://service.example.com

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "... id_token_scoped_to_target ... "
}

The resulting id_token would look like this.

{
  "aud": "http://service.example.com",
  "iss": "http://server.example.com",
  "act_as": "...client_id of the caller...",
  "sub": "...original caller subject name... ",
  "...": ... more claims from the subject (transformed/mapped) ...
}
Thanks,
Matias
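The delegation exchange sketched in the post, worked through as an added example (it is not code from the post, from any OpenID Connect specification, or from Matias's product). It implements the three parties involved: the upstream IdP that issued the user's id_token (hypothetical issuer http://idp.example.com), the /delegation endpoint at server.example.com that authenticates the calling client, verifies the user token and mints a new token with "aud" set to the target and "act_as" set to the client, and the target service that accepts only tokens addressed to itself. Everything specific is constructed: HS256 with shared secrets (a real deployment would use asymmetric signatures and a key store), the client_id/secret decoded from the Basic header in the post, the ALLOWED_TARGETS delegation policy, and the 600-second user-token lifetime.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secrets: a real deployment keeps these in a KMS/HSM and would use
# asymmetric (RS256/ES256) signatures so the target service never holds a signing key.
USER_IDP_KEY = b"upstream-idp-hs256-key"          # key the user's IdP signs id_tokens with
DELEGATION_KEY = b"delegation-server-hs256-key"   # key server.example.com signs delegated tokens with
USER_IDP_ISSUER = "http://idp.example.com"         # hypothetical upstream IdP
DELEGATION_ISSUER = "http://server.example.com"    # the "iss" from the post
# Client credentials decoded from the post's Basic header (the RFC 6749 sample values).
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}
# Delegation policy (assumed): which client may obtain tokens for which target service.
ALLOWED_TARGETS = {"s6BhdRkqt3": {"http://service.example.com"}}
DELEGATED_TTL = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Check signature, pinned alg, iss, aud and exp; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")           # never let the token choose the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("wrong audience")           # a token for one service must not work at another
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def basic_header(client_id: str, secret: str) -> str:
    """Build the Authorization: Basic value a client sends to /delegation."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def issue_user_id_token(sub: str, client_id: str, now: float, extra=None) -> str:
    """Stand-in for the upstream IdP: the id_token the web application received at login."""
    claims = {"iss": USER_IDP_ISSUER, "aud": client_id, "sub": sub,
              "iat": int(now), "exp": int(now) + 600, **(extra or {})}
    return jwt_sign(claims, USER_IDP_KEY)


def delegate(authorization: str, form: dict, now=None) -> dict:
    """Handle the POST /delegation from the post; returns the JSON body of the 200 response."""
    now = time.time() if now is None else now
    # 1. Authenticate the calling client (HTTP Basic, as in the post).
    scheme, _, cred = authorization.partition(" ")
    if scheme != "Basic":
        raise PermissionError("client authentication required")
    client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    if not hmac.compare_digest(CLIENTS.get(client_id, ""), secret):
        raise PermissionError("invalid client credentials")
    # 2. Verify the user's id_token; it must have been issued to *this* client, and be unexpired.
    user = jwt_verify(form["id_token"], USER_IDP_KEY, USER_IDP_ISSUER, client_id, now)
    # 3. Apply the delegation policy before minting anything.
    target = form["target"]
    if target not in ALLOWED_TARGETS.get(client_id, set()):
        raise PermissionError("client may not act for this target")
    # 4. Mint a short-lived token scoped to the target, recording which client acts for the user.
    claims = {"iss": DELEGATION_ISSUER, "aud": target, "sub": user["sub"],
              "act_as": client_id, "iat": int(now), "exp": int(now) + DELEGATED_TTL}
    for name in ("name", "email"):               # copy (or map) only selected subject claims
        if name in user:
            claims[name] = user[name]
    return {"token_type": "Bearer", "expires_in": DELEGATED_TTL,
            "id_token": jwt_sign(claims, DELEGATION_KEY)}


def service_accept(bearer_token: str, now: float, self_url: str = "http://service.example.com") -> dict:
    """What the target service does with the Bearer token: verify it was minted for *this* service."""
    claims = jwt_verify(bearer_token, DELEGATION_KEY, DELEGATION_ISSUER, self_url, now)
    return {"sub": claims["sub"], "act_as": claims["act_as"]}
```

The checks that matter for delegation are the ones a plain bearer-token relay skips: the delegation server re-validates the user's token against the client that is presenting it (so a client cannot redeem a token issued to someone else), consults a policy for the requested target, and the target service rejects any token whose "aud" is not its own URL, so a token scoped to service.example.com cannot be replayed elsewhere. The same shape was later standardized in OAuth 2.0 Token Exchange (RFC 8693), where the delegating party is recorded in an "act" claim.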