[Openid-specs-ab] OpenID Connect and Identity Delegation
Nat Sakimura
sakimura at gmail.com
Thu Mar 28 16:24:15 UTC 2013
azp?
2013/3/28 Matias Woloski <matiasw at gmail.com>
> Hi everyone,
>
> Our customers have this typical scenario of a web application consuming
> web services. In this context, they were using WS-Trust delegation (ActAs)
> to delegate the identity of the caller. Is there something equivalent to
> this in the OpenID Connect/OAuth world? I would basically like to have a
> nicer HTTP alternative to WS-Trust 1.4 ActAs.
>
> Something like:
>
> POST /delegation HTTP/1.1
> Host: server.example.com
> Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
> Content-Type: application/x-www-form-urlencoded
>
> id_token=.....user_id_token....
> &target=http://service.example.com
>
> HTTP/1.1 200 OK
> Content-Type: application/json
> Cache-Control: no-store
> Pragma: no-cache
> {
> "token_type":"Bearer",
> "expires_in":3600,
> "id_token":"... id_token_scoped_to_target ... "
> }
>
> The resulting id_token would look like this.
>
> {
> "aud": "http://service.example.com",
> "iss": "http://server.example.com",
> "act_as": "...client_id of the caller...",
> "sub": "...original caller subject name... ",
> "...": ... more claims from the subject (transformed/mapped) ...
> }
>
> Thanks,
> Matias
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
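A runnable sketch of the delegation exchange Matias proposes, added here as an illustration and not code from the thread or from any OpenID specification; the HS256 signing, SECRET, ALLOWED_TARGETS and helper names are assumptions for a self-contained demo. The endpoint mints a target-scoped token only after checking the inbound id_token's signature, issuer, audience and expiry, records the acting client in the `azp` claim that Nat's reply points at, and never lets the new token outlive the original.

```python
# Added example (not from the thread): a minimal model of the proposed
# POST /delegation endpoint. HS256 with a shared secret is used only to
# keep the demo self-contained; helper names are hypothetical.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"                 # constructed sample key
ISSUER = "http://server.example.com"
ALLOWED_TARGETS = {"http://service.example.com"}   # assumption: target allowlist

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict) -> str:
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, expected_aud: str, now: int) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def delegate(id_token: str, client_id: str, target: str, now: int) -> dict:
    # The web app (client_id) presents the user's id_token that was issued
    # to it; the returned token is re-audienced to the downstream service.
    if target not in ALLOWED_TARGETS:
        raise ValueError("target not permitted")
    user = verify(id_token, expected_aud=client_id, now=now)
    scoped = {
        "iss": ISSUER, "aud": target, "sub": user["sub"],
        "azp": client_id,                      # Matias's act_as; OIDC's azp
        "iat": now, "exp": min(now + 3600, user["exp"]),  # cap at original
    }
    return {"token_type": "Bearer", "expires_in": scoped["exp"] - now,
            "id_token": sign(scoped)}
```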