[Openid-specs-ab] Using OpenID Connect ID Token for API Security (authentication)
Prabath Siriwardena
prabath at wso2.com
Thu Jun 5 05:56:28 UTC 2014
And the other limitation I found was: in an OpenID Connect request, the client
cannot suggest an audience value for the ID token... possibly this is beyond
OpenID Connect, or maybe a different profile?
Thanks & regards,
-Prabath
On Thu, Jun 5, 2014 at 11:13 AM, Prabath Siriwardena <prabath at wso2.com>
wrote:
> I have the following SOAP use case...
>
> 1. Using WS-Trust, I authenticate to the STS and get a SAML Bearer
> Token with the required set of claims.
> 2. I use this as a supporting token to access a SOAP service.
> 3. SOAP service will validate the signature of the SAML token and if it is
> valid - I will be able to access it.
>
> Now I am thinking of implementing the same in the following manner for
> REST APIs.
>
> 1. Using OpenID Connect, talk to the token endpoint with the client credentials
> grant type and get a signed ID token with the required set of claims.
> 2. Set the JWT token in an HTTP header and talk to the secured API.
> 3. The API should validate the signature of the JWT and, if it is valid and if it
> trusts the issuer, should let me in.
>
> But I find some limitations in the spec to implement my REST use case.
>
> 1. The OpenID Connect specification does not talk about the client credentials
> grant type? At the same time it does not say it is a MUST to use
> authorization code or implicit.
>
> 2. AFAIK there is no HTTP binding to pass a JWT - please let me know if
> there is any?
>
> Appreciate your thoughts on this...
>
>
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://blog.api-security.org
>
--
Thanks & Regards,
Prabath
Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +94 71 809 6732
http://blog.facilelogin.com
http://blog.api-security.org
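Step 3 of the REST flow above (signature check, then issuer trust) plus the audience point raised in the follow-up, as an added example that is not part of the thread: the API-side checks a resource server should run on a received JWT. The issuer, audience, key and HS256 shared secret are constructed assumptions; real ID tokens are normally RS256-signed with a key fetched from the issuer's JWKS, but the check order is the same.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not from the thread): a shared HMAC key stands in
# for the issuer's signing key so the block runs offline; real ID tokens are
# usually RS256-signed, and the API would fetch the issuer's JWKS instead.
DEMO_KEY = b"demo-secret-shared-with-issuer"
TRUSTED_ISSUERS = {"https://sts.example.test"}
API_AUDIENCE = "https://api.example.test/orders"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT; stands in for the token endpoint in step 1."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Step 3: verify the signature first, then trust checks; returns claims or raises."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in TRUSTED_ISSUERS:  # "trusts the issuer"
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")  # a valid token for some other API must still be refused
    aud = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud:
        raise ValueError("token not intended for this API")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims
```

The audience check is why the follow-up's limitation matters: if the issuer will only ever put the client id in `aud`, the API cannot tell a token minted for it from one minted for any other API.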