[Openid-specs-ab] OpenID Connect + OAuth to cross domains

Nat Sakimura sakimura at gmail.com
Mon Sep 10 07:54:49 UTC 2012

Thanks Justin. This is very useful.

One of the shortcoming of the OAuth 2.0 is that it does not define
authentication endpoint explicitly. In OAuth, client goes to
authorization endpoint, and if he is not authenticated at the time, he
is redirected in a proprietary protocol to the authentication
endpoint. Then, the user provides credentials to get authenticated,
and returned to another endpoint, likely to be the authorization
endpoint, through yet another proprietary protocol, to authorize the
resource access.

My interpretation of what you have done here is to use OpenID Connect
instead of the proprietary protocol above.

By delegating the authorization to the OIDC server would optimize the
authorization, especially when there are multiple resources from
different domains are involved. That's what UMA is trying to solve, I


On Fri, Sep 7, 2012 at 11:42 PM, Justin Richer <jricher at mitre.org> wrote:
> We've been working on a system that makes use of both vanilla OAuth2 and
> OpenID Connect to bridge between two security domains. One of our immediate
> applications for this is in the healthcare space (a doctor's system
> requesting a medical record from another doctor's system), but we're finding
> that the pattern is very useful across a multitude of different deployments.
> The setup is fairly simple and shouldn't surprise anyone in this group:
> somebody wants to authorize a client to access data, so they do the OAuth
> dance and get sent to the AS. But in order to log into the AS, they use a
> distributed ID protocol like OIDC. What I've found that confuses people is
> that the AS, in this case, needs to act like an OIDC client (and therefore
> OAuth2 client) in addition to being an OAuth2 server in its own right.
> With that in mind, I've put together a PDF that lays out, in annotated
> detail, all of the steps that need to occur, and who needs to talk to whom:
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/docs/OpenID%20Connect%20%2B%20OAuth2%20--%20annotated.pdf
>  -- Justin
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Nat Sakimura (=nat)
Chairman, OpenID Foundation

More information about the Openid-specs-ab mailing list