[Openid-specs-ab] OpenID Connect and Identity Delegation

Matias Woloski matiasw at gmail.com
Wed Mar 27 16:50:42 UTC 2013


Hi everyone,

Our customers have this typical scenario of a web application consuming web
services. In this context, they were using WS-Trust delegation (ActAs) to
delegate the identity of the caller. Is there something equivalent to this
in the OpenID Connect/OAuth world? I would basically like to have a nicer
HTTP alternative to WS-Trust 1.4 ActAs.

Something like:

POST /delegation HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

id_token=.....user_id_token....
  &target=http://service.example.com


HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
 "token_type":"Bearer",
 "expires_in":3600,
 "id_token":"... id_token_scoped_to_target ... "
}

The resulting id_token would look like this:

{
 "aud": "http://service.example.com",
 "iss": "http://server.example.com",
 "act_as": "...client_id of the caller...",
 "sub": "...original caller subject name... ",
 "...": ... more claims from the subject (transformed/mapped) ...
}
Thanks,
Matias
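The exchange sketched in the post, worked through as an added example that is not part of the original message or of any OpenID specification. It models the proposed /delegation endpoint end to end: the web application authenticates with the HTTP Basic credentials from the post, presents the user's id_token plus a target, and receives a fresh id_token whose aud is the target, whose sub is still the original user, and whose act_as names the calling client. The checks a server would need before minting such a token are the point of the example: the client credentials must be valid, the incoming id_token must be signed by this issuer, unexpired and issued to this client (aud), and the client must be allowed to delegate to the requested target. The issuer key, the client registry, the HS256 signing, the 600-second user-token lifetime and the claim whitelist are all constructed assumptions; the same idea was later standardized as OAuth 2.0 Token Exchange (RFC 8693), where an act claim plays the role act_as plays here.

```python
import base64
import hashlib
import hmac
import json

# Constructed assumptions (not from the post): issuer, its HS256 key, and a client registry
# mapping client_id -> (client_secret, targets this client may delegate to).
ISSUER = "http://server.example.com"
ISSUER_KEY = b"constructed-issuer-hmac-key-for-the-example-only"
CLIENTS = {"s6BhdRkqt3": ("gX1fBat3bV", {"http://service.example.com"})}
DELEGATED_LIFETIME = 3600  # matches expires_in in the post's sample response
USER_TOKEN_LIFETIME = 600  # assumed lifetime of the user's original id_token


class InvalidClient(Exception):
    """Client authentication failed (maps to HTTP 401)."""


class Forbidden(Exception):
    """Client is authenticated but not allowed to do this (maps to HTTP 403)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS, HS256. The algorithm is fixed server-side; verify_jwt never trusts the header's alg."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Check the HS256 signature and exp, then return the claims. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def basic_auth_header(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode("ascii")


def issue_user_id_token(sub: str, client_id: str, now: int, **extra) -> str:
    """Stand-in for the normal OpenID Connect login: an id_token for `sub`, audience = the web app."""
    claims = {"iss": ISSUER, "aud": client_id, "sub": sub, "iat": now, "exp": now + USER_TOKEN_LIFETIME}
    claims.update(extra)
    return sign_jwt(claims, ISSUER_KEY)


def _authenticate_client(authorization: str) -> str:
    scheme, _, cred = authorization.partition(" ")
    if scheme != "Basic":
        raise InvalidClient("unsupported auth scheme")
    client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    entry = CLIENTS.get(client_id)
    if entry is None or not hmac.compare_digest(entry[0].encode(), secret.encode()):
        raise InvalidClient("invalid_client")
    return client_id


def delegation_endpoint(authorization: str, form: dict, now: int) -> dict:
    """POST /delegation: verified user id_token + target -> id_token scoped to the target, acting as the client."""
    client_id = _authenticate_client(authorization)
    target = form.get("target")
    if target not in CLIENTS[client_id][1]:
        raise Forbidden("target not permitted for this client")
    incoming = verify_jwt(form["id_token"], ISSUER_KEY, now)
    if incoming.get("iss") != ISSUER:
        raise ValueError("id_token not issued here")
    aud = incoming.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise Forbidden("id_token was not issued to this client")
    delegated = {"iss": ISSUER, "aud": target, "sub": incoming["sub"], "act_as": client_id,
                 "iat": now, "exp": now + DELEGATED_LIFETIME}
    # Only whitelisted subject claims are copied; the rest of the original token is not forwarded.
    for claim in ("name", "email"):
        if claim in incoming:
            delegated[claim] = incoming[claim]
    return {"token_type": "Bearer", "expires_in": DELEGATED_LIFETIME, "id_token": sign_jwt(delegated, ISSUER_KEY)}


def handle_delegation_request(authorization: str, form: dict, now: int):
    """HTTP-style wrapper returning (status, body); errors map to the usual OAuth status codes."""
    try:
        return 200, delegation_endpoint(authorization, form, now)
    except InvalidClient as e:
        return 401, {"error": str(e)}
    except Forbidden as e:
        return 403, {"error": str(e)}
    except (ValueError, KeyError) as e:
        return 400, {"error": str(e)}
```

The delegated token's aud is the target and not the original client, so the target service can reject tokens that were never meant for it, and the web application cannot replay its own delegated token against the delegation endpoint again (the aud check fails). The Basic header in the post decodes to the client id s6BhdRkqt3 with secret gX1fBat3bV, which is why the registry above uses those values.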