[Openid-specs-ab] OpenID Connect and Identity Delegation

Nat Sakimura sakimura at gmail.com
Thu Mar 28 16:24:15 UTC 2013


azp?

2013/3/28 Matias Woloski <matiasw at gmail.com>

> Hi everyone,
>
> Our customers have this typical scenario of a web application consuming
> web services. In this context, they were using WS-Trust delegation (ActAs)
> to delegate the identity of the caller. Is there something equivalent to
> this in the OpenID Connect/OAuth world? I would basically like to have a
> nicer HTTP alternative to WS-Trust 1.4 ActAs.
>
> Something like:
>
> POST /delegation HTTP/1.1
>   Host: server.example.com
>   Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>   Content-Type: application/x-www-form-urlencoded
>
>   id_token=.....user_id_token....
>     &target=http://service.example.com
>
> HTTP/1.1 200 OK
>   Content-Type: application/json
>   Cache-Control: no-store
>   Pragma: no-cache
>   {
>    "token_type":"Bearer",
>    "expires_in":3600,
>    "id_token":"... id_token_scoped_to_target ... "
>   }
>
> The resulting id_token would look like this.
>
>   {
>    "aud": "http://service.example.com",
>    "iss": "http://server.example.com",
>    "act_as": "...client_id of the caller...",
>    "sub": "...original caller subject name... ",
>    "...": ... more claims from the subject (transformed/mapped) ...
>   }
>
> Thanks,
> Matias
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
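As an added illustration (not code from the thread), the /delegation exchange Matias sketched, with the caller recorded in the azp claim that Nat's reply points at: the delegation endpoint verifies the user's id_token before minting a token narrowed to the target service. The HS256 shared key, the issuer constant and the function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and issuer (assumptions; a real deployment would use the OP's signing keys).
SECRET = b"constructed-demo-secret"
ISSUER = "http://server.example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT (demo only; the exchange itself is independent of the algorithm)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, audience: str, now: int) -> dict:
    """Check signature, issuer, audience and expiry before trusting any claim in the token."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def delegate(user_id_token: str, target: str, caller_client_id: str, now: int) -> dict:
    """POST /delegation: exchange the web app's id_token for one scoped to the target service."""
    # The original id_token was issued to the web application, so its aud is that client_id.
    original = verify_jwt(user_id_token, SECRET, audience=caller_client_id, now=now)
    delegated = {
        "iss": ISSUER,
        "aud": target,                  # narrowed to the downstream service only
        "sub": original["sub"],         # the original caller's identity is preserved
        "azp": caller_client_id,        # party acting on the user's behalf (act_as in the post)
        "iat": now,
        "exp": min(now + 3600, original["exp"]),  # never outlive the token it was derived from
    }
    return {"token_type": "Bearer", "expires_in": delegated["exp"] - now,
            "id_token": sign_jwt(delegated)}
```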