[Openid-specs-ab] OpenID Connect and Identity Delegation

Matias Woloski matiasw at gmail.com
Thu Mar 28 17:55:04 UTC 2013


I haven't heard of azp before (was focusing just on the basic and implicit
profile).

Just read the spec and from what I understand "azp" would be in my example
the "aud" of the id_token generated by the delegation endpoint. But I'm not
sure. The definition of "Authorized Presenter" is kind of ambiguous to
me. Is it the party that "presents" the token, the caller?  Sorry if I'm
missing something obvious.

   - What is the difference between having multiple audiences vs using azp?
   - In the scenario I describe there is claims
   transformation/mapping/augmentation, so it's not enough to just add
   the "azp" to the original id_token, which takes me to the next point
   - Maybe this is subject to a different spec. But as an implementer, what
   I would like to see is the protocol flow for the delegation scenario (kind
   of like what I wrote in the email). The "azp" claim sounds like a small
   part of that.

Thanks!
Matias


On Thu, Mar 28, 2013 at 1:24 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> azp?
>
> 2013/3/28 Matias Woloski <matiasw at gmail.com>
>
>> Hi everyone,
>>
>> Our customers have this typical scenario of a web application consuming
>> web services. In this context, they were using WS-Trust delegation (ActAs)
>> to delegate the identity of the caller. Is there something equivalent to
>> this in the OpenID Connect/OAuth world? I would basically like to have a
>> nicer HTTP alternative to WS-Trust 1.4 ActAs.
>>
>> Something like:
>>
>>
>> POST /delegation HTTP/1.1
>>   Host: server.example.com
>>   Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>>   Content-Type: application/x-www-form-urlencoded
>>
>>   id_token=.....user_id_token....
>>     &target=http://service.example.com
>>
>>
>> HTTP/1.1 200 OK
>>   Content-Type: application/json
>>   Cache-Control: no-store
>>   Pragma: no-cache
>>
>>   {
>>    "token_type":"Bearer",
>>    "expires_in":3600,
>>    "id_token":"... id_token_scoped_to_target ... "
>>   }
>>
>> The resulting id_token would look like this.
>>
>>   {
>>    "aud": "http://service.example.com",
>>    "iss": "http://server.example.com",
>>    "act_as": "...client_id of the caller...",
>>    "sub": "...original caller subject name... ",
>>    "...": ... more claims from the subject (transformed/mapped) ...
>>   }
>>
>> Thanks,
>> Matias
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
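The delegation exchange sketched in the quoted message, written out as an added example (not code from this thread or from any OpenID Foundation project): the `delegate()` function, the `ISSUER` value, the `act_as` claim name taken from the proposal, and the use of HS256 with a shared key are all assumptions for illustration.

```python
import base64, hashlib, hmac, json

ISSUER = "http://server.example.com"  # assumed issuer of both tokens

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS, HS256 (a real OP would use an asymmetric alg)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Check alg and signature before trusting any claim."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))

def delegate(user_id_token: str, caller_client_id: str, target: str,
             key: bytes, now: int, ttl: int = 3600) -> dict:
    """Delegation endpoint: swap the caller's id_token for one scoped to target.
    caller_client_id is the client authenticated by HTTP Basic on the request."""
    claims = verify_jwt(user_id_token, key)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # A client may only delegate a token that was issued to it (aud names it).
    aud = claims.get("aud")
    if caller_client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    delegated = {
        "iss": ISSUER,
        "aud": target,                 # usable at the downstream service only
        "sub": claims["sub"],          # original caller subject preserved
        "act_as": caller_client_id,    # who acts on the subject's behalf
        "iat": now, "exp": now + ttl,  # short-lived, like the proposed response
    }
    return {"token_type": "Bearer", "expires_in": ttl,
            "id_token": sign_jwt(delegated, key)}
```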