[Openid-specs-ab] Using OpenID Connect ID Token for API Security (authentication)

Prabath Siriwardena prabath at wso2.com
Thu Jun 5 05:43:00 UTC 2014


I have the following SOAP use case...

1. Using WS-Trust, I authenticate to the STS and get a SAML Bearer Token
with the required set of claims.
2. I use this as a supporting token to access a SOAP service.
3. The SOAP service will validate the signature of the SAML token and, if it is
valid, I will be able to access it.

Now I am thinking of implementing the same in the following manner for REST
APIs.

1. Using OpenID Connect, talk to the token endpoint with the client credentials
grant type and get a signed ID token with the required set of claims.
2. Set the JWT token in an HTTP header and talk to the secured API.
3. The API should validate the signature of the JWT and, if it's valid and if it
trusts the issuer, should let me in.

But I find some limitations in the spec to implement my REST use case.

1. The OpenID Connect specification does not talk about the client credentials
grant type? At the same time it does not say it's a MUST to use
authorization code or implicit.

2. AFAIK there is no HTTP binding to pass a JWT - please let me know if
there is any?

Appreciate your thoughts on this...


Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org
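The REST flow described in the post, step 3 in particular, hinges on what the API does when a signed JWT arrives. The following is an added example, not code from the post or from WSO2, showing the validation an API should perform before trusting the claims: pin the expected algorithm (never let the token pick it), verify the RS256 signature against the issuer's public key, and only then check `iss`, `aud` and `exp`. It assumes the token is carried as `Authorization: Bearer <jwt>` (the RFC 6750 bearer scheme) and uses a locally generated RSA key to stand in for the issuer; the issuer and audience URLs are constructed placeholders, and `aud` is treated as a single string although OpenID Connect also allows an array.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims the API checks (constructed for
// this example; aud is modelled as a single string).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// mintToken stands in for the issuer's token endpoint (hypothetical): it
// signs base64url(header).base64url(payload) with RS256.
func mintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Validator holds what the API trusts: the issuer's public key, the issuer
// identifier, and its own identifier as the expected audience.
type Validator struct {
	Issuer   string
	Audience string
	Key      *rsa.PublicKey
	Now      func() time.Time // injectable clock for deterministic tests
}

// Validate checks an Authorization header value and returns the claims only
// if alg, signature, issuer, audience and expiry all pass.
func (v Validator) Validate(authHeader string) (*Claims, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return nil, errors.New("missing bearer token")
	}
	parts := strings.Split(strings.TrimPrefix(authHeader, prefix), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm: the token must not choose it ("none", HMAC, ...).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// The payload is trusted only after the signature has been verified.
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != v.Issuer {
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	if c.Aud != v.Audience {
		return nil, fmt.Errorf("token not intended for this API (aud %q)", c.Aud)
	}
	if v.Now().Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the issuer's signing key
	now := time.Now()
	tok, _ := mintToken(key, Claims{Iss: "https://idp.example", Sub: "client-1",
		Aud: "https://api.example", Exp: now.Add(5 * time.Minute).Unix()})
	v := Validator{Issuer: "https://idp.example", Audience: "https://api.example",
		Key: &key.PublicKey, Now: func() time.Time { return now }}
	claims, err := v.Validate("Bearer " + tok)
	fmt.Printf("claims=%+v err=%v\n", claims, err)
}
```

The ordering matters: decoding and reading claims before the signature check invites decisions based on attacker-controlled data, and accepting whatever `alg` the header names is the classic way a verifier ends up treating an RSA public key as an HMAC secret or accepting unsigned tokens. In a deployment the public key would come from the issuer's JWKS endpoint and be selected by the `kid` header, which this example omits.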