[Openid-specs-ab] Using OpenID Connect ID Token for API Security (authentication)

John Bradley ve7jtb at ve7jtb.com
Thu Jun 5 12:38:33 UTC 2014


Some of this is being discussed in the Native apps WG. 

If the client is a server then I think you want OAuth using a JWT access token.  Connect may be useful but this sounds like plain OAuth. 

The OAuth proof of possession drafts have a resource parameter.


> On Jun 5, 2014, at 1:43 AM, Prabath Siriwardena <prabath at wso2.com> wrote:
> 
> I have the following SOAP use case...
> 
> 1. Using WS-Trust - I authenticate to the STS - and get a SAML Bearer Token with the required set of claims..
> 2. I use this as a supporting token to access a SOAP service.
> 3. SOAP service will validate the signature of the SAML token and if it is valid - I will be able to access it.
> 
> Now I am thinking of implementing the same in the following manner for REST APIs.
> 
> 1. Using OpenID Connect talk to the token endpoint with client credential grant type and get a signed ID token with the required set of claims.
> 2. Set the JWT token in an HTTP header and talk to the secured API.
> 3. API should validate the signature of the JWT and if it's valid and if it trusts the issuer - should let me in.
> 
> But - I find some limitations in spec to implement my REST use case.
> 
> 1. OpenID Connect specification does not talk about client credentials grant type? At the same time it does not say it's a MUST to use authorization code or implicit.
> 
> 2. AFAIK there is no HTTP binding to pass a JWT - please let me know if there is any?
> 
> Appreciate your thoughts on this...
> 
> 
> Thanks & Regards,
> Prabath
> 
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> 
> Mobile : +94 71 809 6732
> 
> http://blog.facilelogin.com
> http://blog.api-security.org
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
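The following is an added example, not code from either message in the thread, showing what the resource-server side of the REST flow above looks like when the API receives a JWT as a bearer token and must decide whether to "let me in". It implements the checks John's reply implies (a JWT access token whose `aud` names the resource, as opposed to an ID token whose `aud` is the client_id) alongside the signature and issuer checks in step 3 of the quoted message. The issuer URL `https://sts.example`, the audience `https://api.example/orders`, the shared secret and the use of HS256 are all constructed assumptions so the block runs offline; a real STS would publish asymmetric keys and the API would verify RS256/ES256 against them. The function and claim names are the example's own, not from any spec or library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the thread). A deployment
# would key this on the STS's published signing keys, not a shared secret.
TRUSTED_ISSUERS = {"https://sts.example": b"constructed-demo-secret"}
API_AUDIENCE = "https://api.example/orders"


class TokenRejected(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Compact JWS-signed JWT. alg='none' models the classic unsigned-token forgery."""
    signing_input = _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, expected_aud: str, now=None) -> dict:
    """Return the claims if the token is acceptable for this API, else raise TokenRejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("undecodable segment")
    # Pin the algorithm: the token's own header must not select 'none' or another scheme.
    if header.get("alg") != "HS256":
        raise TokenRejected("unsupported alg %r" % header.get("alg"))
    # Choose the key by 'iss'; the claim is only believed once the signature checks under that key.
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise TokenRejected("untrusted issuer %r" % claims.get("iss"))
    expected = hmac.new(key, (head_b64 + "." + body_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    # Audience: an ID token is audienced to the client_id, an access token to the resource.
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token not issued for this resource (aud=%r)" % aud)
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenRejected("not yet valid")
    return claims


def decide(headers: dict, now=None) -> str:
    """What the API does with one request: 'accept <sub>' or 'reject <reason>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return "reject no bearer token"
    try:
        return "accept " + str(verify_jwt(token.strip(), API_AUDIENCE, now)["sub"])
    except TokenRejected as e:
        return "reject " + str(e)


def sample_requests(now: int) -> dict:
    """Constructed requests covering the cases the API must tell apart."""
    key = TRUSTED_ISSUERS["https://sts.example"]
    base = {"iss": "https://sts.example", "sub": "client-123", "aud": API_AUDIENCE,
            "iat": now, "exp": now + 300}

    def bearer(tok):
        return {"Authorization": "Bearer " + tok}

    good = mint_jwt(base, key)
    head, _, sig = good.split(".")
    return {
        "access_token": bearer(good),
        "id_token_for_client": bearer(mint_jwt({**base, "aud": "client-123"}, key)),
        "alg_none": bearer(mint_jwt(base, key, alg="none")),
        "unknown_issuer": bearer(mint_jwt({**base, "iss": "https://evil.example"}, b"x")),
        "expired": bearer(mint_jwt({**base, "exp": now - 1}, key)),
        "tampered_sub": bearer(head + "." + _segment({**base, "sub": "admin"}) + "." + sig),
        "no_header": {},
    }


if __name__ == "__main__":
    for name, req in sample_requests(int(time.time())).items():
        print("%-20s %s" % (name, decide(req)))
```

The `id_token_for_client` case is the one the quoted message's design runs into: a token whose signature and issuer are both fine is still rejected because its `aud` is the client, not the API. The `alg_none` and `tampered_sub` cases show why the algorithm is pinned in the verifier rather than read from the token header, and why the signature is checked before any claim is acted on.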