[Openid-specs-ab] Using OpenID Connect ID Token for API Security (authentication)

Mike Jones Michael.Jones at microsoft.com
Sun Jun 15 23:09:39 UTC 2014


You’re correct that there’s no defined way to suggest an (additional) audience for the ID Token.  (The Relying Party will always need to be one of the audiences.)

If what you’re after is the act-is or on-behalf-of functionality in WS-Trust, you could have a look at http://tools.ietf.org/html/draft-jones-oauth-token-exchange-00 as a starting point.  I say that with the caveat that I would expect that there will be changes in any final version of the spec, should there be one.

                                                            -- Mike

From: Prabath Siriwardena [mailto:prabath at wso2.com]
Sent: Wednesday, June 04, 2014 10:56 PM
To: openid-specs-ab at lists.openid.net; Mike Jones
Subject: Re: Using OpenID Connect ID Token for API Security (authentication)

And the other limitation I found was: in an OpenID Connect request the client cannot suggest an audience value for the ID token... possibly this is beyond OpenID Connect, or maybe a different profile..?

Thanks & regards,
-Prabath

On Thu, Jun 5, 2014 at 11:13 AM, Prabath Siriwardena <prabath at wso2.com> wrote:
I have the following SOAP use case...

1. Using WS-Trust, I authenticate to the STS and get a SAML Bearer Token with the required set of claims.
2. I use this as a supporting token to access a SOAP service.
3. The SOAP service will validate the signature of the SAML token and, if it is valid, I will be able to access it.

Now I am thinking of implementing the same in the following manner for REST APIs.

1. Using OpenID Connect, talk to the token endpoint with the client credentials grant type and get a signed ID token with the required set of claims.
2. Set the JWT in an HTTP header and talk to the secured API.
3. The API should validate the signature of the JWT and, if it's valid and if it trusts the issuer, should let me in.

But I find some limitations in the spec when implementing my REST use case.

1. The OpenID Connect specification does not talk about the client credentials grant type? At the same time, it does not say it's a MUST to use authorization code or implicit.

2. AFAIK there is no HTTP binding to pass a JWT - please let me know if there is any?

Appreciate your thoughts on this...


Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://blog.api-security.org

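The API-side check from Prabath's step 3 (verify signature, trust the issuer), with the audience rule Mike states (the party consuming the token must be among the `aud` values), as an added example; this is illustration code written for this thread, not from either poster or from any OpenID specification. It uses HS256 with a constructed shared secret so it runs with the standard library only; the issuer URL, audience id and secret are placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real deployment uses the OP's issuer URL, the
# API's registered client_id and a signing key (or JWKS) provisioned out of band.
ISSUER = "https://op.example"                      # assumed issuer
API_AUDIENCE = "api-client-id"                     # the API is the Relying Party
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Build an HS256-signed JWT; stands in for the OP's token endpoint (step 1)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_id_token(token: str, key: bytes = SHARED_SECRET, now=None) -> dict:
    """The API's check (step 3): return the claims if valid, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":            # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:              # "if it trusts the issuer"
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if API_AUDIENCE not in aud:                  # the RP must always be one of the audiences
        raise ValueError("token not intended for this API")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

The header carriage Prabath asks about in his point 2 is the `Authorization: Bearer <jwt>` header defined by RFC 6750; the API extracts that value and passes it to `validate_id_token`.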