<div dir="ltr"><div style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px">Hi everyone,</div><div style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><br></div><div style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px">
Our customers have this typical scenario of a web application consuming web services. In this context, they were using WS-Trust delegation (ActAs) to delegate the identity of the caller. Is there something equivalent to this in the OpenID Connect/OAuth world? I would basically like to have a nicer HTTP alternative to WS-Trust 1.4 ActAs.</div>
<div style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px"><br></div><div style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:13px">Something like:</div><div><pre style="color:rgb(0,0,0);font-size:13px;font-family:'Courier New',Courier,monospace;white-space:pre-wrap;background-color:rgb(204,204,204);padding:4px">
POST /delegation HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

id_token=.....user_id_token....
&target=http://service.example.com</pre><pre style="padding:4px"><pre style="color:rgb(0,0,0);font-size:13px;white-space:pre-wrap;font-family:'Courier New',Courier,monospace;background-color:rgb(204,204,204);padding:4px">
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"token_type":"Bearer",
"expires_in":3600,
"id_token":"... id_token_scoped_to_target ... "
}</pre><pre style="color:rgb(0,0,0);font-size:13px;white-space:pre-wrap;padding:4px"><span style="background-color:rgb(255,255,255)"><font face="arial, helvetica, sans-serif">The resulting id_token would look like this.</font></span></pre>
<pre style="padding:4px"><pre style="color:rgb(0,0,0);font-size:13px;white-space:pre-wrap;font-family:'Courier New',Courier,monospace;background-color:rgb(204,204,204);padding:4px">{
"aud": "http://service.example.com",
"iss": "http://server.example.com",
"act_as": "...client_id of the caller...",
"sub": "...original caller subject name...",
"...": ... more claims from the subject (transformed/mapped) ...
}</pre><font face="arial, helvetica, sans-serif">Thanks,<br>Matias</font></pre></pre></div></div>