<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Caleb Baker sent me the following request about how to support native apps with helper Web services. What guidance can we give him and others wanting to implement this scenario? I know that at least Google uses the “azp” claim in ID Tokens
as part of supporting this. How exactly is it used in this scenario? How does the OP know when to include an “azp” claim and what value to use?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I’m looking for guidance on the use of OpenID Connect by mobile applications that are backed by a Web API. As an example, take a game app that stores the user’s profile, including game state on a back end web
service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">1. The user starts the game app on a new device.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2. In a web view hosted by the app, they authenticate at their OP and grant permission for the app accessing their profile.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">3. The response is returned to the app
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">4. The app accesses the backing Web API to get the user profile info<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">5. The service backing the Web API is granted access to call the UserInfo endpoint and get additional information about the user<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">6. The app makes additional calls to the Web API to save and retrieve game state each time the app opens and closes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I’ve considered using the hybrid flow, with ‘response_ type=code id_token’. Then pass the authorization code to the Web API, so it can access the UserInfo endpoint.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Using that flow I’m not sure how Web API authorized the app to access the user profile in step 4 and step 6.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Is there a recommended approach for accomplishing this scenario with OpenID Connect?<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> -- Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>