[mitreid-connect] Authenticating the Consumer for the authorisation?

Justin Richer jricher at mit.edu
Tue Feb 24 08:59:17 EST 2015


At the Authorization endpoint, there’s nothing in core OAuth that will authenticate the client. The authentication comes on the back end when the token is issued in response to the auth code (in the auth code flow at least). So the easy solution is to have the part that costs money come into play in the back end, when the token is created and the client is authenticated, if you can manage that. If not, you do have some other options.

With OpenID Connect, you do have a mechanism for authenticating the authorization request: the request object. Assuming your server supports request objects, and your client can generate and sign them, which the server and client of MITREid Connect both do. You need to register your public key with the server and use your private key to sign the request object, or use your client secret to symmetrically sign the request object. Either way you likely need to register your client’s request object signing algorithm with the server. You can configure the MITREid Connect client to send signed request objects by using the SignedAuthorizationRequest component, detailed here:

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration#signed-authorization-request

  — Justin

> On Feb 24, 2015, at 6:09 AM, Lachezar Dobrev <l.dobrev at paladin.bulgarpress.com> wrote:
> 
>  Hey all.
> 
>  I am developing an OpenID-Connect provider.
>  After some serious head-banging I've succeeded in making a provider
> that the MitreID-Connect simple-web-app can authenticate/authorise via.
> 
>  Now the problem I'm facing is authenticating the authorisation
> requests. The implementation has an authorisation procedure that costs
> money. However the authorisation request only contains a client_id that
> can be (relatively) easily duplicated and used to perform authorisation
> requests on behalf of a real client.
>  If I understand correctly the authentication/authorisation process
> begins with the Client forwarding the User for the Provider, hence no
> Headers can be sent with the Authorisation request.
>  What options do I have to authenticate the Client?
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
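The request-object check Justin describes, as an added example that is not from the original thread or from MITREid Connect: the provider treats the `request` parameter as a JWS signed with the client secret registered for that client_id (the symmetric option), so a duplicated client_id alone cannot trigger the paid authorisation step. The issuer URL, client registry and secret are constructed for illustration.

```python
# Added example (not MITREid Connect code): provider-side verification of an
# OpenID Connect request object signed symmetrically with the client secret
# (HS256). Issuer, client registry and secret below are constructed values.
import base64, hashlib, hmac, json

ISSUER = "https://op.example.com"          # constructed provider issuer
# Constructed client registry: client_id -> (client_secret, request_object_signing_alg)
CLIENTS = {"paid-client": ("s3cr3t-registered-out-of-band", "HS256")}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request_object(client_id: str, secret: str, claims: dict) -> str:
    """Client side: build a compact JWS (HS256) carrying the authorization request."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iss=client_id, aud=ISSUER, client_id=client_id)
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(body).encode())}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_authorization_request(query: dict) -> dict:
    """Provider side: authenticate the authorization request via its request object.
    Returns the verified claims or raises ValueError (the request must be refused)."""
    client_id = query.get("client_id")
    if client_id not in CLIENTS:
        raise ValueError("unknown client_id")
    secret, alg = CLIENTS[client_id]
    if "request" not in query:
        raise ValueError("signed request object required for this client")
    try:
        h64, p64, s64 = query["request"].split(".")
    except ValueError:
        raise ValueError("malformed request object")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm to the one registered for the client; never trust the header alone.
    if header.get("alg") != alg or alg != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature: request not from the registered client")
    claims = json.loads(_b64url_decode(p64))
    # The request object must bind to the same client_id and be addressed to this issuer.
    if claims.get("iss") != client_id or claims.get("client_id") != client_id:
        raise ValueError("client_id mismatch between query and request object")
    if claims.get("aud") != ISSUER:
        raise ValueError("request object not intended for this provider")
    return claims
```

Only after `verify_authorization_request` returns should the provider start the step that costs money; a request carrying just a copied client_id and no valid `request` parameter is refused before that point.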