[mitreid-connect] Regd OpenIdConnect Protected Resource

Justin Richer jricher at mit.edu
Wed Jul 15 16:44:00 EDT 2015


Hi Ananth,

A few things here. First, your Angular app should be able to use the implicit flow since it’s entirely in-browser, but you won’t be able to use the MITREid Connect client code. You’ll need a JavaScript-based OpenID Connect client for that, and it’s going to have its own configuration. You don’t necessarily need all of the configuration components that are found in the MITREid Connect client for your use case; the MITREid Connect client is meant to be a general-purpose library that’s applicable to a wide variety of situations, and your use case is likely smaller than that.

Note that the implicit flow is really only meant for session-sharing between applications and isn’t a good fit for apps that have any kind of backend. For systems that do have a backend component, the code flow is highly preferred.

To access the REST service, you’ll want to use the Access Token and not the ID token. You should never send your ID token outside of your client application. At this point you’re not logging in to the REST service, but you’re accessing it on behalf of the logged-in user.

When doing introspection, the response is only going to tell you which scopes are attached to the token that’s being introspected. So in this case, if the access token only has the “openid” scope then the introspection response is going to tell you that it only has the “openid” scope. You won’t be able to “up scope” the token at the resource to be able to use it for user information, at least not without hacking the server. This is designed this way for security reasons. Introspection *will* give you a user identifier for the user that authorized the token, but it won’t (by default) give you extra bits of user information that you might be expecting, like what you get from the UserInfo Endpoint in OpenID Connect. You can extend MITREid Connect’s introspection response to include custom information, and I know of a few people who have done exactly that.

Hope this helps,
 — Justin
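As an added illustration of the introspection point above (not code from MITREid Connect or from either poster), the following resource-server-side check consumes an RFC 7662-style introspection response and enforces the scope it reports. The introspection responses, token values and the JWT-shaped ID-token string are constructed samples; a real resource server would obtain the response by POSTing the token to the authorization server's introspection endpoint with its own client credentials.

```python
"""Resource-server enforcement of OAuth 2.0 token introspection results.

Added example, not MITREid Connect code. The responses below are constructed
samples in the RFC 7662 shape (active, scope, sub, client_id, exp).
"""
import time
from typing import Optional, Tuple

# Constructed introspection responses keyed by the (opaque) access token value.
INTROSPECTION_RESPONSES = {
    "tok-openid-only": {
        "active": True,
        "scope": "openid",
        "sub": "user-123",          # identifier of the user who authorized the token
        "client_id": "angular-app",
        "exp": 4102444800,          # far-future expiry, epoch seconds (constructed)
    },
    "tok-openid-profile": {
        "active": True,
        "scope": "openid profile email",
        "sub": "user-123",
        "client_id": "angular-app",
        "exp": 4102444800,
    },
    "tok-revoked": {"active": False},
}

# Scopes the resource server itself is registered with at the authorization
# server (hypothetical). They bound what the resource may require, but they
# never enlarge a token: only the scopes returned by introspection count.
RESOURCE_REGISTERED_SCOPES = {"openid", "profile", "email", "address"}


def introspect(token: str) -> dict:
    """Stand-in for the introspection call. Anything the authorization server
    does not know as an access token (including an ID token sent as a bearer
    token by mistake) comes back inactive."""
    return INTROSPECTION_RESPONSES.get(token, {"active": False})


def authorize(token: str, required_scope: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether `token` may call a resource that needs `required_scope`.

    Returns (allowed, detail): `detail` is the authorizing user's `sub` when
    allowed, otherwise the reason for refusal."""
    if required_scope not in RESOURCE_REGISTERED_SCOPES:
        return False, f"resource is not registered for scope {required_scope!r}"
    info = introspect(token)
    if not info.get("active", False):
        return False, "token is not active"
    exp = info.get("exp")
    current = time.time() if now is None else now
    if exp is not None and exp <= current:
        return False, "token has expired"
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        # No "up-scoping": the resource cannot add scopes the user never granted,
        # however many scopes the resource itself is registered for.
        return False, f"token grants {sorted(granted)}, not {required_scope!r}"
    return True, info["sub"]


# Constructed, unsigned JWT-shaped string standing in for an ID token. It is
# not an access token, so the authorization server does not recognize it.
CONSTRUCTED_ID_TOKEN = (
    "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyLTEyMyIsImF1ZCI6ImFuZ3VsYXItYXBwIn0."
)

if __name__ == "__main__":
    cases = [
        ("tok-openid-only", "profile"),      # openid-only token cannot read profile
        ("tok-openid-profile", "profile"),   # token actually carries the scope
        ("tok-revoked", "openid"),           # inactive token
        (CONSTRUCTED_ID_TOKEN, "openid"),    # ID token is not an access token
    ]
    for tok, scope in cases:
        print(f"{tok[:20]:<20} {scope:<8} -> {authorize(tok, scope)}")
```

The decision rests entirely on what introspection returns for the presented token; `RESOURCE_REGISTERED_SCOPES` only limits which scopes the resource may demand, which is why an `openid`-only token is refused for `profile` even though the resource is registered for it.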

> On Jul 15, 2015, at 2:13 PM, Ananth Ramchandran <ramchandran.ananth at gmail.com> wrote:
> 
> Hello Justin,
> 
> First of all, thank you for implementing an easy to understand application of the OpenID Connect protocol. I have implemented the OpenID Connect Server using the maven overlay method and have configured an AngularJS client app to generate access tokens. I have configured the AngularJS app with Spring so as to support the authorization code grant type. (I was not able to figure out how to consume the MITREid OpenID Connect client for implicit flow for a purely AngularJS app.)
> 
> Currently I have three applications: Auth application (Maven overlay of MITREid Connect), Spring-backed AngularJS application, Resource application (REST-based application).
> 
> 1) My scenario is to set just the openid scope on the AngularJS app and generate the token, then pass it to the Resource application which has all the scopes to retrieve user information. Forgive me if I completely misunderstood the OAuth2 protocol, but my understanding was that since the Resource has all scopes, when the introspection occurs it would recover all user-related information. Is this the wrong thought process, and if so do I have to have the Spring-backed AngularJS app have all the scopes?
> 
> 2) Question 1 led me to this question. Having a Spring-backed AngularJS app requires me to manage 3 wars, which I want to eliminate. The issue is the configuration required to register the client application as a client (static client, dynamic and hybrid), server configurations, keystores for encryption. I could do this with a Java class but I am completely lost as to how to achieve this in AngularJS. Any advice as to how to go about doing this would be greatly appreciated. I found this handy directive (http://andreareginato.github.io/oauth-ng/#introduction) which can be used, but I couldn't figure out how to incorporate the heavy configuration needed for the client.
> 
> 
> Thanks and Regards,
> Ananth Ramchandran
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
