[mitreid-connect] SSO implementation questions

Justin Richer jricher at mit.edu
Tue Jun 30 18:33:10 EDT 2015 

Hi Asher,

1) Since you’re using a bearer token in OIDC, you can use the UserInfo Endpoint to determine which use authorized the token. But be careful that you don’t confuse this for the user having authenticated at the protected resource (B), because they haven’t.

2) Token Introspection is its own specification:

https://tools.ietf.org/html/draft-ietf-oauth-introspection

3) There are several codebases that do token introspection on the client side, including the MITREid client library:

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config>

 — Justin

> On Jun 30, 2015, at 9:27 AM, Asher Nave <asher.nave at teamaol.com> wrote:
> 
> 
> 
> Hi all,
> 
> I’ve started this thread yesterday as an issue on https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/85 <https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/85>
> I got a response from Justin (see below) stating that this is the right place to post it and I have some followup questions (down below)
> >>>>>
> 
> Hi there,
> 
> I have a question regarding mitreid connect client implementation and I wasn’t sure where should I post it. Feel free to direct me to the right place.
> I am implementing a resource server, rest-api-server, that I want to work with open id connect with its clients. The full scenario is that I have:
> 1. a web application (A) which is an openid connect client - implemented based on your sample-web-app.
> 2. Web application B, an existing restful web server that I want to secure and get identity data to it using opened connect
> 3. An openid connect server (openAM implementation by Aol)
> I need web application A to do a restful call to web application B.I already modified the sample to add the rest call to B.
> 
> All services are spring-java based and it looks like your solution might fit them perfectly.
> 
> My questions are:
> 1. I understand that I need to send the Access Token in the A to B rest request. Is this true or should I use ID token or authorization code instead?
> 2. What should be the configuration of B application in this case? it looks like OIDCAuthenticationFilter does authentication only on URL with a specific suffix (“/openid_connect_login” by default)
> 3. Should there be another way to do authentication in the B application using the access token?
> 4. Do you have a sample for this scenario. It looks to me like the typical SSO scenario and yet I can’t find resources about it.
> 
> I’ll appreciate your answers.
> Thanks,
> 
> Asher Nave
> 
> jricher:
> 
> The mailing list (mitreid-connect at mit.edu <mailto:mitreid-connect at mit.edu>) is probably a better place for this kind of question, but I'll answer your questions here:
> 
> 1) You use the access token. You should never send the ID token outside of your application -- it's intended to be consumed by your application directly. If you were to send the ID token to B, B should reject it anyway because (a) the token didn't come from the AS and (b) the token was audience restricted to A.
> 
> 2) Your application "B" is an OAuth protected resource. This actually has nothing to do with OpenID Connect, since the user will not be present on the call from A to B -- it's A acting on behalf of the user at B. B just needs to know which user is acting, so that's where something like Token Introspection will help, since that will give B a means of calling the AS to find out what the token is good for. I don't know if your server (OpenAM) supports introspection or has another way to get authorization data to a distributed resource server.
> 
> 3) You're not actually authenticating the user at B, you're getting authorization information related to the token, which includes information of who authorized the token. It's important to realize, though, that the user isn't necessarily still there (authenticated) when A makes the call to B.
> 
> 4) It's not really SSO as you're describing it but rather simple OAuth, with the difference being that OpenID Connect is being used to authenticate the user to the client application in addition to OAuth authorizing access to multiple resources (like B) in addition to the identity information. This is all pretty straightforward and relatively common OAuth, but approaching it as an SSO problem might have been leading you in the wrong direction.
> 
> <<<<
> 
> So now my questions are regarding the actual implementation that is needed on the B application (the “resource server”)
> 1. If I need identity information as part of the user context in the app and also verify the access token, isn’t the “userInfo” endpoint on the server side exactly what is for.
> 2. How do I do token introspective otherwise?
> 3. Do you have a sample for this kind of process?
> 
> Thanks,
> Asher Nave
> 
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20150630/c2bb68ff/attachment.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20150630/c2bb68ff/attachment.bin

More information about the mitreid-connect mailing list