[mitreid-connect] Creation of the ID token using the user name only.

Michael Furman michael_furman at hotmail.com
Thu Sep 1 11:28:14 EDT 2016


Hi Justin,
Thank you!

> Sounds like you're doing a back end access on behalf of a user without involving the user.
Probably that is correct.
I will describe the use case.
You have in your deployment 2 applications (both of which you created).
Both applications are authenticated against LDAP (therefore you do not have access to the password).
Also the user "bob" in application one is the same user "bob" in the second application.
And now you need to execute the REST API from the backend of the first application to the second application.
Why is it a dangerous pattern?


I want to integrate both applications with RP and to authenticate against the same IDP.

Then I want to be able to access from one application to the second one on behalf of the user without providing the password.
How is it possible?
Best regards,
   Michael



________________________________
From: Justin Richer <jricher at mit.edu>
Sent: Thursday, September 1, 2016 5:15 PM
To: Michael Furman; mitreid-connect at mit.edu
Subject: RE: [mitreid-connect] Creation of the ID token using the user name only.

No, this is not an ID token anymore. Why do you need a token like that anyway?

Sounds like you're doing a back end access on behalf of a user without involving the user. This is usually a dangerous pattern, and most of the time the normal authorization code flow is preferred.



--Justin

Sent from my phone

-------- Original message --------
From: Michael Furman <michael_furman at hotmail.com>
Date: 9/1/16 4:57 PM (GMT+02:00)
To: mitreid-connect at mit.edu
Subject: [mitreid-connect] Creation of the ID token using the user name only.

Hi all,
Is it possible to create the ID token using the user name only?
I need to access from one application to another using the REST API while I have in my hand only the user name.

Both applications trust each other and therefore I do not need to authenticate a user.
(In addition I cannot authenticate a user since I do not have a user password.)
How is it possible to do it using mitreid-connect?
Thank you in advance for your help.
Best regards,
   Michael
