<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Asher,<div class=""><br class=""></div><div class="">1) Since you’re using a bearer token in OIDC, you can use the UserInfo Endpoint to determine which use authorized the token. But be careful that you don’t confuse this for the user having authenticated at the protected resource (B), because they haven’t.</div><div class=""><br class=""></div><div class="">2) Token Introspection is its own specification:</div><div class=""><br class=""></div><div class=""><a href="https://tools.ietf.org/html/draft-ietf-oauth-introspection" class="">https://tools.ietf.org/html/draft-ietf-oauth-introspection</a></div><div class=""><br class=""></div><div class="">3) There are several codebases that do token introspection on the client side, including the MITREid client library:</div><div class=""><br class=""></div><div class=""><a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config</a></div><div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 30, 2015, at 9:27 AM, Asher Nave <<a href="mailto:asher.nave@teamaol.com" class="">asher.nave@teamaol.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><p style="box-sizing: border-box; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-top: 0px !important;" class=""><br class=""></p><p style="box-sizing: border-box; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-top: 0px !important;" class="">Hi all,</p><div class="">I’ve started this thread yesterday as an issue on <a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/85" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/85</a></div><div class="">I got a response from Justin (see below) stating that this is the right place to post it and I have some followup questions (down below)</div><p style="box-sizing: border-box; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-top: 0px !important;" class="">>>>>></p><p style="box-sizing: border-box; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-top: 0px !important;" class="">Hi there,</p><p style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255);" class="">I have a question regarding mitreid connect client implementation and I wasn’t sure where should I post it. Feel free to direct me to the right place.<br style="box-sizing: border-box;" class="">I am implementing a resource server, rest-api-server, that I want to work with open id connect with its clients. The full scenario is that I have:<br style="box-sizing: border-box;" class="">1. a web application (A) which is an openid connect client - implemented based on your sample-web-app.<br style="box-sizing: border-box;" class="">2. Web application B, an existing restful web server that I want to secure and get identity data to it using opened connect<br style="box-sizing: border-box;" class="">3. An openid connect server (openAM implementation by Aol)<br style="box-sizing: border-box;" class="">I need web application A to do a restful call to web application B.I already modified the sample to add the rest call to B.</p><p style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255);" class="">All services are spring-java based and it looks like your solution might fit them perfectly.</p><p style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255);" class="">My questions are:<br style="box-sizing: border-box;" class="">1. I understand that I need to send the Access Token in the A to B rest request. Is this true or should I use ID token or authorization code instead?<br style="box-sizing: border-box;" class="">2. What should be the configuration of B application in this case? it looks like OIDCAuthenticationFilter does authentication only on URL with a specific suffix (“/openid_connect_login” by default)<br style="box-sizing: border-box;" class="">3. Should there be another way to do authentication in the B application using the access token?<br style="box-sizing: border-box;" class="">4. Do you have a sample for this scenario. It looks to me like the typical SSO scenario and yet I can’t find resources about it.</p><p style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255);" class="">I’ll appreciate your answers.<br style="box-sizing: border-box;" class="">Thanks,</p><div style="box-sizing: border-box; margin-top: 0px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-bottom: 0px !important;" class="">Asher Nave</div><div style="box-sizing: border-box; margin-top: 0px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-bottom: 0px !important;" class=""><br class=""></div><div style="box-sizing: border-box; margin-top: 0px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-bottom: 0px !important;" class="">jricher:</div><div style="box-sizing: border-box; margin-top: 0px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-bottom: 0px !important;" class=""><br class=""></div><div style="box-sizing: border-box; margin-top: 0px; color: rgb(51, 51, 51); font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif; font-size: 14px; line-height: 22.3999996185303px; widows: 1; background-color: rgb(255, 255, 255); margin-bottom: 0px !important;" class=""><p style="box-sizing: border-box; margin-bottom: 16px; line-height: 22.3999996185303px; margin-top: 0px !important;" class="">The mailing list (<a href="mailto:mitreid-connect@mit.edu" style="box-sizing: border-box; color: rgb(64, 120, 192); text-decoration: none; background-color: transparent;" class="">mitreid-connect@mit.edu</a>) is probably a better place for this kind of question, but I'll answer your questions here:</p><p style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; line-height: 22.3999996185303px;" class="">1) You use the access token. You should never send the ID token outside of your application -- it's intended to be consumed by your application directly. If you were to send the ID token to B, B should reject it anyway because (a) the token didn't come from the AS and (b) the token was audience restricted to A.</p><p style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; line-height: 22.3999996185303px;" class="">2) Your application "B" is an OAuth protected resource. This actually has nothing to do with OpenID Connect, since the user will not be present on the call from A to B -- it's A acting on behalf of the user at B. B just needs to know which user is acting, so that's where something like Token Introspection will help, since that will give B a means of calling the AS to find out what the token is good for. I don't know if your server (OpenAM) supports introspection or has another way to get authorization data to a distributed resource server.</p><p style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; line-height: 22.3999996185303px;" class="">3) You're not actually authenticating the user at B, you're getting authorization information related to the token, which includes information of who authorized the token. It's important to realize, though, that the user isn't necessarily still there (authenticated) when A makes the call to B.</p><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class="">4) It's not really SSO as you're describing it but rather simple OAuth, with the difference being that OpenID Connect is being used to authenticate the user to the client application in addition to OAuth authorizing access to multiple resources (like B) in addition to the identity information. This is all pretty straightforward and relatively common OAuth, but approaching it as an SSO problem might have been leading you in the wrong direction.</div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class=""><br class=""></div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class=""><<<<</div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class=""><br class=""></div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class="">So now my questions are regarding the actual implementation that is needed on the B application (the “resource server”)</div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class="">1. If I need identity information as part of the user context in the app and also verify the access token, isn’t the “userInfo” endpoint on the server side exactly what is for.</div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class="">2. How do I do token introspective otherwise? </div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class="">3. Do you have a sample for this kind of process?</div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class=""><br class=""></div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class="">Thanks,</div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class="">Asher Nave</div><div style="box-sizing: border-box; margin-top: 0px; line-height: 22.3999996185303px; margin-bottom: 0px !important;" class=""><br class=""></div></div></div>_______________________________________________<br class="">mitreid-connect mailing list<br class=""><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect<br class=""></div></blockquote></div><br class=""></div></body></html>