<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p></p>
<div>
<p class="MsoNormal">Hi Justin,<br>
Thank you!</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">> Sounds like you're doing a back end access on behalf of a user without involving the user.</p>
<p class="MsoNormal">Probably it is correct.</p>
<p class="MsoNormal">I will describe the use case.</p>
<p class="MsoNormal">You have in your deployment 2 applications (that both you created).</p>
<p class="MsoNormal">Both applications are authenticated against LDAP (therefore you do not have the access to the password).</p>
<p class="MsoNormal">Also the user “bob” in application one is the same user “bob” in the second application.</p>
<p class="MsoNormal">And now you need to execute REST API from the backend of the first application to the second application.</p>
<p class="MsoNormal">Why it is a dangerous pattern?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I want to integrate both applications with RP and to authenticate against the same IDP.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Then I want to be able to access from one application to the second one on behalf of the user without the providing of the password.</p>
<p class="MsoNormal">How it is possible?</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal"><span style="mso-spacerun:yes"> </span>Michael</p>
</div>
<br>
<p></p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Justin Richer <jricher@mit.edu><br>
<b>Sent:</b> Thursday, September 1, 2016 5:15 PM<br>
<b>To:</b> Michael Furman; mitreid-connect@mit.edu<br>
<b>Subject:</b> RE: [mitreid-connect] Creation of the ID token using the user name only.</font>
<div> </div>
</div>
<div>
<div>No, this is not an ID token anymore. Why dio you need a token like that anyway? </div>
<div><br>
</div>
<div>Sounds like you're doing a back end access on behalf of a user without involving the user. This is usually a dangerous pattern, and most of the time the normal authorization code flow is preferred. </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div id="composer_signature">
<div style="font-size:85%; color:#575757">--Justin</div>
<div style="font-size:85%; color:#575757"><br>
</div>
<div style="font-size:85%; color:#575757"> <i>Sent from my phone</i></div>
</div>
<div><br>
</div>
<div style="font-size:100%; color:#000000">
<div>-------- Original message --------</div>
<div>From: Michael Furman <michael_furman@hotmail.com> </div>
<div>Date: 9/1/16 4:57 PM (GMT+02:00) </div>
<div>To: mitreid-connect@mit.edu </div>
<div>Subject: [mitreid-connect] Creation of the ID token using the user name only.
</div>
<div><br>
</div>
</div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<p></p>
<div>
<p class="MsoNormal">Hi all,</p>
<p class="MsoNormal">Is it possible to create the ID token using the user name only?</p>
<p class="MsoNormal">I need to access from one application to another using the REST API while I have in my hand only the user name.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Both applications trust each other and therefore I do not need to authenticate a user.</p>
<p class="MsoNormal">(In addition I can not authenticate a user since I do not have a user password).</p>
<p class="MsoNormal">How is possible to do it using mitreid-connect?</p>
<p class="MsoNormal">Thank you in advance for your help.</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal"><span style=""> </span>Michael</p>
</div>
<br>
<p></p>
</div>
</div>
</div>
</div>
</body>
</html>