<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>No, this won't work and isn't using OAuth properly. You don't want the client app to intercept the credentials; you can have the server accept them directly. We've deployed the server using Kerberos authentication, but the client and RP never see the Kerberos tickets.</div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757">--Justin</div></div><div><br></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: Michael Furman &lt;michael_furman@hotmail.com&gt;</div><div>Date: 9/1/16 4:46 PM (GMT+02:00)</div><div>To: mitreid-connect@mit.edu</div><div>Subject: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.</div><div><br></div></div>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>
<p class="MsoNormal">Hi all,</p>
<p class="MsoNormal">I want to extend mitreid-connect IDP and to support additional authentication schemas, like Basic Authentication (or Kerberos).</p>
<p class="MsoNormal">I read the following document:</p>
<pre><a id="LPlnk829346" href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration</a></pre>
<br>
<p class="MsoNormal">In the current version we have RestAPI clients that access our application with Basic Authentication.</p>
<p class="MsoNormal">I just want to ensure the following flow will work when we start to use OpenID-Connect.</p>
<p class="MsoListParagraphCxSpFirst">1) A RestAPI client accesses RP (our application) with the Basic Authentication header</p>
<p class="MsoListParagraphCxSpMiddle">2) RP redirects the request to mitreid-connect IDP using OpenID-Connect protocol</p>
<p class="MsoListParagraphCxSpMiddle">3) The modified mitreid-connect IDP authenticates the request using the Basic Authentication header.</p>
<p class="MsoListParagraphCxSpMiddle">4) mitreid-connect IDP redirects request back using OpenID-Connect protocol</p>
<p class="MsoListParagraphCxSpLast">5) RP (our application) authenticates the request using OpenID-Connect protocol</p>
<p class="MsoNormal">Also, I hope the same flow will work for other authentication schemas (e.g. Kerberos).</p>
<p class="MsoNormal">Thank you in advance for your help.</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal">Michael</p>
</div>
</div>
</body></html>