<div class="socmaildefaultfont" dir="ltr" style="font-family:"Helvetica Neue", Helvetica, Arial, sans-serif;font-size:10.5pt" ><div dir="ltr" >Hi,</div>
<div dir="ltr" > </div>
<div dir="ltr" >I am looking to use MitreID Connect in a project of ours but I'm going in circles trying to work out how best to implement it. Hopefully someone on this list can give me some direction.</div>
<div dir="ltr" > </div>
<div dir="ltr" >We have a server which hosts a set of APIs which we want to give certain apps and third party scripts granular access to.</div>
<div dir="ltr" >The apps are installed by an admin on the server, and then ran in an external docker container. We would want apps to be able to request permissions, and then for the admin user to be prompted that the app is requesting these permissions. The admin user would then accept or deny them. Ideally this would happen when the app is initially installed by the admin user.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Also we want third party scripts to be able to access the APIs.</div>
<div dir="ltr" > </div>
<div dir="ltr" >On top of that we want normal users to allow apps to do actions on the server on their behalf, all through the APIs.</div>
<div dir="ltr" > </div>
<div dir="ltr" >Given all that I had thought:</div>
<div dir="ltr" > </div>
<div dir="ltr" >* Authenticating the apps could be done with the authentication code flow, except that the redirects are interactive and browser based. I looked at 2 leg auth and other flows include creating accounts for each app on the server but I'm a little unsure about this.</div>
<div dir="ltr" > </div>
<div dir="ltr" >* For third party scripts, the implicit flow seems good, though I presume an admin user would need to create a user for the script and generate an ID for the script to authenticate with</div>
<div dir="ltr" > </div>
<div dir="ltr" >* For apps actioning APIs as a user I thought the JWT from OpenID Connect would enable this, obviously with work needing to be done in the APIs to support that. Is that correct?</div>
<div dir="ltr" > </div>
<div dir="ltr" >Any help appreciated.</div>
<div dir="ltr" >Thanks</div>
<div dir="ltr" >Wil Hadden</div>
<div dir="ltr" > </div></div>Unless stated otherwise above:<BR>
IBM United Kingdom Limited - Registered in England and Wales with number 741598. <BR>
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU<BR>
<BR>