[mitreid-connect] How to use OIDC Server as OAuth server?

Justin P Richer jricher at mit.edu
Tue Oct 21 10:41:54 EDT 2014


Marcin,

You can definitely register non-OIDC scopes in the system, and most major deployments of the server are set up that way. You can log in as the administrator and add them to the "system scopes" there, and then add them to the "access" page of registered clients. You can actually add scopes to registered clients that aren't listed as system scopes, but those won't get icons and descriptions on the authorization page.

However, this does not limit the scopes per-user. Your protected resource needs to be able to sort that out on its own, but it can do so by using token introspection with the server to find out the user identifier and set of scopes the token was issued for.

 -- Justin
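The pattern Justin describes, as an added example rather than code from MITREid Connect or from either poster: a protected resource posts the bearer token to the server's RFC 7662 introspection endpoint (authenticating with its own client credentials), reads back the subject and scopes, and then enforces the per-user policy itself, since the server does not limit scopes per user. The endpoint URL, resource-server credentials, the `RESOURCES` ownership table and the `files.read` scope are assumptions for illustration; the response fields used (`active`, `scope`, `sub`, `exp`) are the standard introspection ones. The HTTP call is injectable so the policy logic can be exercised offline with a constructed response.

```python
"""Added example: a protected resource using token introspection for
per-user authorization.  Not MITREid Connect's own code; endpoint,
credentials and the ownership table below are hypothetical."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Hypothetical deployment values (assumed, not from the original post).
INTROSPECTION_URL = "https://op.example.org/openid-connect-server/introspect"
RS_CLIENT_ID = "file-resource"        # the resource server's own client registration
RS_CLIENT_SECRET = "rs-secret"

# Constructed per-user policy kept by the resource, not by the OIDC server:
# resource name -> owner subject and the subjects the owner has shared it with.
RESOURCES = {
    "files/report.pdf": {"owner": "marcin", "shared_with": {"alice"}},
    "files/notes.txt": {"owner": "alice", "shared_with": set()},
}


def _urllib_post(url, body, headers):
    """Default transport: a real POST to the introspection endpoint."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def introspect(token, http_post=_urllib_post):
    """Ask the server what the token means.  The resource authenticates with
    HTTP Basic using its own client id/secret; the token goes in the form body
    (RFC 7662), never in the URL where it would land in access logs."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return json.loads(http_post(INTROSPECTION_URL, body, headers))


def authorize(info, resource, required_scope, now=None):
    """Local policy decision on an introspection response.
    Returns (allowed, reason).  The server tells us who the token was issued
    for and with which scopes; whether that user may touch this resource is
    decided here, against the resource's own ownership table."""
    now = time.time() if now is None else now
    if not info.get("active"):
        return False, "token inactive"
    exp = info.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    scopes = set(info.get("scope", "").split())   # space-separated per RFC 7662
    if required_scope not in scopes:
        return False, f"missing scope {required_scope}"
    sub = info.get("sub")
    entry = RESOURCES.get(resource)
    if entry is None:
        return False, "no such resource"
    if sub == entry["owner"] or sub in entry["shared_with"]:
        return True, "ok"
    return False, f"{sub} is not owner or grantee of {resource}"


def check_access(token, resource, required_scope="files.read",
                 http_post=_urllib_post, now=None):
    """Full path: introspect the presented token, then apply local policy."""
    return authorize(introspect(token, http_post), resource, required_scope, now)
```

Two things to keep in mind when wiring this up: the resource server must itself be registered as a client that the server permits to call the introspection endpoint, and the `sub` values in the ownership table must be the same subject identifiers the server returns, or every check silently fails closed. Introspecting on each request (rather than trusting claims inside a self-contained token) also means revocation takes effect immediately, at the cost of one round trip per request.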
________________________________________
From: mitreid-connect-bounces at mit.edu [mitreid-connect-bounces at mit.edu] on behalf of Marcin Krystek [mkrystek at man.poznan.pl]
Sent: Tuesday, October 21, 2014 9:49 AM
To: mitreid-connect at mit.edu
Subject: [mitreid-connect] How to use OIDC Server as OAuth server?

Hello,

I'm using MITRE OIDC server to authenticate users and it works well. Now
I would like to expand this scenario and add an authorization part.

Let's assume that each user may have some specific resources, like e.g.
files. I need to restrict access to these resources to their owners. The
user should also be able to grant access to some of his resources to
other users.

Since the OpenID Connect protocol is built on top of OAuth, I'm
wondering if it is possible to use MITRE OIDC server in the above scenario?
Is it possible to register user-specific resources and allow users to
define access policies for these resources?

Regards,
Marcin

_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect