[mitreid-connect] Regd OpenIdConnect Protected Resource
Ananth Ramchandran
ramchandran.ananth at gmail.com
Thu Jul 16 14:58:18 EDT 2015
Hi Justin,
Thank you for the explanation. I understand what I
need to do now.
Thanks and Regards,
Ananth Ramchandran
On Wed, Jul 15, 2015 at 3:44 PM, Justin Richer <jricher at mit.edu> wrote:
> Hi Ananth,
>
> A few things here. First, your Angular app should be able to use the
> implicit flow since it’s entirely in-browser, but you won’t be able to use
> the MITREid Connect client code. You’ll need a Javascript-based OpenID
> Connect client for that, and it’s going to have its own configuration. You
> don’t necessarily need all of the configuration components that are found
> in the MITREid Connect client for your use case; the MITREid Connect client
> is meant to be a general-purpose library that’s applicable to a wide
> variety of situations, and your use case is likely smaller than that.
>
> Note that the implicit flow is really only meant for session-sharing
> between applications and isn’t a good fit for apps that have any kind of
> backend. For systems that do have a backend component, the code flow is
> highly preferred.
>
> To access the REST service, you’ll want to use the Access Token and not
> the ID token. You should never send your ID token outside of your client
> application. At this point you’re not logging in to the REST service, but
> you’re accessing it on behalf of the logged in user.
>
> When doing introspection, the response is only going to tell you which
> scopes are attached to the token that’s being introspected. So in this
> case, if the access token only has the “openid” scope then the
> introspection response is going to tell you that it only has the “openid”
> scope. You won’t be able to “up scope” the token at the resource to be able
> to use it for user information, at least not without hacking the server.
> This is designed this way for security reasons. Introspection *will* give
> you a user identifier for the user that authorized the token, but it won’t
> (by default) give you extra bits of user information that you might be
> expecting, like what you get from the UserInfo Endpoint in OpenID Connect.
> You can extend MITREid Connect’s introspection response to include custom
> information, and I know of a few people who have done exactly that.
>
> Hope this helps,
> — Justin
>
> On Jul 15, 2015, at 2:13 PM, Ananth Ramchandran <
> ramchandran.ananth at gmail.com> wrote:
>
> Hello Justin,
>
> First of all Thank you for implementing an easy to
> understand application of the Open Id Connect protocol. I have implemented
> the Open Id Connect Server using the maven overlay method and have
> configured an angularjs client app to generate access tokens. I have
> configured the angularjs app with spring so as to support the authorization
> code grant type. (I was not able to figure out how to consume the MitreId
> openIdConnect) for implicit flow for a purely angularjs app).
>
> Currently I have three applications,Auth application ( Maven overlay of
> MitreId Connect), Spring backed Angularjs application, Resource
> application(Rest based application).
>
> 1) My scenario is to set just open id scope to the angularjs app and
> generate the token.Pass to the Resource application which has all the
> scopes to retrieve user information. Forgive me if I completely
> misunderstood the Oauth2 protocol but my understanding was since the
> Resource has all scopes, when the introspection occurs it would recover all
> user related information. Is this the wrong thought process and if so do I
> have to have the spring backed angularjs app have all the scopes.
>
> 2) Question 1 led me to this question. Having a spring backed angularjs
> app requires me to manage 3 wars which I want to eliminate. The issue is
> the configuration required to register the client application as a client(
> static client,dynamic and hybrid) , server configurations , keystores for
> encryption. I could do this with Java class but I am completely lost as to
> how to achieve this in angularjs. Any advice as to how to go about doing
> this would be greatly appreciated.I found this handy directive (
> http://andreareginato.github.io/oauth-ng/#introduction) which can be used
> but I couldn't figure out how to incorporate it the heavy configuration
> needed for the client.
>
>
> Thanks and Regards,
> Ananth Ramchandran
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20150716/ee7c51c4/attachment.htm
More information about the mitreid-connect
mailing list