[mitreid-connect] FW: Open ID Connect

Anganes, Amanda L aanganes at mitre.org
Wed Apr 6 12:55:08 EDT 2016


Hi Fahmi,

I no longer work with OpenID Connect, so unfortunately I cannot answer your questions. I’d suggest that you visit https://kit.mit.edu/projects/mitreid-connect and send this email to mitreid-connect at mit.edu as that group maintains this codebase now.

Best regards,

—Amanda

------------------------
Amanda Anganes | 781-271-3103 | aanganes at mitre.org
The MITRE Corporation | K83C: Collaboration & Social Computing

From: Bedoui Fahmi <bedoui at trusttic.com>
Date: Wednesday, April 6, 2016 at 12:40 PM
To: Amanda Anganes <aanganes at mitre.org>
Subject: Open ID Connect


Hello,

We have questions about some theoretical issues on OpenID Connect to make sure we use the mechanism correctly. Thank you very much for answering our questions.

We have defined our:

  * Resource owner (STATELESS backend server),
  * Authorization server using Connect2id with the mode "Resource Owner Password Credentials"
  * Client app (AngularJS client)

1/ The client receives two JWT tokens: an access token (having the user subject and the list of scopes) and an ID Token. So we must use the access token to communicate with the Resource owner (as it contains the list of scopes), and on the server side we limited resource access according to these scopes.
And the ID Token is useful only on the client side (as it contains a set of claims to identify the user), never sent to the server.

Is this true? Or can the ID Token contain scopes and be used as the bearer token instead of the access token?

2/ For the client part which will have the ID Token, is the validation supposed to be made only when getting the token, or with every service call to the server (then we need to save it in the local storage)? And do you recommend a good JavaScript lib to do that job?

3/ In the OAuth2 specification, there are 4 grant types (authorization code, implicit, resource owner password credentials, client credentials), but in OpenID Connect we found a new vision: 3 grant types, authorization code, implicit and hybrid.

What about using the mode "resource owner password credentials" with an OP (OpenID Provider like c2id)? Is this prohibited?


--
Regards,

Fahmi BEDOUI
Research & Development
TrustTIC

