Skip to main content
Software Engineering

Return to Question

Tweeted twitter.com/StackSoftEng/status/1473307277759291393
edited body
Source Link
Sjoerd222888
Sjoerd222888
  • 689
  • 5
  • 19
A                       C                       B
[client]                [identity provider]     [resource server]
|                       |                       |
|----- OAuth2 flow ---->|                       |
|<---- id-token --------|                       |
|                       |                       |
|--- get access-token ->|                       |
|<-- access-Token ------|                       |
|                       |                       |
|                       |                       |
|----- API-request/Bearer access-token--------->|
|                       |                       |
|                       | (token-introspection) |
|                       |<--- access-token -----|
|                       |----- user-info response ------>|
|                       |    (incl. scopesaudience)     |
|                       |                       |
|<---- response-data ---------------------------|

A                       C                       B
[client]                [identity provider]     [resource server]
|                       |                       |
|----- OAuth2 flow ---->|                       |
|<---- id-token --------|                       |
|                       |                       |
|--- get access-token ->|                       |
|<-- access-Token ------|                       |
|                       |                       |
|                       |                       |
|----- API-request/Bearer access-token--------->|
|                       |                       |
|                       | (token-introspection) |
|                       |<--- access-token -----|
|                       |----- user-info ------>|
|                       |    (incl. scopes)     |
|                       |                       |
|<---- response-data ---------------------------|

A                       C                       B
[client]                [identity provider]     [resource server]
|                       |                       |
|----- OAuth2 flow ---->|                       |
|<---- id-token --------|                       |
|                       |                       |
|--- get access-token ->|                       |
|<-- access-Token ------|                       |
|                       |                       |
|                       |                       |
|----- API-request/Bearer access-token--------->|
|                       |                       |
|                       | (token-introspection) |
|                       |<--- access-token -----|
|                       |------ response ------>|
|                       |   (incl. audience)    |
|                       |                       |
|<---- response-data ---------------------------|
added 144 characters in body
Source Link
Sjoerd222888
Sjoerd222888
  • 689
  • 5
  • 19

Examples for Option 3:

Examples for Option 3:

added 108 characters in body
Source Link
Sjoerd222888
Sjoerd222888
  • 689
  • 5
  • 19

Client A will after an OAuth2 flow send the id-token to resource-server B which has to verify the validity of the id-token and in case it is valid will issue an access-token in exchange. Again the audience of the id-token must be verified such that the access-token created really meant for client A. The audience claim would limit the scope and would limit the possibilities client A has. Now the actual scope could be encoded in a based access-token for example. The question here is whether this is actually a valid possibility for OAuth2 and whether it could be considered in line with RFC8693 (Token Exchange). A potential benefit of this approach would be to have simplify the case when supporting multiple identity providers simultaneously. Also the resource server B would be able to handle request independent once an access token has been provided.

Client A will after an OAuth2 flow send the id-token to resource-server B which has to verify the validity of the id-token and in case it is valid will issue an access-token in exchange. Again the audience of the id-token must be verified such that the access-token created really meant for client A. The audience claim would limit the scope and would limit the possibilities client A has. Now the actual scope could be encoded in a based access-token for example. The question here is whether this is actually a valid possibility for OAuth2 and whether it could be considered in line with RFC8693 (Token Exchange). A potential benefit of

Client A will after an OAuth2 flow send the id-token to resource-server B which has to verify the validity of the id-token and in case it is valid will issue an access-token in exchange. Again the audience of the id-token must be verified such that the access-token created really meant for client A. The audience claim would limit the scope and would limit the possibilities client A has. Now the actual scope could be encoded in a based access-token for example. The question here is whether this is actually a valid possibility for OAuth2 and whether it could be considered in line with RFC8693 (Token Exchange). A potential benefit of this approach would be to have simplify the case when supporting multiple identity providers simultaneously. Also the resource server B would be able to handle request independent once an access token has been provided.

fix errors
Source Link
Sjoerd222888
Sjoerd222888
  • 689
  • 5
  • 19
Source Link
Sjoerd222888
Sjoerd222888
  • 689
  • 5
  • 19