
I am developing a JavaScript app + REST API.

I want users to authenticate with the app (and underlying REST API) via an OpenID Connect Provider for SSO purposes.

Using the Implicit flow I can get an ID token (JWT) identifying the user to my JavaScript app. I was hoping that I could then send this JWT in the Authorize header in requests to my REST API to authenticate the user. However, the problem with this approach is that the 'aud' field of the JWT won't be for the REST API server, it would be for the JavaScript app.

Does this mean Implicit flow is not suitable for my use case, or am I missing something?

1 Answer

Implicit Flow is designed for untrusted clients (such as JavaScript) to obtain identity and also (optionally) access tokens.

With OpenID Connect your authentication request must contain id_token in the response_type parameter, but it can also include token in the parameter too. See 3.2.2.1 in the spec (http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest)

e.g.

GET /authorize?
response_type=id_token%20token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj HTTP/1.1
Host: server.example.com

id_token means that you will get back the ID token which you have mentioned. The token means that it will also return you an access token, which is what you would use for accessing your REST API.


8 Comments

Thanks Alex, that makes sense.. however the point where I am confused is using the access token for my REST API. Say I am using Google as an OIDC provider, this will provide me an access token for accessing Google APIs but not my REST API... unless there is some way my REST API can validate an access token returned by Google..?
It's taken me a while but I think I have it figured out now! The confusion was that I am actually trying to achieve two things (somewhat beyond the scope of my original question): 1. Identity federation - my JavaScript app/REST API is just one component of a wider system that needs to work with a central identity provider. 2. Delegated access - other parties need to be able to access the REST API on the user's behalf.
So my options are A) Have an Authorization server that both acts as an identity provider and issues access tokens that can be used with my REST API (requires the REST API to be able to validate said tokens by some means, which is beyond the OAuth2 spec), or B) Have my REST API act as both an Authorization and Resource server with its own tokens, that happens to use an external OIDC identity provider to authenticate users. (Excuse my rambling - this is a brain dump of what I have finally concluded after weeks of investigation, hopefully it's helpful to someone else)
If you are in the dotnet world, have you looked at the thinktecture IdentityServer3? It is open source and has good examples of requesting API access tokens as well as id_token, and using scopes to protect the API resources. It might be worth a look.
I'm in Java land :) but will still check it out to see what I can learn from an architectural point of view