Brad Parks

Reputation: 71991

OpenID Connect - 2 way exchange of tokens in spec?

Does OpenID support a two-way exchange of tokens at any place in the spec? Specifically allowing both parties to share tokens with each other in some way so they can share services with each other?

I've looked through the spec, but can't see anything detailing any scenarios like this.

An app I'm working on has integrated itself with a trusted OpenID provider, which we'll call Acme.

We'd also like to provide access tokens and refresh tokens to Acme, as they'd like to access features of our service as well.

It seems natural that, during our interactions to get tokens from Acme, we'd like to expose tokens to them.

Is this part of the spec in any way? Or is the only way to do this to become a full identity provider ourselves?

Upvotes: 0

Views: 175

Answers (2)

Shaun the Sheep

Reputation: 22742

It sounds like you're confusing OpenID Connect and plain OAuth2 to some extent.

OpenID Connect is a specification for identifying end users to a client application, based on their authentication at the OpenID Provider. It's not clear from your question whether end users are even part of the picture, so even plain OAuth2 may not be relevant (unless you are just using the "client credentials" grant).

Neither spec says anything about mutual exchange of tokens. It would probably help if you describe the interactions you anticipate in more detail and which grants you expect to use. Who will authenticate to your identity provider and what would be a typical client application?

Upvotes: 1

Hans Z.

Reputation: 53928

You could include the tokens as part of a request object, see: http://openid.net/specs/openid-connect-core-1_0.html#RequestObject but that would depend on a pair-wise agreement with Acme since they'd need to handle the non-standardized request object contents.

The best way forward is to become a provider yourself so you can leverage all the features of the various flows without being dependent on a pair-wise agreement and accompanying implementation.

Upvotes: 1
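
The request-object approach from Hans Z.'s answer, sketched as an added example that is not part of the original answers: an HS256-signed request object carrying a token in a private claim, the provider-side check, and what a party without the key can still read. The `partner_tokens` claim name is hypothetical (it is the non-standardized part both sides would have to agree on), and the client id, URLs, secret and token are constructed values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def build_request_object(claims: dict, client_secret: bytes) -> str:
    """Client side: serialize the claims as a compact JWS signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(_mac(signing_input, client_secret))

def verify_request_object(jwt: str, client_secret: bytes) -> dict:
    """Provider side: pin the algorithm, check the MAC, then return the claims."""
    signing_input, _, sig = jwt.rpartition(".")
    header_b64, payload_b64 = signing_input.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(signing_input, client_secret), b64url_decode(sig)):
        raise ValueError("bad request object signature")
    return json.loads(b64url_decode(payload_b64))

def read_without_key(jwt: str) -> dict:
    """Anyone who sees the request parameter can decode the payload; no key needed."""
    return json.loads(b64url_decode(jwt.split(".")[1]))

# Constructed sample values (assumptions, not from the question or answers).
CLIENT_SECRET = b"constructed-demo-secret"
CLAIMS = {
    "iss": "our-client-id",           # the client is the issuer of a request object
    "aud": "https://acme.example",    # the provider (Acme) is the audience
    "response_type": "code",
    "client_id": "our-client-id",
    "redirect_uri": "https://app.example/cb",
    "scope": "openid",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
    # Hypothetical private claim: only meaningful under a pair-wise agreement.
    "partner_tokens": {"access_token": "constructed-access-token"},
}
REQUEST_OBJECT = build_request_object(CLAIMS, CLIENT_SECRET)
```

The signature only protects integrity: `read_without_key` recovers the embedded token from the same string that travels in the authorization request. A request object used this way would need to be encrypted as well as signed, which OpenID Connect Core allows.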
