Reputation: 397
I have a question about OIDC delegation I would like some help with, would be grateful for any input on this.
I have an OIDC OP and would like to authenticate RPs against other OIDC OPs -- so there would be OIDC requests coming to my OP that I would like to delegate to other remote OPs. My OP would receive a token where the "iss" would be the remote OP and the "aud" would be an OIDC client I have created on my OP. I would then generate another token in my OP that I would issue to the RP where the "iss" is my OP and the "aud" is the RP's clientID.
I have the node-oidc-provider that I am working with as my OP and was wondering how I can go about setting that up -- I was thinking along the lines of creating a client with the client_credentials grant type but I'm not sure that's correct?
Upvotes: 1
Views: 754
Reputation: 316
Generally if you are chaining OIDC between different IdPs then you would not use Client Credentials. Client Credentials is reserved for when you are authenticating the Client, not the user.
In your situation, I'm going to assume that you are looking to have the second OP authenticate your user. So you have this situation:
User -> Your App (RP) -> Your Authorization Server (OP) -> Other Authorization Server (OP2) -> OP -> RP
For RP -> OP you will use whichever flow makes sense. If your RP is a webapp and you don't also have a Resource Server (API) involved, then you probably just want to use response_type=id_token and pass the ID token back to your app with response_mode=form_post. If you need an access token as well, then you probably want to use auth code with PKCE.
When OP -> OP2, you will likely just need to use response_type=id_token and response_mode=form_post because your OP only needs an ID token to validate that the user is authenticated and get whatever user info you need (and maybe other claims too for roles, etc). You can also use auth code here (PKCE is always recommended now), but it isn't necessary since you can just validate the ID token signature and nonce. Then OP just redirects to OP2's authorization endpoint with a redirect URI of a callback on the OP. Once you validate the ID token you can redirect the user to the RP's callback and you're done :).
Upvotes: 1