userx01233433

Reputation: 376

In OAuth 2.0, can the Authentication server use an IdP that is on a different domain to authenticate the Resource Owner?

What is the flow in such a case? Assuming that I am using the Authorization Code Flow for OAuth, how can the Authorization server know if the Resource Owner is authenticated?

Upvotes: 1

Views: 885

Answers (1)

Gary Archer

Reputation: 29218

The flow is like this:

The client app redirects the browser to the Authorization Server (AS) at a URL such as https://login.mycompanycloud.com, using standard OpenID Connect; this is easily done by plugging in a library.

The AS generally supports multiple authentication methods:

  • The client app is configured to use one or more
  • The AS can present a selection screen
  • Or the client app can send an acr_values query parameter to select one at runtime

The AS then redirects the browser to an 'authenticator', which can be an Identity Provider (IDP) in a different domain, e.g. https://login.mycompanyintranet.com.

All domains used need to be contactable from the user's browser, and the IDP needs to be able to send tokens to the AS. Due to the trust configuration, the AS can digitally verify those tokens and treat the user as authenticated for the time period of the grant.

For an illustrated example, see my Federated Logins blog post.

Upvotes: 3
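The brokered flow described in the answer above, as an added, self-contained illustration that is not part of the original answer or of any library. It walks the four hops: the client starts a standard code flow at the AS with an `acr_values` hint, the AS looks the value up in its trust configuration and redirects to the matching upstream IdP, the IdP issues a signed ID token, and the AS verifies issuer, audience, signature and validity window before treating the user as authenticated and minting its own authorization code. Every hostname, client id, the `corp-idp` acr value and the shared secret are constructed; the token is an HS256 JWT built with the standard library only so the example runs offline (a real AS would verify RS256/ES256 signatures against the IdP's published JWKS).

```python
"""Simulated federated login: AS brokers authentication to an external IdP.

Added example; hosts, ids, secrets and the 'corp-idp' acr value are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Trust configuration held by the AS for each upstream authenticator (constructed).
TRUSTED_IDPS = {
    "corp-idp": {                                   # value a client may send in acr_values
        "issuer": "https://login.mycompanyintranet.com",
        "authorize_url": "https://login.mycompanyintranet.com/authorize",
        "client_id": "as-broker",                   # the AS's own client id at the IdP
        "secret": b"constructed-shared-secret",     # HS256 key stands in for the IdP's JWKS
    }
}
AS_AUTHORIZE = "https://login.mycompanycloud.com/authorize"
AS_FED_CALLBACK = "https://login.mycompanycloud.com/federation/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Hop 1: the client app redirects the browser to the AS using plain OIDC.
def client_authorize_request(acr: str) -> str:
    params = {
        "response_type": "code",
        "client_id": "spa-client",
        "redirect_uri": "https://app.example/callback",
        "scope": "openid profile",
        "state": secrets.token_urlsafe(16),
        "acr_values": acr,                          # select the authenticator at runtime
    }
    return AS_AUTHORIZE + "?" + urlencode(params)


# Hop 2: the AS picks an authenticator it trusts and redirects to that IdP's domain.
def as_redirect_to_idp(request_url: str) -> str:
    query = parse_qs(urlparse(request_url).query)
    acr = query.get("acr_values", [""])[0]
    idp = TRUSTED_IDPS.get(acr)
    if idp is None:
        raise ValueError("unknown or untrusted acr_values: %r" % acr)
    params = {
        "response_type": "id_token",
        "client_id": idp["client_id"],
        "redirect_uri": AS_FED_CALLBACK,            # token comes back to the AS, not the app
        "scope": "openid",
        "nonce": secrets.token_urlsafe(16),
    }
    return idp["authorize_url"] + "?" + urlencode(params)


# Hop 3: the IdP authenticates the user and returns a signed ID token to the AS.
def idp_issue_id_token(acr: str, subject: str, now: int, secret: bytes = None) -> str:
    idp = TRUSTED_IDPS[acr]
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": idp["issuer"], "aud": idp["client_id"], "sub": subject,
              "iat": now, "exp": now + 300}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret or idp["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# Hop 4: the AS verifies the token against its trust configuration before accepting the user.
def as_verify_federated_token(acr: str, token: str, now: int) -> dict:
    idp = TRUSTED_IDPS[acr]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # never let the token choose the algorithm
    expected = hmac.new(idp["secret"], (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != idp["issuer"]:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != idp["client_id"]:
        raise ValueError("token not issued to this AS")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return claims


# The AS now treats the user as authenticated and continues its own code flow.
def as_issue_code(acr: str, token: str, now: int) -> dict:
    claims = as_verify_federated_token(acr, token, now)
    return {"code": secrets.token_urlsafe(24), "sub": claims["sub"], "acr": acr}


if __name__ == "__main__":
    now = int(time.time())
    print(as_redirect_to_idp(client_authorize_request("corp-idp")))
    print(as_issue_code("corp-idp", idp_issue_id_token("corp-idp", "alice", now), now))
```

The check that matters is hop 4: the AS only trusts what its configuration says it should (issuer, audience, key, lifetime), so an ID token from an unconfigured issuer, one signed with another key, or one that has expired is rejected even though it reached the AS callback in the browser.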