Hi All,

I hope this question is better suited for this list. I will have no problems redirecting it to the openid-connect list instead.

Consider a user working with the client web application (OIDC RP) which authenticates the user with the OIDC authorization code flow, at the end of which the client gets AccessToken + IdToken. Next the user requests something from the client which needs to access the RS to complete this request.

The idea is to have the client pass the IdToken to the RS and use various user claims inside this IdToken to enforce the access control at the RS level. My position is that it is likely wrong, but I guess I may be missing something that will be either in favor of or against it.

The reason I think it is wrong is that if the client is using a code flow then the right approach for staying within the OAuth2 'world' is to use the access token to talk to the RS and use the IdToken only for the purpose of interacting with the user. The access token represents a proper user authorization and can have extra scopes in addition to "oidc" which the RS can depend upon in its access control restrictions.

Next I'm arguing that if the IdToken is used instead then it is a case of the client impersonating the user, and I refer to the STS for the REST of Us draft (I have a separate series of questions on that draft). I'm saying the impersonation can work, but ignoring the access tokens completely will make the overall solution much less flexible.

I'd like to ask for some advice/guidance:

- Is it a good idea at all for the client to use the IdToken instead of the AccessToken as explored above? I suppose it can work: in the code flow the client gets the access token which, by default, only allows access to UserInfo. Perhaps the client using the IdToken to impersonate the user for the purpose of accessing the RS is not too bad after all.

- Assuming the impersonation is OK, what are the right criteria for the client to choose to work with the IdToken instead of the access token when accessing the immediate RS? It seems like if the impersonation is OK for the client to do then why have access tokens at all...

- Assuming the impersonation is OK, does STS for the REST of Us show the right and the only way it needs to be done? I can imagine how it will work for the web app clients, but what about Implicit Clients?

Many thanks, Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
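Added illustration (not part of Sergey's message or of any draft he cites) of the RS-side distinction behind the question: a resource server that checks audience and scope rejects an ID Token, whose `aud` is the RP's client_id, and accepts an access token minted for the RS. The HS256 key, issuer, client_id, RS audience and claim values are constructed demo values; a real RS would verify against the authorization server's published keys.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values: shared HS256 key, the RP's client_id and the RS audience.
KEY = b"demo-shared-secret"
CLIENT_ID = "web-rp"
RS_AUDIENCE = "https://rs.example/api"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, typ: str) -> str:
    # Minimal HS256 JWT signer (demo only; a real RS validates with the AS's keys).
    parts = [b64url(json.dumps({"alg": "HS256", "typ": typ}).encode()), b64url(json.dumps(claims).encode())]
    signing_input = ".".join(parts)
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str) -> dict:
    # Check the signature and return the claims; raise on tampering.
    h, p, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def make_id_token() -> str:
    # ID Token: audience is the RP's client_id, no scope claim (OIDC Core semantics).
    now = int(time.time())
    return sign_jwt({"iss": "https://as.example", "sub": "alice", "aud": CLIENT_ID,
                     "iat": now, "exp": now + 300}, "JWT")

def make_access_token() -> str:
    # Access token issued for the RS: aud names the RS, scope carries the granted rights
    # ("at+jwt" is the JWT access token type from RFC 9068).
    now = int(time.time())
    return sign_jwt({"iss": "https://as.example", "sub": "alice", "aud": RS_AUDIENCE,
                     "scope": "openid files:read", "iat": now, "exp": now + 300}, "at+jwt")

def rs_authorize(token: str, required_scope: str) -> str:
    # RS-side decision: signature, then audience, expiry and scope.
    claims = verify_jwt(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if RS_AUDIENCE not in aud:
        return "deny: audience"   # an ID Token lands here: its aud is the client_id
    if claims.get("exp", 0) <= time.time():
        return "deny: expired"
    if required_scope not in claims.get("scope", "").split():
        return "deny: scope"
    return "allow"
```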