Open ID Connect: Pass token to a service


Fred

Jul 27, 2012, 12:23:42 PM
to dotnet...@googlegroups.com

Hi,

In the last few days, I dealt with the OpenID Connect Basic spec and Google's implementation of OAuth 2, which contains some extensions that go hand in hand with OpenID Connect to authenticate users.

So let's say my client got an access_token from Google using OAuth 2 and OpenID Connect, and let's also assume I have validated this token regarding things like audience and issuer.

Would it be a good idea to pass this token to a REST service to show that the client is acting on behalf of the authenticated user?

If yes, the server would have to check whether the audience is a trusted client and so on, wouldn't it?

If this isn't a good idea, how do I show the service that the client acts on behalf of this user?

One possibility would be to write an auth server that exchanges this token for another one, which can be used to access the service.

What do you think about this solution? Are there other/better solutions for this?

Thanks for your help.


Wishes,

Manfrd

Andrew Arnott

Jul 28, 2012, 9:52:11 AM
to dotnet...@googlegroups.com
Hi Fred,

It sounds like you want both authentication and authorization. I believe it would be inappropriate to send your OpenID Connect token to another service since that's used for authentication.  But as part of that same flow I believe you should be able to acquire authorization to access that user's data on closely related services.

If you're talking about authenticating a Google user, but then accessing that user's data on some 3rd party service, Google likely won't issue an access token for the 3rd party, so I see the problem. In that case I believe the correct path is for your client to obtain authorization from your 3rd party service rather than (or in addition to) Google.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


