Which specs cover these use cases?


Jørn Wildt

Oct 30, 2020, 5:12:13 AM
to api-...@googlegroups.com
Can anyone point me in the right direction regarding the following use cases?

We are building a classic web application for browsers with some elements of single page apps. This web app is going to use OpenID Connect to allow users to sign-in with a third party identity provider (IdP) using the authorization code flow.

The result of signing in is that the application gets a signed ID Token (JWT) from the IdP. After signing in, the application knows who the user is by their username.

Next step is that the web application (server side) needs to interact with our back-end system via its HTTP/REST API. The back-end has its own user register with user names matching those from the external IdP.

As of now, the REST API allows OAuth2 authentication with user credentials grant (username + password). But ... tada ... the new web application does, by design, not have the user's credentials.

Question (1) - how does the web application authenticate with the REST API as the current user, without knowing said user's credentials?

Question (2) - what specs cover this scenario?

Current idea for a solution: pass the ID Token to the REST API as user credentials and let the REST API do the same JWT verification as the web application does.

Second scenario: as above, but this time the web application is replaced with a native mobile application using OpenID Connect to sign in (by opening a built-in webview) and then accessing the REST API directly from the mobile client.

Kind regards, Jørn Wildt
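The idea floated in the post above (pass the ID Token straight to the REST API and let the API redo the JWT verification) written out as an added, runnable Go example; this is not code from the thread or from any of the posters. The issuer `https://idp.example`, client_id `webapp-client`, key id `k1` and the user register are placeholder assumptions, as is matching on `preferred_username`, chosen because the post says the back-end's user names mirror the IdP's. The API side pins the algorithm to RS256, looks the key up by `kid`, verifies the signature over the encoded header and payload, and only then checks `iss`, `aud` and `exp` before mapping the identity onto the local user register. The same verification serves the second scenario, where the mobile client presents the token to the API directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// Audience decodes "aud", which a JWT may carry as one string or an array.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// Claims are the ID Token fields the API checks; preferred_username is assumed (not given by the post) to be the claim matching the back-end's user register.
type Claims struct {
	Iss      string   `json:"iss"`
	Aud      Audience `json:"aud"`
	Exp      int64    `json:"exp"`
	Username string   `json:"preferred_username,omitempty"`
}

// SignRS256 stands in for the IdP so the example runs offline; a real API only ever sees the public half of this key (normally via the IdP's JWKS).
func SignRS256(c Claims, kid string, key *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// VerifyIDToken is the REST API side of the proposed solution: the same JWT validation the web app does, keyed by kid against the IdP's public keys.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var seg [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if seg[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("malformed token")
		}
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	// Pin the algorithm: trusting the token's own alg is what enables "none" and HS256-with-the-public-key confusion attacks.
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signs the still-encoded segments
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(seg[1], &c); err != nil || c.Iss != iss {
		return nil, fmt.Errorf("bad payload or unexpected issuer %q", c.Iss)
	}
	// An ID Token's aud is the client_id of the app that requested it, so the API has to be configured to accept tokens issued to that specific client.
	audOK := false
	for _, v := range c.Aud {
		audOK = audOK || v == aud
	}
	if !audOK {
		return nil, fmt.Errorf("token not issued to %q", aud)
	}
	if c.Exp <= now.Unix() {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// ResolveUser maps the verified identity onto the back-end's own user register; an unknown user is rejected rather than auto-provisioned.
func ResolveUser(c *Claims, register map[string]bool) (string, error) {
	if c.Username == "" || !register[c.Username] {
		return "", fmt.Errorf("no local user for %q", c.Username)
	}
	return c.Username, nil
}
```

Two caveats follow from the checks themselves. An ID Token's `aud` is the client_id of the web app, not of the API, so accepting it means the API explicitly trusts that one client and must refuse every other audience; the spec-defined way to turn a token addressed to one party into one for another is OAuth 2.0 Token Exchange (RFC 8693). And `SignRS256` exists only so the example can mint a token offline; a real API fetches the IdP's public keys from its JWKS endpoint and never holds a signing key.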

Venugopal Gummadala

Oct 30, 2020, 6:39:15 AM
to API Craft
Hi Jon,

If your back-end/REST system is already on the network of your classic web application, another round trip to the third-party IdP will not be required.
Your web application may create a set of (system) roles to invoke specific sets of REST APIs and pass matching user names as parameters.

Kind regards
Venugopal Gummadala

Jørn Wildt

Oct 31, 2020, 3:01:36 PM
to api-...@googlegroups.com
Thanks for your input

> Your web application may create a set of (system) roles to invoke specific sets of REST APIs and pass matching user names as parameters.

Well, all of the REST API is based on the idea of authorizing as one of the users, so we cannot start adding user names as parameters. But, right, if the web application is trusted by the REST API then we can just let the web app login as any user it likes without a password.


To view this discussion on the web visit https://groups.google.com/d/msgid/api-craft/58d8bf6f-0f15-43a6-8797-4e414d803312n%40googlegroups.com.