Trust Based Identity Sharing For Token Grants

07/29/2018
by Kavindu Dodanduwa, et al.

Authentication and authorization are two key elements of a software application. Today, the OAuth 2.0 framework and the OpenID Connect protocol are widely adopted standards that fulfil these requirements. The protocols are implemented in authorization servers. These authorization servers are commonly called identity servers or identity providers, since they hold user identity information. Applications registered with an identity provider can use OpenID Connect to retrieve an ID token for authentication. The access token obtained along with the ID token allows the application to consume OAuth 2.0 protected resources. In this approach, the client application is bound to a single identity provider. If the application needs to consume a protected resource from a different domain, which only accepts tokens of a defined identity provider, then the client must again follow the OpenID Connect protocol to obtain new tokens. This requires user identity details to be stored in the second identity provider as well. This paper proposes an extension to the OpenID Connect protocol to overcome this issue. It proposes a client-centric mechanism to exchange identity information as token grants against a trusted identity provider. Once the grant is accepted, the resulting token response contains an access token, which is good enough to access protected resources
