OpenID Connect Federation and OAuth metadata types
While the OpenId Connect Federation specification is mainly focused on OpenID Connect federations :) it allows defining of new metadata types. The OAuth Authorization server and OAuth-protected resource metadata types will be good examples. Two things I don’t really understand are
- how would an OAuth-protected resource in organization A know how to validate Bearer ATs issued by an AS in organization B of the same federation
- now even if we deal with self-contained ATs which include all required information about the issuer (its federation entity id) why would an OAuth-protected resource in organization A ever rely on/trust scopes provided in ATs. OAuth authorization servers in organization A have their own policies on granting/providing scopes and permissions.
Please tell me what I miss.
Comments (7)
-
-
The spec already defines the metadata types
oauth_authorization_server
,oauth_client
, andoauth_resource
. -
@Andrii Deinega
1. the Bearer AT should be JWT to have the relevant metadata (and the issuer)
2. In our implementations we used token exchange to let AS to issue its own tokens with its policiesSee this https://docs.google.com/document/d/11KQPEs7sln7DbxLN7r7q3j2PymBSrYNlx5o-W3xHQsw/edit#
AS and RS metadata are here: https://spid-cie-oidc-docs.vercel.app/metadata_aa.html -
reporter I see, thank you. In https://www.spid.gov.it/en/, what I described above is just never the case. You are using a token exchange flow + self-contained ATs. Otherwise, it just doesn’t add up to me.
-
Hi @Andrii, please let us know what’s your requirement and what are you looking for in the specs for your need, please consider that you can even adopt a token introspection endpoint to do third parties validations
-
reporter @Giuseppe De Marco , I wanted to get a better understanding of how an AS and an RS could potentially work together assuming they belong to different organizations (or in other words, they aren’t aware of each other).
I think I got all the answers thanks to the responses from you and David.
-
- changed status to resolved
- Log in to comment
In my opinion each AS and RS that work together need to be aware of each other. This means that a RS that receives an access token from an AS that it does not know about (in the same or other organisation, it does not really matter) will not accept the access token. One way to achieve this using JWTs is for the RS to know which JWT issuers/signers to trust, and the AS to put into the aud claim which RS (or RSs) this access token is good for. With introspection the RS will ask its AS to validate the access token and if the AS does not recognise the RS it will refuse.