Requiring the ID token too to access an API endpoint


Let's take as an example an SPA accessing an API using the OIDC implicit flow.

Since OAuth scopes are coarse-grained, it is necessary to perform additional authorization on the resource servers. This can be the case, for example, when accessing dynamic resources (e.g. a filesystem) via an endpoint: access is restricted by permissions tied to a user ID, and it is not practical to use OAuth scopes because of the dynamic nature of the resources.

In these cases the endpoint can be protected by an OAuth scope, while access to the resources the endpoint operates on (e.g. files) is granted based on the user ID. Hence the user's identity must be securely sent in the API request.

An obvious choice would be to send the ID token obtained when authenticating, together with the access token obtained at the same time.

There is a standard way of sending the access token in an HTTP request (the Authorization header), but is there one for the ID token? Or should I make up a header name like 'X-Identity'?

To answer the question: there is no standard for passing an ID token in an HTTP request.

But arguably there doesn't need to be one: in this case you may not need OpenID Connect at all, since scopes are not the only information that can be associated with an OAuth 2.0 access token, as you seem to suggest.

You can "associate" a user ID with the access token, so that the resource server can grant the client access to a protected resource based on the identity of the user who granted the access token to the client.

The "association" is implementation dependent: the access token can be a JWT that contains a user ID claim, or the access token can be an opaque value that the resource server can introspect/validate at the authorization server to obtain the information associated with it.
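To make the first option from the answer concrete, here is an added example that is not part of the question or the answer: a minimal resource-server handler that gates the endpoint on an OAuth scope and then gates each individual file on the `sub` claim of a JWT access token, which is exactly the per-user authorization the question says scopes cannot express. Everything in it is an assumption for illustration: the HS256 shared secret, the issuer and audience strings, the `mint_access_token` stand-in for the authorization server, and the file-to-owner table are all constructed. A real deployment would verify the authorization server's asymmetric signature (RS256/ES256) against its published JWKS, or call the introspection endpoint for opaque tokens, instead of sharing a symmetric secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example: a shared HS256 secret between the authorization
# server and the resource server, plus the issuer/audience this API expects.
SECRET = b"constructed-shared-secret-do-not-use-in-production"
ISSUER = "https://as.example"
AUDIENCE = "files-api"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(sub, scope, now=None, ttl=300):
    """Stand-in for the authorization server: issue a JWT access token that
    carries the user's identity in `sub` next to the granted scopes."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "scope": scope,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_access_token(token, now=None):
    """Validate algorithm, signature, issuer, audience and expiry; return the claims.
    Raises ValueError on any failure (binascii and JSON errors are ValueError subclasses)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm rather than trusting the header: an attacker-supplied
    # "alg":"none" must never downgrade verification.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("missing sub")
    return claims


# Constructed "filesystem": path -> owning user ID. This is the dynamic,
# per-user data that a fixed set of scopes cannot describe.
FILES = {
    "/docs/alice/notes.txt": "alice",
    "/docs/bob/report.pdf": "bob",
}


def read_file(authorization, path, now=None):
    """Resource-server handler for something like GET /files?path=...
    The endpoint is gated by the `files:read` scope; the individual file is
    gated by comparing its owner with the token's `sub`. Returns (status, body)."""
    if not authorization.startswith("Bearer "):
        return 401, "missing_bearer_token"
    try:
        claims = verify_access_token(authorization[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, f"invalid_token: {exc}"
    if "files:read" not in claims["scope"].split():
        return 403, "insufficient_scope"
    owner = FILES.get(path)
    # Answer 404 for both "no such file" and "not your file" so a caller
    # cannot use the status code to confirm that another user's file exists.
    if owner is None or owner != claims["sub"]:
        return 404, "not_found"
    return 200, f"contents of {path}"


if __name__ == "__main__":
    token = mint_access_token("alice", "files:read")
    print(read_file(f"Bearer {token}", "/docs/alice/notes.txt"))
    print(read_file(f"Bearer {token}", "/docs/bob/report.pdf"))
```

The point to take from it is that the identity the answer talks about never travels in a second header: it is bound into the access token by the authorization server's signature, so the resource server trusts `sub` only after the signature, issuer, audience and expiry checks pass. An `X-Identity` header, or an ID token the API does not itself validate, would be a client-controlled value and therefore useless for authorization.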

