OpenID Connect - Implicit flow with a JavaScript application using a JWT for authentication against a REST API

I am developing a JavaScript app + REST API.

I want users to authenticate using the application (and the basic REST API) through the OpenID Connect provider for single sign-on.

Using an implicit flow, I can get an ID token (JWT) identifying the user in my JavaScript application. I was hoping that then I could send this JWT in the Authorize header in requests to my REST API for user authentication. However, the problem with this approach is that the “aud” JWT field will not be for the REST API server, it will be for the JavaScript application.

Does this mean that the implicit flow is not suitable for my use case, or am I missing something?

+4
1 answer

An implicit flow is intended for untrusted clients (e.g. JavaScript) to obtain identities as well as (optionally) access tokens.

With OpenID Connect, your authentication request must contain id_token in the response_type parameter, but it can also include a token in this parameter. See 3.2.2.1 in the specification ( http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest )

e.g.

GET /authorize?
response_type=id_token%20token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj HTTP/1.1
Host: server.example.com

id_token means that you will return the identification token you mentioned. The token means that it will also return the access token that will be used to access your REST API.

+8
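As an added example (not from the original post or the answer), here is the client-side half of the flow the answer describes: a JavaScript app receives the fragment from the provider's redirect, checks state, nonce, aud and expiry on the id_token, and then sends the separate access token to the REST API. The fragment, client_id, subject and JWT are constructed sample values; signature verification is omitted and is assumed to be done against the provider's JWKS.

```javascript
// Added example (not from the original post): the client side of the implicit
// flow with response_type=id_token token. The fragment and JWT below are
// CONSTRUCTED samples with placeholder values; the JWT signature is NOT
// verified here, and a real client must check it against the provider's JWKS
// before trusting any claim.
const CLIENT_ID = "s6BhdRkqt3"; // client_id from the answer's example request

// Decode a JWT payload without checking the signature (see note above).
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Parse the redirect fragment "#access_token=...&id_token=...&state=..." and
// apply the checks the implicit flow puts on the client: state equals what we
// sent, the id_token's nonce equals what we sent, aud names our client_id,
// and the token has not expired.
function parseImplicitCallback(hash, expectedState, expectedNonce, now = Date.now() / 1000) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  const idToken = params.get("id_token");
  const accessToken = params.get("access_token");
  if (!idToken || !accessToken) throw new Error("missing id_token or access_token");
  const claims = decodeJwtPayload(idToken);
  if (claims.nonce !== expectedNonce) throw new Error("nonce mismatch");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(CLIENT_ID)) throw new Error("id_token not issued for this client");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("id_token expired");
  return { subject: claims.sub, idToken, accessToken };
}

// The access token, not the id_token, is what the REST API call carries.
function apiAuthHeader(accessToken) {
  return { Authorization: `Bearer ${accessToken}` };
}

// Constructed stand-in for the provider's redirect back to the client.
function sampleFragment(state, nonce) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const payload = { iss: "https://server.example.com", sub: "248289761001",
    aud: CLIENT_ID, nonce, exp: 4102444800 };
  const idToken = `${b64({ alg: "RS256" })}.${b64(payload)}.placeholder-signature`;
  return `#access_token=SlAV32hkKG&token_type=bearer&id_token=${idToken}&state=${state}`;
}

// Usage: state and nonce would be random values generated before the redirect.
const tokens = parseImplicitCallback(sampleFragment("af0ifjsldkj", "n-0S6_WzA2Mj"), "af0ifjsldkj", "n-0S6_WzA2Mj");
console.log(apiAuthHeader(tokens.accessToken)); // { Authorization: 'Bearer SlAV32hkKG' }
```

The REST API side then validates the access token it receives (its own audience, issuer, signature and expiry) rather than the id_token, which is what resolves the aud concern in the question.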
