I'm trying to understand how to use OpenID Connect in the following use case. Let's say we just have the following 3 components:
All traffic would be over HTTPS. Here's how I envision the OpenID Connect process working:
Is this the recommended way to use OpenID Connect in this situation? Any obvious security concerns? The only one I see is that the native client app could use the Access token to access the User Info endpoint at the IDP.
Regarding points 1 - 4:
Tokens are requested from the IDP, not the SP (usually the IDP gets hosted on a separate subdomain). I like the STS term (Security Token Service) rather than IDP, which easily describes the role of an OIDC server: software that issues tokens.
I prefer to say: every request from the native app to the SP that's protected (not anonymous) must be verified by the STS/IDP. Think of the IDP as a firewall between protected resources/API/SP and native app/RP/client.
The IDP response depends on which flow is being used (code, implicit, hybrid, resource owner, client credentials). This gist might help understand the flows quickly: OIDC and OAuth2 Flows
The ID token is designed and meant to be used by the client/RP/native app.
I think the described use case is very commonly handled by OpenID Connect + OAuth2. About accessing the user info endpoint, it totally depends on your IDP configuration and RP/client/native app configuration.
Example: I use IdentityServer3 as IDP/STS (it's an officially certified OpenID Connect Provider): in IdentityServer3 I can disable any endpoint through configuration and restrict RP scopes.
To sum up: I think the use case is recommended, as you concluded. The only problem was the little misconceptions I highlighted above, but most important is not to choose the wrong flow or abuse the standards through misconfiguration.
Hope it's useful.
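The following is an added example, not code from the question or the answer above, showing the two points the answer makes: the SP must verify every protected request itself, and the ID token is addressed to the client, not to the SP, so presenting it as a bearer token to the API should be refused. The issuer, audience and subject values are constructed, and the tokens are signed with HS256 and a shared secret so the example runs on the standard library alone; a real STS such as an OpenID Connect provider publishes asymmetric signing keys through its discovery document and JWKS, and the SP would fetch those instead of holding a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample values (assumptions for this example, not from the post)
ISSUER = "https://sts.example.com"     # the STS/IDP, on its own subdomain
API_AUDIENCE = "orders-api"             # the SP / protected resource
CLIENT_ID = "native-app"                # the RP / native client
SECRET = b"constructed-demo-secret"     # HS256 stand-in for the IDP's real signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for the STS/IDP token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_bearer_token(token: str, expected_aud: str, issuer: str = ISSUER,
                        key: bytes = SECRET, now: Optional[float] = None) -> Tuple[bool, str]:
    """The checks the SP runs before honoring a protected request.

    Order matters: reject unexpected algorithms before touching the signature,
    verify the signature before trusting any claim, then check iss / aud / exp.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":   # allowlist; never let the token pick the algorithm
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:   # an ID token carries aud=client_id, so it fails here
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, "ok"


def demo(now: float = 1_700_000_000) -> dict:
    """Mint constructed tokens and show how the SP treats each of them."""
    access_token = mint_token({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-42",
                               "scope": "orders.read", "exp": now + 600})
    id_token = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                           "nonce": "n-1", "exp": now + 600})
    expired = mint_token({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-42",
                          "exp": now - 1})
    # Tampering: edit the scope claim but keep the original signature
    head, body, sig = access_token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["scope"] = "orders.admin"
    tampered = f"{head}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
    return {
        "access_token": verify_bearer_token(access_token, API_AUDIENCE, now=now),
        "id_token_as_bearer": verify_bearer_token(id_token, API_AUDIENCE, now=now),
        "expired": verify_bearer_token(expired, API_AUDIENCE, now=now),
        "tampered": verify_bearer_token(tampered, API_AUDIENCE, now=now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audience check is what separates the two token types: the ID token answers "who signed in?" for the client, while the access token is what the SP should accept, and the SP learns nothing from an ID token's `aud` except that it was not meant for it. In a deployment the SP would also restrict which scopes each RP can obtain, as the answer notes for IdentityServer3, and would check `scope` or similar claims against the operation being requested.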