
OpenID Connect - Implicit Flow with Javascript app using JWT to authenticate with a REST API

I am developing a Javascript app + REST API.

I want users to authenticate with the app (and underlying REST API) via an OpenID Connect Provider for SSO purposes.

Using the Implicit flow I can get an ID token (JWT) identifying the user to my javascript app. I was hoping that I could then send this JWT in the Authorize header in requests to my REST API to authenticate the user. However, the problem with this approach is that the 'aud' field of the JWT won't be for the REST API server, it would be for the javascript app.

Does this mean Implicit flow is not suitable for my use case, or am I missing something?

James asked Feb 11 '23 18:02


1 Answer

Implicit Flow is designed for untrusted clients (such as JavaScript) to obtain identity and also (optionally) access tokens.

With OpenID Connect your authentication request must contain id_token in the response_type parameter, but it can also include token in the parameter too. See 3.2.2.1 in the spec (http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest).

e.g.

GET /authorize?
response_type=id_token%20token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj HTTP/1.1
Host: server.example.com

id_token means that you will get back the ID token which you have mentioned. The token means that it will also return you an access token, which is what you would use for accessing your REST API.

Alex White answered May 10 '23 08:05
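Putting the answer above into practice, as an added example (not code from the question or the answer): the client sends response_type=id_token token, then on the redirect checks state, nonce and aud before handing the access token to the REST API. The authorization endpoint URL and the sample ID token used in testing are assumed or constructed; the other values are the ones from the answer's sample request.

```javascript
// Added example (not the answer's code): an Implicit Flow request for "id_token token"
// and the client-side checks on the redirect. Values from the answer's sample request are
// reused; the endpoint URL and any sample token are constructed for illustration.

// Build the authorization URL. response_type=id_token token asks for both tokens.
function buildAuthorizeUrl(authorizeEndpoint, { clientId, redirectUri, scope, state, nonce }) {
  const params = new URLSearchParams({
    response_type: 'id_token token',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scope,
    state: state,
    nonce: nonce,
  });
  return `${authorizeEndpoint}?${params.toString()}`;
}

// Implicit Flow returns tokens in the URL fragment (after '#'), not the query string.
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, '')));
}

// Decode a JWT payload without verifying the signature. Signature verification against
// the provider's JWKS must still be done (e.g. with a JOSE library) before claims are trusted.
function decodeJwtPayload(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const text = typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('binary');
  return JSON.parse(text);
}

// Accept the redirect only if state matches what we sent, and the ID token was issued
// for this client (aud) in response to this request (nonce). Returns both tokens:
// the ID token identifies the user to the app; the access token goes to the REST API.
function handleCallback(hash, expected) {
  const p = parseFragment(hash);
  if (p.error) throw new Error(`provider returned error: ${p.error}`);
  if (p.state !== expected.state) throw new Error('state mismatch (possible CSRF)');
  if (!p.id_token || !p.access_token) throw new Error('missing id_token or access_token');
  const claims = decodeJwtPayload(p.id_token);
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch (possible replay)');
  const aud = [].concat(claims.aud); // aud may be a string or an array of strings
  if (!aud.includes(expected.clientId)) throw new Error('id_token not issued for this client');
  return { idToken: p.id_token, accessToken: p.access_token, claims };
}
```

The access token returned by handleCallback is the one to send to the REST API; the ID token stays with the app, which is exactly the split the answer describes.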