Is this the correct use of OpenID Connect for this use case?
I am trying to figure out how to use OpenId Connect in the following use case. Let's say we only have three components:
- Open API web application (service provider aka SP).
- A separate authentication server (Identify Provider aka IDP) used for SSO with the above SP.
- A native client application used by the end user. This client application uses the SP API.
All traffic will exceed HTTPS. This is how I see how OpenID Connect works:
- The native application will request a "token" from the SP.
- The SP will see that the user is not authenticated and asks for confirmation from the trusted IDP.
- After the user credentials are provided to the IDP, the IDP will return the ID token and SP access token.
- The SP will validate the token ID and provide the access token to the native client application to use for all subsequent API requests.
Is this the recommended way to use OpenID Connect in this situation? Any obvious security concerns? The only thing I can see is that a native client application can use an access token to access the user information endpoint in the IDP.
source to share
Regarding points 1 - 4:
-
Tokens requested from IDP, not SP. (usually IDP is hosted on a separate subdomain). I like the term STS (Security Token Service) rather than IDP, which easily describes the role of the OIDC server: the software that issues tokens.
-
I prefer to say: every request from a native application to an SP that is secure (not anonymous) needs to be verified by STS / IDP. think of IDP as a firewall between protected resources / API / SP and native-app / RP / client.
-
IDP's answer depends on which stream is being used (code, implicit, hybrid, resource owner, customer account). This gist can help you quickly understand flows: OIDC and OAuth2 Flow
-
A token identifier designed and intended for use by the client / RP / native application.
I think the described use case is very common to handle OpenIDConnect + OAuth2. about endpoint access to user information, it totally depends on IDP configuration and RP / Client / NativeApp configuration.
Example: I am using IdentityServer3 as IDP / STS (its officially certified OpenID Connect provider): in IdentityServer3 I can disable any endpoint via config and restrict RP scopes.
To summarize: I think the use case is recommended at your convenience. I noticed that the only problem was a slight misconception. but the most important thing is not to choose the wrong flow or abuse the standards through misconfiguration.
hope this is helpful.
source to share