Using openid-connect to authenticate SPA and REST API

I have an API server (resource server) and multiple applications: a web GUI (SPA), a desktop client and maybe more. I would like to use OpenID Connect for HTTP authentication to my server API. It should be configurable which OpenID provider is used: my own, Facebook, Google ... I only want to do authentication, I don't need their APIs. I only need profile data like email or name.

Let's say I have configured Google as my IdP and I am currently using my web interface (SPA). I need to log in, no problem; according to https://developers.google.com/identity/protocols/OpenIDConnect I redirect the user to Google, get my authorization code, and the web GUI (SPA) gets an id_token and an access_token from Google.

No problem yet, but now the SPA should work with my API server, and the API server needs to authenticate every request (since it is a stateless REST API) coming from the client (web GUI SPA) and needs to know who the user actually is ...

A

So the access_token from Google is used to access the Google API, correct? But I could also just pass this access_token with every request to my API server, and the API server calls https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=xxx to check the access_token and get the account name (mail) ... But that doesn't sound right, does it?

B

I also have an id_token that I can check without having to call the Google server every time. Can I also just pass the id_token as bearer with every request to my API server, and the API server checks the id_token? But according to the OpenID Connect spec, the access_token is actually the one that is supposed to be passed to the API server, and the id_token should remain on the client. But then the id_token would be completely useless for me: the API server needs to know who the user is, the client (web GUI) doesn't really care.

C

Or, since this is my own API server, my API server really needs to implement the whole OAuth2 system itself, not just authentication but creating an access_token and more. So I would have /api/tokensign to which I can pass the id_token from Google; the API checks the id_token and creates an access_token for my web GUI (SPA). And this new access_token can be passed as bearer with every API request. This actually sounds like the best solution according to the specs, but do I really need to implement OAuth2 myself in my API? Sounds like a heavy addition, since A and B can be implemented as well.

My REST API needs to authenticate with every request, so is A, B or C the right approach? Please don't tell me this is opinion-based, it is not. What is the correct way to use OAuth2 / OpenID Connect for authentication?

+3

1 answer


You can use all three methods mentioned above, but really with some considerations. I will explain them in relation to the available specifications.

Scenario - two systems S1 , S2

  • S1 - Identity Provider
  • S2 - API endpoint

What you need to do is trust and use the "tokens" issued by S1 to access S2.

Explanations for Suggested Solutions A , B and C

A - validate tokens issued by S1 for each call

This can be done using RFC7662 - OAuth 2.0 Token Introspection. This validation is valid by spec, so yes, you can use the token introspection endpoint.

The advantage of this method is that if the token is revoked, the effect is instant: the next API call will fail. But it does have a cost in performance. You will need an additional call to the introspection service.

Note that you do not need to get the account name from this check. It could be taken from the ID token and used for additional security verification.

B - ID tokens issued by S1 for each call

This approach is something of an extension of RFC6750 - OAuth 2.0 Authorization Framework: Bearer Token Usage. You can actually use the ID token to authenticate and authorize the end user. This link has a good explanation of using the ID token as a bearer token.

You can actually verify the validity of the token using a MAC and even encryption. But be careful to use short-lived tokens and always use TLS. And remember about refreshing tokens, since according to the OpenID Connect specification the ID token is not required to request a refresh token.

C - wrapper for federation

To do this, you can write your own solution or use existing solutions (for example: WSO2 Identity Server). This identity server is configured to select an identity provider for your application (client, such as a desktop application or a web application). The identity server will perform the required redirects and provide you with the required tokens. But in reality you will still need to use the introspection endpoint to validate the token.

If you go one step further than this solution, you can try to implement a token exchange mechanism. You can exchange external tokens for tokens issued from inside one of your systems (for example: a Google access token for your own access token). The advantage of this approach is that you are in control of the validation. Also, since subsequent token checks are performed internally, there should be a performance improvement.

Hopefully this clarifies some of the doubts you have.

+1
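The following is an added example, not code from the question or the answer, showing what option C (the exchange step the asker calls /api/tokensign) and the claim checks behind option B look like on the API server. It assumes that the Google ID token's signature has already been verified against the provider's JWKS by a JOSE library before the claims reach `validate_id_token_claims`; the issuer, client_id, signing secret and the sample claims are constructed placeholders. The API server then mints its own short-lived HS256 token (Python standard library only) and checks that token on every request with a pinned algorithm and a constant-time MAC compare.

```python
import base64
import hashlib
import hmac
import json

# Constructed example values (hypothetical, not from the question or answer).
API_ISSUER = "https://api.example.test"
API_TOKEN_SECRET = b"example-api-signing-secret-change-me"   # the API server's own HMAC key
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
OUR_CLIENT_ID = "1234567890-example.apps.googleusercontent.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_id_token_claims(claims: dict, expected_issuers: set, expected_aud: str, now: int) -> dict:
    """Claim checks from OIDC Core 3.1.3.7 on an ID token whose signature was ALREADY
    verified against the provider's JWKS (assumed done by a JOSE library before this call).
    Returns the identity the API server will trust."""
    if claims.get("iss") not in expected_issuers:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("token was not issued to this client")
    # With several audiences the authorized party must name us explicitly.
    if len(aud_list) > 1 and claims.get("azp") != expected_aud:
        raise ValueError("azp does not name this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    # Only trust the email if the provider says it verified it.
    email = claims.get("email") if claims.get("email_verified") else None
    return {"sub": claims["sub"], "email": email}


def mint_access_token(identity: dict, secret: bytes, now: int, ttl: int = 900) -> str:
    """Issue the API server's own short-lived HS256 JWT for the SPA to send as a bearer token."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": API_ISSUER, "sub": identity["sub"], "email": identity["email"],
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token: str, secret: bytes, now: int) -> dict:
    """Per-request check of our own token: pinned alg, constant-time MAC compare, iss and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm ("none" etc.)
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != API_ISSUER:
        raise ValueError("unexpected issuer")
    if now >= int(payload.get("exp", 0)):
        raise ValueError("access token expired")
    return payload


def exchange_id_token(google_claims: dict, now: int) -> str:
    """The /api/tokensign step: external ID token claims in, API-issued access token out."""
    identity = validate_id_token_claims(google_claims, GOOGLE_ISSUERS, OUR_CLIENT_ID, now)
    return mint_access_token(identity, API_TOKEN_SECRET, now)


# Constructed stand-in for the claims of a Google ID token (signature already checked).
SAMPLE_GOOGLE_CLAIMS = {
    "iss": "https://accounts.google.com", "aud": OUR_CLIENT_ID, "sub": "10769150350006150715113082367",
    "email": "alice@example.test", "email_verified": True, "iat": 1_700_000_000, "exp": 1_700_003_600,
}

if __name__ == "__main__":
    now = 1_700_000_100
    token = exchange_id_token(SAMPLE_GOOGLE_CLAIMS, now)
    print(verify_access_token(token, API_TOKEN_SECRET, now)["email"])   # alice@example.test
```

The exchange keeps the Google token off the wire after login, as the answer's option C suggests, and the per-request cost is one HMAC rather than a round trip to the introspection endpoint; the trade-off, as noted under A, is that revocation at Google is only noticed when the short-lived API token expires and the SPA has to exchange again.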
