Hi Guys,

I have a question about tight integration via OAuth2.

*The scenario is:*

   1. A and B are two independent web services in one company.
   2. They have their own identity stores and authentication services.
   3. There is a mapping relationship between A's users/orgs and B's
   users/orgs; in other words, A can get a user's userid in B by this means.
   4. A and B want to do tight integration. A can get the user's token in B
   in the backend and call B's API. From the end user's point of view, A and B
   are one service.


*Old Solution:*

   1. Using SAML2, A sends a SAML assertion to B.
   2. B verifies the assertion and generates the user token from the NameID.
   3. It's a complex solution and needs a lot of configuration.


*My idea by OAuth2:*

The Client Credentials Grant is suitable for this scenario, but this grant
doesn't contain the user's info, so a user token can't be obtained by this flow.
I want to register a grant type for this purpose, with the username included
in this grant type.
*Here is the proposal:*

grant_type: urn:company:tightly_client_credentials
client_id and client_secret: in the Authorization header (Basic) or POST params
username: user's nameid
scope: [OPTIONAL] The scope of the access request

*Demo:*

Request:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded;charset=UTF-8

grant_type=urn:company:tightly_client_credentials&username=johndoe

Response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "example_parameter":"example_value"
}

In the back end, when I get this request, I will check whether this client is a
confidential client trusted for tight integration, then issue a user token.
Is it a reasonable solution for this use case?
Do you have any suggestions?


Thanks and Regards
Darcy
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
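The back-end check described in the message, as an added Python example that is not part of Darcy's post: it authenticates the client behind the demo's Basic header (the RFC 6749 example credentials s6BhdRkqt3 / gX1fBat3bV), accepts the custom grant only from clients registered for tight integration, resolves the username through the A-to-B mapping, and binds the issued token to that user and client. The client registry, user map, allowed scopes and in-memory token store are constructed assumptions.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs

GRANT = "urn:company:tightly_client_credentials"
# Constructed sample data standing in for B's client registry and user store.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "tightly_integration": True},
    "public-app": {"secret": "p4ssw0rd", "tightly_integration": False},
}
USERS = {"johndoe": "user-42"}        # A's nameid -> B's internal user id
ALLOWED_SCOPES = {"read", "write"}
ISSUED = {}                           # access_token -> what it is bound to

def basic_header(client_id, client_secret):
    """Build the Authorization header a client sends (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def token_endpoint(headers, body):
    """Handle POST /token for the custom grant; returns (status, JSON dict)."""
    # 1. Authenticate the client; bad and missing credentials look the same.
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    try:
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client = CLIENTS.get(client_id) if scheme.lower() == "basic" else None
    if client is None or not hmac.compare_digest(client["secret"].encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != GRANT:
        return 400, {"error": "unsupported_grant_type"}
    # 2. Only clients explicitly registered for tight integration may mint user tokens.
    if not client["tightly_integration"]:
        return 400, {"error": "unauthorized_client"}
    # 3. Resolve the nameid through the A->B mapping; unknown users get nothing.
    user_id = USERS.get(form.get("username", ""))
    if user_id is None:
        return 400, {"error": "invalid_request"}
    scope = set(form.get("scope", "").split())
    if not scope <= ALLOWED_SCOPES:
        return 400, {"error": "invalid_scope"}
    # 4. Bind the token to both the user and the client that asked for it.
    token = secrets.token_urlsafe(24)
    ISSUED[token] = {"sub": user_id, "client_id": client_id, "scope": sorted(scope)}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

The registration flag in step 2 is the control that limits the reach of a leaked client secret to the few clients deliberately trusted to act on behalf of users; RFC 8693 (OAuth 2.0 Token Exchange) later standardised this kind of delegated user-token request.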
