authentication - What type of token/auth to use for non-interactive API clients in an OIDC context? -


we consider using openid connect id tokens authentication of our public api.

these usage scenarios we'd cover:

  1. web ui (single page, client-side javascript app)
  2. command line interface (cli) used in interactive session
  3. cli used non-interactively, e. g. in ci/cd pipeline
  4. other api calls executed in non-interactive session

the idea (1) , (2) use oidc implicit grant type, user authenticates interactively (username/password) @ our openid connect identity provider , permits rp (relying party, client) access users identity. identity provider issue short-lived id token, refresh token , (optionally?) access token rp.

for (3) , (4) interactive authentication out of question. we'd instead issue tokens users allow them access our api on behalf. these tokens should long living, invalidated when deleted in system.

still, want use jwt id tokens issued identity provider carrier of identity information api requests internally.

my questions are:

  • can done purely 1 of tokens issued openid connect implicit grant type?
  • can access token issued in long-lived (no expiry, invalidated deleting system) way , exchanged client against id token?
  • or refresh token thing use that?
  • or have solve outside openid connect? leaves question how resolve opaque tokens api requests against identity details (jwt) use in our api/services?

if use implicit flow (for scenarios 1 , 2), can't use refresh tokens. need client credentials (client id , secret) request refresh tokens. in implicit flow, don't store client credentials.

when client public client (spa,etc..), not safe store client secret in it. public clients use implicit flow. implicit flow doesn't support refresh tokens. of oidc libraries implement silent token renewal/refresh feature circumvent absence of refresh tokens. there limitations model (you need have active session idp renewal working without interruption)

tl;dr -> if client public client, use implicit flow (which don't need client secret access tokens idp). implicit flow doesn't support refresh tokens.

can done purely 1 of tokens issued openid connect implicit grant type?

it not possible use refresh tokens implicit flow. authorization code flow supports refresh tokens can't used spa clients. need combination of oauth 2.0/oidc flows.

can access token issued in long-lived (no expiry, invalidated deleting system) way , exchanged client against id token?

these 2 different things:

  • "invalidated deleting system" : discussing self-contained tokens vs reference tokens.

self-contained tokens: these tokens contains information required validate authenticity in - e.g. issuer details, validity, etc.. client don't need make back-channel call sts confirm authenticity. these tokens hard revoke , valid duration specified in token.

reference tokens: reference tokens opaque tokens contains guid identifier in , no other details. in order validate authenticity of these tokens, client needs make back-channel call sts. 1 main advantage can revoked deleting corresponding identifier in sts db.

  • "exchanged client against id token refresh token" - assuming referring refresh tokens instead of id token. use refresh token purpose

or refresh token thing use that?

yes. refer above comments

or have solve outside openid connect? leaves question how resolve opaque tokens api requests against identity details (jwt) use in our api/services?

if use opaque tokens, oidc/oauth 2.0 has several endpoint (like userinfo) further information user. can use introspection endpoint know validity of token.

(scenarios 3 , 4): not sure how plan use - non-interactive client(which acting on own , not behalf of user), should use client credentials flow.

if client want act on behalf of user, should enable way user approve behavior.


Comments

Post a Comment

Popular posts from this blog

PHP and MySQL WP -

i trying accomplish 2 things here code. writing php directly wp page using insert php plugin. 1) query mysql database , return results 1 column 4 columns. 2) make each result own hyperlink directs user new wp page runs new query on page. i able query show results , turn results dynamic hyperlink, cannot formatting down. right returns result 1 column. here have: [insert_php] $servername = "localhost"; $username = "login"; //edited privacy $password = "password"; //edited privacy $database = "database"; //edited privacy // create connection $conn = new mysqli($servername, $username, $password, $database); // check connection if ($conn->connect_error) { die("connection failed: " . $conn->connect_error); } echo "connected successfully"; //get results database $result = mysqli_query($conn,"select mine mines order mine"); $all_property = array(); //declare array saving property //showing proper...
Read more

android - InAppBilling registering BroadcastReceiver in AndroidManifest -

i'm implementing inapp billing in android app. works well, however, i'm trying decouple broadcast receiver activity manifest. suggestion in android's trivialdrive sample: // important: dynamically register broadcast messages updated purchases. // register receiver here instead of <receiver> in manifest // because call getpurchases() @ startup, therefore can ignore // broadcasts sent while app isn't running. // note: registering listener in activity bad idea, done here // because sample. regardless, receiver must registered after // iabhelper setup, before first call getpurchases(). currently there's class extends broadcastreceiver : public class iabbroadcastreceiver extends broadcastreceiver { /** * intent action receiver should filter for. */ public static final string action = "com.android.vending.billing.purchases_updated"; private final iabbroadcastlistener mlistener; public iabbroadcastreceiver(iabbroadcastlistener listener) { m...
Read more

go - golang pprof for c library code -

i have been trying profile golang application pprof, seems details of c code(linked static library) missed in output result. flame graph from frame graph can see c code time consuming reported within "runtime._externalcode", no details @ all. , sure static library compiled debug enable. so there way make pprof details(like stack trace) of 3rd party c code? or there other golang profiling tool this?
Read more