3
votes

I've been struggling over the past couple of days to wrap my head around something. I have worked with OAuth2 servers before and am familiar with all the spec grant types. But I'm working on an application where I want to use an OpenID service for user authentication to my OAuth2 server.

But the issue is I want an implicit trust with my application and my server, so somewhat like the resource owner password grant. But the issue is I'm not authenticating with a password; I'm authenticating with an OpenID provider.

So would I be stuck basically making a custom grant type to deal with this? Are there any future plans to implement such a grant type in the spec? Any advice would be really appreciated as I cannot find any relevant information after searching long and hard.

Thanks

1
Have you checked OpenID Connect? It nicely integrates OpenID with OAuth2, but maybe you need something else here. - Zólyomi István
I have looked at OpenID Connect and it would be useful if I wanted to be the OpenID provider, but I want to authenticate using a 3rd party provider. - Brosa

1 Answer

0
votes

The spec has drafted the OAuth assertion flow that is basically meant for authenticating with external providers. The IETF draft can be located here

OAuth servers that support the assertion flow are (not a complete list):

  1. songkick/oauth2-provider (Ruby)
  2. RangelReale/osin (Golang)
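
The assertion flow mentioned in the answer, seen from the authorization server's token endpoint, as an added example (not part of the original answer and not code from either listed project). It assumes the JWT bearer profile of the assertion framework (RFC 7523) and an HS256 key shared with a single trusted provider; `as.example`, `idp.example`, the key, `make_assertion` and `token_endpoint` are hypothetical names made up for the sketch.

```python
import base64, hashlib, hmac, json, secrets, time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example/token"      # hypothetical: this server's token URL
TRUSTED_ISSUERS = {"https://idp.example": b"demo-shared-key"}  # constructed demo key

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_assertion(claims, key):
    """Stand-in for the external provider signing an assertion (HS256)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def token_endpoint(form, now=None):
    """Validate an assertion grant; return an RFC 6749 style token or error body."""
    now = time.time() if now is None else now
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        head, body, sig = form.get("assertion", "").split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        key = TRUSTED_ISSUERS[claims["iss"]]             # unknown issuer raises KeyError
        good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        ok = (header.get("alg") == "HS256"               # pin the algorithm
              and hmac.compare_digest(good, _b64d(sig))  # constant-time signature check
              and claims["aud"] == TOKEN_ENDPOINT        # assertion was minted for us
              and claims["exp"] > now                    # not expired
              and bool(claims["sub"]))                   # names the end user
    except (ValueError, KeyError, TypeError, AttributeError):
        ok = False                                       # any malformed input is rejected
    if not ok:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer", "expires_in": 3600}
```

A production server would normally verify an asymmetric signature against the provider's published keys and track `jti` values to reject replayed assertions; both are left out here to keep the sketch short.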