Scenario: openid-connect based social login for SPA.
Case 1: In the case of an SPA that has registered as an OAuth 2.0 client with a Social Authentication Provider (ex. Google), the OAuth/OIDC roles map like this:
- Resource Owner = Authenticating User
- Client = SPA
- Authorization Server = Social Authentication Provider (ex. Google)
- Resource Server = Social Authentication Provider (ex. Google)
Case 2: Now, let's consider the case of Social Authentication for an SPA using an IDaaS (ex. Okta/Auth0). IDaaS has registered an OAuth 2.0 client with Social Authentication Provider (ex. Google) and SPA has registered an OAuth 2.0 client with IDaaS.
Question: Is this use case a combination of two OIDC flows (nested)?
Flow 1:
- Resource Owner = Authenticating User
- Client = IDaaS (ex. Okta)
- Authorization Server = Social Authentication Provider (ex. Google)
- Resource Server = Social Authentication Provider (ex. Google)
(at this point Social Provider has asserted id_token (iss=Google, aud=IDaaS) to IDaaS redirect_uri)
Flow 2:
- Resource Owner = Authenticating User
- Client = SPA
- Authorization Server = IDaaS (ex. Okta)
- Resource Server = IDaaS (ex. Okta)
(finally, IDaaS has asserted id_token (iss=IDaaS, aud=SPA) to SPA redirect_uri, and at this point authentication to SPA is complete).
Is the above understanding correct?
Also, is there a standard OIDC/OAuth pattern for this kind of architecture, which involves using an IDaaS as an identity broker?
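As an added illustration (not part of the original question), here are the two hops modelled as the id_token claim checks each relying party performs: the IDaaS validates the Google token (iss=Google, aud=IDaaS) and mints its own (iss=IDaaS, aud=SPA), and the SPA accepts only the latter. Issuer URLs, client_ids, nonces and the `sub` re-scoping are constructed placeholders, and signature verification against each issuer's JWKS is assumed to have happened before these checks.

```python
# Constructed identifiers for the two hops (placeholders, not from the original post).
GOOGLE_ISS = "https://accounts.google.com"
IDAAS_ISS = "https://idaas.example.com"        # the IDaaS's own issuer URL
IDAAS_CLIENT_AT_GOOGLE = "idaas-client-id"     # client_id the IDaaS registered with Google
SPA_CLIENT_AT_IDAAS = "spa-client-id"          # client_id the SPA registered with the IDaaS


def validate_id_token(claims, expected_iss, expected_aud, expected_nonce, now):
    """Claim checks a relying party performs on a decoded id_token (iss, aud/azp, exp, nonce).
    Signature verification against the issuer's JWKS is assumed to have passed already."""
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:
        return False, "audience mismatch"
    if len(aud) > 1 and claims.get("azp") != expected_aud:
        return False, "azp mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, "ok"


def idaas_broker(google_claims, idaas_nonce, spa_nonce, now):
    """Flow 1: the IDaaS, acting as Google's client, validates the upstream id_token
    (iss=Google, aud=IDaaS) and then mints its own id_token for the SPA (iss=IDaaS, aud=SPA)."""
    ok, why = validate_id_token(google_claims, GOOGLE_ISS, IDAAS_CLIENT_AT_GOOGLE, idaas_nonce, now)
    if not ok:
        return None, why
    downstream = {"iss": IDAAS_ISS, "aud": SPA_CLIENT_AT_IDAAS, "exp": now + 3600,
                  "sub": "google|" + google_claims["sub"],   # upstream identity, re-scoped
                  "nonce": spa_nonce}                        # nonce the SPA sent to the IDaaS
    return downstream, "ok"


def spa_validate(claims, spa_nonce, now):
    """Flow 2: the SPA trusts only tokens issued by the IDaaS for its own client_id."""
    return validate_id_token(claims, IDAAS_ISS, SPA_CLIENT_AT_IDAAS, spa_nonce, now)


def run_nested_flows(now):
    """Drive both hops with constructed claims; also show which tokens the SPA must reject."""
    idaas_nonce, spa_nonce = "n-idaas-1", "n-spa-1"
    google_token = {"iss": GOOGLE_ISS, "aud": IDAAS_CLIENT_AT_GOOGLE, "sub": "1234567890",
                    "exp": now + 300, "nonce": idaas_nonce}          # constructed upstream token
    idaas_token, flow1 = idaas_broker(google_token, idaas_nonce, spa_nonce, now)
    other_client = dict(idaas_token, aud="some-other-spa")             # IDaaS token for another app
    return {"flow1": flow1,
            "flow2": spa_validate(idaas_token, spa_nonce, now),
            "google_token_at_spa": spa_validate(google_token, spa_nonce, now),
            "other_client_at_spa": spa_validate(other_client, spa_nonce, now)}
```

The last two results show why the hops are separate trust relationships: the SPA must reject the Google-issued token outright (wrong issuer) and an IDaaS token minted for a different client (wrong audience), even though both were issued to the same authenticating user.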