0
votes

I want to authenticate a user's user name and password, and upon success, I want to use the token to get basic user information.

The grant type is Resource Owner Password grant with OpenID Connect.

However, there is a difference in how this is implemented in various identity providers. For example, OneLogin requires two requests to get the basic user information. While, Azure AD B2C and IdentityServer4 require one request.

Which implementation is the standard of OpenID Connect? If OneLogin is used for my project, what best practices are available for platform portability?

OneLogin:

First Request:

Getting Token

Url: https://openid-connect.onelogin.com/oidc/token

Ref: https://developers.onelogin.com/openid-connect/api/password-grant

Result:

{
"access_token": "example",
"expires_in": 2313232,
"token_type": "Bearer",
"refresh_token": "example"
}

Second Request:

Getting User Info

URL: https://openid-connect.onelogin.com/oidc/me

Ref: https://developers.onelogin.com/openid-connect/api/user-info

Result:

{
"sub": "123",
"email": "[email protected]",
"preferred_username": "[email protected]",
"name": "My Name",
"updated_at": "2019-03-13T16:11:15Z",
"given_name": "My",
"family_name": "Name"
}
2
This question is about OneLogin. Add the [onelogin] tag and remove the [identityserver4] and [azure-ad-b2c] tags. - Ruard van Elburg

Identityserver4 should also take 2 requests to get both the access token and the data from the user info endpoint. What exactly are you asking here? - Randy

2 Answers

0
votes

This is partially down to the "open" definition in OAuth2 around the token definition. In Azure AD, the access token is a JWT which provides basic user information. Get an access token (via whichever grant type) and you have basic user info. In Onelogin (and other IdPs such as Salesforce) the access token is just an opaque token that contains no discernible data. It's a token to access resources.

So there's no standard here, but if you're looking for consistency you should assume the access token from any IdP does not contain user information. Either initiate a grant that returns an OIDC token or use the access token to request an API endpoint that returns user information. Note, the Resource Owner Password Grant with an openid scope should return an id_token which includes your basic user information.

This (new tool) should help clarify as well: https://youtu.be/do0agd71hE8
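A portable client-side handling of the two cases this answer describes, as an added example that is not from the question or either answer: it takes the token response from the password grant, uses the id_token claims when one is present (after alg/iss/aud/exp checks; signature verification against the provider's JWKS is assumed to be done separately), and otherwise treats the access token as opaque and makes OneLogin's second request to the userinfo endpoint. ISSUER, CLIENT_ID, USERINFO_ENDPOINT and the demo token builder are constructed values for illustration, not OneLogin's or Azure's.

```python
import base64
import json
import time
import urllib.request

# Constructed demo values; real ones come from the provider's discovery document.
ISSUER = "https://issuer.example"
CLIENT_ID = "my-client-id"
USERINFO_ENDPOINT = "https://issuer.example/oidc/me"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def id_token_claims(id_token, now=None):
    """Parse an ID token and check alg/iss/aud/exp. Signature verification
    against the provider's JWKS is still required and is out of scope here."""
    header_b64, payload_b64, _signature = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg", "none") == "none":
        raise ValueError("unsigned id_token rejected")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    return claims

def fetch_userinfo_http(access_token):
    """OneLogin-style second request: GET userinfo with the opaque bearer token."""
    req = urllib.request.Request(
        USERINFO_ENDPOINT, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def basic_user_info(token_response, fetch_userinfo=fetch_userinfo_http, now=None):
    """Portable path: id_token claims if the IdP returned one, else userinfo."""
    if "id_token" in token_response:
        claims = id_token_claims(token_response["id_token"], now)
    else:
        claims = fetch_userinfo(token_response["access_token"])
    return {k: claims[k] for k in ("sub", "email", "name") if k in claims}

def make_demo_id_token(claims):
    """Demo token with a dummy signature, for offline tests only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])
```

For a real deployment, replace the demo token with the provider's id_token and verify its signature with a JOSE library before calling id_token_claims.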

0
votes

I would suggest sending the Identity Token to the resource server, usually your API server (I take it you intend to secure this?). As the Identity Token is a JWT, this can be validated locally on every call on your resource server/API server. You can use the opaque bearer token initially to obtain info from the userinfo_endpoint about the user. Since the bearer token is opaque, there is little point passing this to your API/resource server since you have no means of validating it. There is a big discussion: IdToken vs AccessToken sent to Resource Server. It is not normal to send the ID token to the resource server, but since the bearer token is opaque and cannot be validated locally, you have little choice.