We have our app registered in OIDC using the 2L auth type. Do we have to share our client ID and secret with consumer apps so that they can access our API?

I understand that the OAuth 2.0 client credentials grant flow permits a client to authenticate using its own credentials instead of impersonating a user.

And since many consumers will be accessing our API, instead of sharing our client credentials, can we authorize whom we allow to access our API? Is there any ACL in OIDC where we can grant access to consumer A and not consumer B, assuming both A and B have registered their apps in OIDC?

1 Answer

The OAuth 2.0 specification defines the concept of scope, which is used to express the authorization carried by an access token.

So in OAuth 2.0, the "ACL" you mentioned above is expressed by scope. When you register a client at the IdP, you have to specify the scope of that client; that scope is "where we can grant access to consumer A and not consumer B".

Your API (resource server) will be designed so that the endpoint accepts only requests whose access token has the proper scope.

For example:

Register clients: client A (scope = email), client B (scope = address)

Get an access token for each client (by the client_credentials flow): access_token_A, access_token_B

Your API: endpoint1 (authorized by the email scope). So when you send two requests, one with access_token_A and one with access_token_B, the former will succeed (proper scope) and the latter will fail.

References:

https://www.oauth.com/oauth2-servers/the-resource-server/

https://tools.ietf.org/html/rfc6749
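The flow the answer describes, written out as an added example (this is not code from the original post or from any IdP product). Each consumer authenticates to a token endpoint with its own client ID and secret, so the API owner never hands out its credentials; the IdP only issues the scopes a client was registered with, and the resource server rejects tokens that do not carry the scope an endpoint requires. The client registry, secrets, issuer and audience values, and the HS256 signing key are all constructed for the demo; a real deployment would use the IdP's published keys (typically RS256/ES256 via JWKS) and a proper password hash for stored client secrets.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (not from the original post): the IdP's client registry,
# its token-signing key, and the audience the resource server expects.
ISSUER = "https://idp.example"
API_AUDIENCE = "https://api.example"
SIGNING_KEY = b"constructed-demo-signing-key"
CLIENTS = {
    # "scopes" = what each client was allowed to request when it was registered.
    # Secrets are stored hashed; plain SHA-256 is for brevity only (use argon2/scrypt/bcrypt in production).
    "client-a": {"secret_sha256": hashlib.sha256(b"secret-a").hexdigest(), "scopes": {"email"}},
    "client-b": {"secret_sha256": hashlib.sha256(b"secret-b").hexdigest(), "scopes": {"address"}},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Minimal HS256 JWT, enough to show what the resource server has to check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key, now=None):
    """Return the claims if the signature and expiry are valid, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64 or bad JSON
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    return claims


def token_endpoint(client_id, client_secret, requested_scope):
    """Client credentials grant (RFC 6749 section 4.4): each consumer authenticates with
    its OWN id/secret and can only be issued the scopes it was registered with."""
    client = CLIENTS.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Compare against a dummy digest for unknown clients so timing does not reveal which ids exist.
    stored = client["secret_sha256"] if client else "0" * 64
    if not hmac.compare_digest(presented, stored) or client is None:
        return {"error": "invalid_client"}
    requested = set(requested_scope.split())
    if not requested or not requested <= client["scopes"]:
        return {"error": "invalid_scope"}
    claims = {"iss": ISSUER, "sub": client_id, "aud": API_AUDIENCE,
              "scope": " ".join(sorted(requested)), "exp": int(time.time()) + 600}
    return {"access_token": sign_jwt(claims, SIGNING_KEY), "token_type": "Bearer"}


def authorize(authorization_header, required_scope):
    """Resource-server check: the bearer token must verify, be issued by our IdP for this API,
    and carry the scope the endpoint requires. Error codes follow RFC 6750 section 3.1."""
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    claims = verify_jwt(authorization_header[len("Bearer "):], SIGNING_KEY)
    if claims is None or claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
        return 401, {"error": "invalid_token"}
    if required_scope not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope", "scope": required_scope}
    return 200, claims


def endpoint1(authorization_header):
    """The answer's endpoint1: only callers whose token carries the 'email' scope get through."""
    status, result = authorize(authorization_header, "email")
    if status != 200:
        return status, result
    return 200, {"email": f"{result['sub']}@example.test"}
```

Running the two requests from the answer: client-a obtains a token with scope `email` and gets a 200 from `endpoint1`; client-b can only obtain `address`, so its token is rejected with 403 `insufficient_scope`, and asking the token endpoint for `email` with client-b's credentials fails with `invalid_scope` before any token is issued. Note the 401/403 split: a token that fails signature, issuer, audience or expiry checks is `invalid_token`, while a valid token with the wrong scope is `insufficient_scope`, which is the check that actually implements the per-consumer "ACL" the question asks about.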