
List:       forgerock-openam-dev
Subject:    [OpenAM-dev] Request OAuth2 access token with an existing token id
From:       MBurgers () delta ! nl (Burgers, Martijn)
Date:       2014-02-26 10:44:25
Message-ID: 86F4368674B3B94D98B157B2C75A80711D477183 () SVDLTEXCP0001 ! delta-zld ! nl

Hi,

Is it possible to request an OAuth2 access token with an existing token id only, which was originally issued during a SAML Web Browser SSO?

We already use SAMLv2 (Web Browser SSO profile) to set up a trust between service providers and identity providers and to delegate the authentication of the user.

So the user is already logged in on the service provider and has an active session on both entities. Now we want to add a JavaScript client application to the web pages of the service provider. This JavaScript application will need to make cross-domain calls to a REST API other than the OpenAM REST API. The REST API is controlled by ourselves and will not be public.

I am planning to use OAuth2 for authorizing the user for the REST API, but I am open to other suggestions as well. Because the user is already authenticated through SAMLv2, I don't want the consent part of OAuth2.

To make the call to the REST API in another domain I need to supply the OAuth2 access token, which the resource server (REST API) can validate against the OpenAM Authorization Server.

So again, is this a possible use case? I know that OpenAM supports SAML 2.0 Bearer Assertion Profiles (http://docs.forgerock.org/en/openam/11.0.0/admin-guide/index/chap-oauth2.html#oauth2-saml2-bearer), but that forces me to expose the SAML token to the JavaScript application, which I obviously don't want.

Thanks in advance,

Martijn


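The following is an added example, not code from the original post, from OpenAM or from ForgeRock. It illustrates the SAML 2.0 bearer assertion grant the post links to (RFC 7522, at the time of the post still the oauth-saml2-bearer draft) in the shape that avoids the poster's concern: the service provider's backend, which already holds the SAML assertion from the Web Browser SSO exchange, performs the assertion-to-token exchange itself and hands only the resulting access token to the JavaScript client. The token endpoint URL, the scope value, the subject and the unsigned sample assertion are constructed for illustration; the authorization-server checks shown are the audience and validity-window rules from RFC 7522 section 3, and XML signature verification is deliberately left out and must be done by a real implementation before any of these checks.

```python
"""Server-side SAML 2.0 bearer-assertion grant helpers (RFC 7522).

Added example; not code from the original post or from OpenAM. The
endpoint URL, scope value, subject and the unsigned sample assertion are
constructed for illustration.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
# Assumed token endpoint of the authorization server; RFC 7522 section 3
# requires it (or the AS identifier) to appear as an <Audience>.
TOKEN_ENDPOINT = "https://as.example.com/oauth2/access_token"

# Constructed, unsigned sample assertion. A real one carries the IdP's
# XML signature, which must be verified before anything below runs.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1" Version="2.0" IssueInstant="2014-02-26T10:44:25Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>mburgers</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-02-26T10:39:25Z" NotOnOrAfter="2014-02-26T10:49:25Z">
    <saml:AudienceRestriction>
      <saml:Audience>{TOKEN_ENDPOINT}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7522 requires for the assertion parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the sender stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(assertion_xml: str, scope: str) -> str:
    """Form body the SP backend POSTs to TOKEN_ENDPOINT. The browser never sees it."""
    return urllib.parse.urlencode({
        "grant_type": GRANT_TYPE,
        "assertion": b64url(assertion_xml.encode("utf-8")),
        "scope": scope,
    })


def parse_token_request(body: str) -> Tuple[str, str]:
    """Authorization-server side: recover the assertion XML and requested scope."""
    fields = dict(urllib.parse.parse_qsl(body, strict_parsing=True))
    if fields.get("grant_type") != GRANT_TYPE:
        raise ValueError("unsupported grant_type")
    return b64url_decode(fields["assertion"]).decode("utf-8"), fields.get("scope", "")


def saml_time(value: Optional[str]) -> datetime:
    """Parse the UTC 'Z' timestamp form SAML uses; missing attributes are rejected."""
    if value is None:
        raise ValueError("missing timestamp attribute")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_conditions(assertion_xml: str, audience: str, now: datetime) -> str:
    """Audience and validity-window checks from RFC 7522 section 3; returns the subject.

    Signature verification is out of scope here by design: a real AS verifies
    the IdP's XML-DSig (with a hardened parser such as defusedxml) first,
    otherwise these checks run over attacker-controlled input.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        raise ValueError("missing Conditions")
    not_before = saml_time(conditions.get("NotBefore"))
    not_on_or_after = saml_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conditions.iter(f"{{{SAML_NS}}}Audience")]
    if audience not in audiences:
        raise ValueError("audience does not include the token endpoint")
    subject = root.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if not subject:
        raise ValueError("missing Subject/NameID")
    return subject


def accept_assertion(assertion_xml: str, audience: str, now: datetime) -> Optional[str]:
    """Boolean-style wrapper: the subject if the assertion is acceptable, else None."""
    try:
        return check_assertion_conditions(assertion_xml, audience, now)
    except (ValueError, ET.ParseError):
        return None


def bearer_token_from_header(authorization: Optional[str]) -> Optional[str]:
    """Resource-server side: pull the access token out of an RFC 6750 Authorization header."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


if __name__ == "__main__":
    body = build_token_request(SAMPLE_ASSERTION, "api:read")
    xml, scope = parse_token_request(body)
    print(accept_assertion(xml, TOKEN_ENDPOINT, saml_time("2014-02-26T10:44:25Z")), scope)
```

Because the exchange runs on the SP backend, the JavaScript client only ever holds the access token it presents to the REST API in the Authorization header; the assertion stays server-side, and consent is not part of this grant type.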


