How to organize complex authorization with OpenID Connect?

Good afternoon, colleagues! I have a problem, but I still cannot figure out how to solve it correctly.

Background: there is a partner with whom users are synchronized. That is, they give us the ID, the email and sometimes the name. Users who log in via OpenID Connect work in their system.

We also have a system in which these users must perform some actions that we must save and bind to user IDs. We set up authorization via OpenID Connect and forward the user to them (there, for example, he is already authorized). The user comes back to us, and we have his Access Token, Refresh Token, ID and other data. But we also have our own authorization server (also OpenID Connect), where the user must also log in.

It turns out that we need to set up the following chain: the user logs in with them => comes back to us, passing his ID => logs in with us immediately by this ID.

So the question is: how to implement this last step correctly? That is, we could bypass the OpenID server that runs on our side and enable authorization only by this ID from the partner, but that somehow does not seem safe. Are there any mechanisms that allow you to combine 2 OpenID Connect servers without affecting the partner's server?
You receive all of this: access token, refresh token, ID token (you have OIDC). You store it in your system, take the user data from the ID token, create the user in your system (if he wasn't there before) and automatically log him in for the lifetime of the token. On each of your systems separately. This is how SSO works. You don't need a second OpenID server for this operation. As a last resort you can use federation.
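The flow the answer describes (validate the partner's ID token, take the user data from it, create the user locally if missing, open a local session for the token's lifetime) as an added example; this is not code from the thread or from either party's system. It uses only the Python standard library. The partner issuer URL, client ID, client secret, claims and timestamps are constructed sample values, and the HS256 signature (client secret as HMAC key, which OIDC Core permits) stands in for the RS256/JWKS check a real integration would do against the partner's published keys; the token minting helper exists only to build sample input, since in reality the partner's server signs the token.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample values: fictional partner issuer and our client registration.
PARTNER_ISSUER = "https://partner.example/oidc"
OUR_CLIENT_ID = "our-app"
CLIENT_SECRET = b"constructed-shared-secret-not-a-real-one"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 ID token. Only used to build sample input (the partner's job)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class IdTokenError(Exception):
    """Raised when an ID token fails any validation step."""


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: float) -> dict:
    """Validate signature, iss, aud, exp and nonce; return the claims.
    sub/email/name are trusted only after this function returns."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h, p, s = parts
    # Pin the algorithm rather than trusting the header's alg field.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise IdTokenError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise IdTokenError("expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


class LocalUserStore:
    """Our side: users keyed by (issuer, sub) so a partner ID can never collide
    with the same value from another provider; sessions expire with the token."""

    def __init__(self) -> None:
        self.users: dict = {}      # (iss, sub) -> {"local_id", "email", "name"}
        self.sessions: dict = {}   # session id -> (user key, expiry)
        self._next_local_id = 1

    def login_from_claims(self, claims: dict) -> tuple:
        """Just-in-time provisioning, then a session bound to the ID token's exp."""
        key = (claims["iss"], claims["sub"])
        created = key not in self.users
        if created:
            self.users[key] = {"local_id": self._next_local_id,
                               "email": claims.get("email"), "name": claims.get("name")}
            self._next_local_id += 1
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = (key, claims["exp"])
        return session_id, self.users[key]["local_id"], created

    def session_user(self, session_id: str, now: float) -> Optional[int]:
        """Local user id for a live session, None if unknown or expired."""
        entry = self.sessions.get(session_id)
        if entry is None or now >= entry[1]:
            return None
        return self.users[entry[0]]["local_id"]


def run_demo() -> dict:
    """First login, repeat login, session expiry, and two rejected tokens."""
    now, nonce, store = 1_700_000_000.0, "n-constructed-1", LocalUserStore()
    base = {"iss": PARTNER_ISSUER, "aud": OUR_CLIENT_ID, "sub": "partner-user-42",
            "email": "user@example.org", "name": "Example User",
            "exp": now + 3600, "nonce": nonce}
    claims = verify_id_token(mint_id_token(base, CLIENT_SECRET), CLIENT_SECRET,
                             PARTNER_ISSUER, OUR_CLIENT_ID, nonce, now)
    sid, local_id, created = store.login_from_claims(claims)
    _, local_id2, created2 = store.login_from_claims(claims)  # same user, next visit
    results = {"first_login_created": created, "second_login_created": created2,
               "same_local_id": local_id == local_id2,
               "session_valid_before_exp": store.session_user(sid, now + 10) == local_id,
               "session_valid_after_exp": store.session_user(sid, now + 3601) is None}
    for name, bad in (("wrong_aud", {**base, "aud": "someone-else"}),
                      ("expired", {**base, "exp": now - 1})):
        try:
            verify_id_token(mint_id_token(bad, CLIENT_SECRET), CLIENT_SECRET,
                            PARTNER_ISSUER, OUR_CLIENT_ID, nonce, now)
            results[f"{name}_rejected"] = False
        except IdTokenError:
            results[f"{name}_rejected"] = True
    return results
```

The design point is that the local account is keyed by the pair (issuer, sub), not by the partner's ID alone, and that nothing is created or logged in until the signature, issuer, audience, expiry and nonce have all been checked; the second login in the demo reuses already-verified claims only to show that provisioning is idempotent, whereas a real second visit would carry a fresh token and nonce.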