
We want to use an existing server to authenticate requests to a new, second server. Both servers are trusted; the proposed workflow is shown below.

We can assume in this example that Server 2 does not have access to Server 1's auth token database.

Auth flow diagram

  1. User sends username / password to server 1; server responds with an auth token.
  2. User requests a resource from server 2, including the auth token from server 1.
  3. Server 2 checks with server 1 that the auth token is valid.
  4. If the token is valid, server 2 responds with the requested resource.

Does this flow have a particular name? It doesn't quite seem to match any OAuth flow that I've seen.

Is this flow considered a good idea? If not, what alternative would be recommended?

This flow seems almost identical to that recommended in How should a Facebook user access token be consumed on the server-side? except we're not using Facebook here.

1 Answer


Did you check OAuth 2? I guess that would be more suitable for your requirement.

  • Could you be more specific? Which of the OAuth flows would you recommend? – RYFN Mar 22 '16 at 15:41
  • Section 1.2: Protocol Flow http://tools.ietf.org/html/rfc6749 , hope this will help – SecurityNinja Mar 22 '16 at 15:47
  • The flow mostly depends on the client: is it public or confidential? A script, a native application... Anyway @SecurityNinja is right, the OAuth2 framework protocol should fit your needs. In the OAuth2 language, server 1 is the "Authorization Server", server 2 is the "Resource Server" and the App is the "Client" – Spomky-Labs Mar 22 '16 at 15:58
  • Thanks, I'm aware that the "Resource Owner Password Credentials Grant" flow fits here. However, I'm unclear on how the "Resource Server" communicates with the "Authorization Server"? – RYFN Mar 22 '16 at 16:03
  • The RFC7662 (https://tools.ietf.org/html/rfc7662) may answer this question. It defines a communication protocol to verify the access token is still valid or not. – Spomky-Labs Mar 22 '16 at 16:05
  • @Spomky thanks, you should post these comments as an answer, they were far more helpful than the original. To summarise, the workflow in the original question is essentially "Resource Owner Password Credentials Grant" flow, with separate Authorization and Resource servers. OAuth 2.0 Introspection endpoint could be used for resource server to check tokens with auth server. – RYFN Mar 22 '16 at 16:46
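As an added illustration of the exchange the comments converge on (not code from the question or any answer), here is a minimal in-memory model of an RFC 7662 introspection check: server 1 holds the token database and exposes an introspection function, and server 2 calls it before serving a resource. The token values, the `server2` caller credential and the direct function call standing in for the HTTPS `POST /introspect` request are all constructed assumptions.

```python
# Added example: RFC 7662 token introspection between an authorization server
# (server 1) and a resource server (server 2). Constructed in-memory stand-ins
# replace the real token database and the HTTPS call to the introspection endpoint.
import hmac
import time

# Constructed token database, held only by server 1 (the authorization server).
TOKEN_DB = {
    "tok-abc123": {"sub": "alice", "scope": "read", "exp": time.time() + 3600, "client_id": "app"},
    "tok-expired": {"sub": "bob", "scope": "read", "exp": time.time() - 1, "client_id": "app"},
}
# Constructed credential server 2 presents to the introspection endpoint.
# RFC 7662 section 2.1 requires the caller to be authorized, so the endpoint
# must not answer anonymous queries.
SERVER2_SECRET = "s2-secret"
INTROSPECTION_CALLERS = {"server2": SERVER2_SECRET}

def introspect(token: str, caller_id: str, caller_secret: str) -> dict:
    """Server 1's introspection endpoint (RFC 7662 section 2.2)."""
    expected = INTROSPECTION_CALLERS.get(caller_id)
    if expected is None or not hmac.compare_digest(expected, caller_secret):
        raise PermissionError("introspection caller not authorized")
    rec = TOKEN_DB.get(token)
    # Unknown and expired tokens both yield {"active": false} with no other
    # fields, so the caller cannot tell the two cases apart (RFC 7662 section 2.2).
    if rec is None or rec["exp"] <= time.time():
        return {"active": False}
    return {"active": True, "sub": rec["sub"], "scope": rec["scope"],
            "exp": int(rec["exp"]), "client_id": rec["client_id"]}

def authorize_request(auth_header: str, required_scope: str) -> tuple[int, str]:
    """Server 2's check for one incoming request carrying a bearer token."""
    if not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    token = auth_header[len("Bearer "):]
    # Stands in for POST /introspect over HTTPS with token=<token> in the body.
    resp = introspect(token, "server2", SERVER2_SECRET)
    if not resp.get("active"):
        return 401, "invalid token"
    # Trust only server 1's answer for the scope; never the client's own claims.
    if required_scope not in resp.get("scope", "").split():
        return 403, "insufficient scope"
    return 200, f"resource for {resp['sub']}"
```

Because every request costs a round trip to server 1, production resource servers usually cache introspection results for a short, bounded time; the cache lifetime then bounds how long a revoked token keeps working.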