Is there a standard HTTP Authentication scheme which is appropriate to use with OpenID Connect? The scenario I have in mind is as follows:

An HTTP Service requires authentication of users. One of the possible authentication methods is to use a federated identity from a 3rd party OpenID Provider. The Service is registered with the 3rd party OpenID Provider as a confidential client, and possesses a client_id and a client secret.

When a user tries to access the HTTP Service, the server responds with a 401 Unauthorized and a WWW-Authenticate header containing information about how to initiate an authentication request with the OpenID Provider:

WWW-Authenticate: OpenIDConnect realm="MyService", client_id="1234-5678", authorization_url="https://provider/authorize"

The client contacts the authorization endpoint, authenticates, and then obtains an authorization code. The code is then specified in a subsequent request to the Service via the Authorization header, e.g.:

GET / HTTP/1.1
Authorization: OpenIDConnect client_id="1234-5678", code="AAABAAA..."

The Service will use the code to obtain an ID Token from the OpenID Provider and establish an authenticated session with the client, e.g. by setting a cookie or returning a new set of credentials to use for subsequent requests.

The OpenIDConnect scheme is something I made up for this example. I have tried searching for a standard way to do something similar, and the absence of results has left me with the following possible answers:

  1. I have not searched hard enough.
  2. What I am trying to do is misguided and wrong.
  3. Everybody implements their own custom authentication schemes for this purpose.
Ulrik Rasmussen
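As an added example (not part of the question or of any standard), the following shows what the service side of the hypothetical OpenIDConnect scheme above would have to do if it were built on the HTTP auth-param grammar of RFC 7235: serialize the 401 challenge, parse the credentials the user agent sends back, and reject anything that is malformed, duplicated or not addressed to this service's registration. The scheme name, parameter names and sample values are the ones from the question; `accept_credentials` and the rejection reasons are constructed here. Redeeming the code at the provider is a separate step (the token request) and is not shown in this block.

```python
import re
from typing import Dict, Optional, Tuple

# Hypothetical scheme name taken from the question; it is not an IANA-registered scheme.
SCHEME = "OpenIDConnect"

# RFC 7235 auth-param grammar: token "=" ( token / quoted-string ), comma separated.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM_RE = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*(?:,|$)")


def build_challenge(realm: str, client_id: str, authorization_url: str) -> str:
    """Serialize the WWW-Authenticate challenge shown in the question."""
    def q(v: str) -> str:
        # quoted-string: escape backslash and double quote
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return (f'{SCHEME} realm={q(realm)}, client_id={q(client_id)}, '
            f'authorization_url={q(authorization_url)}')


def parse_credentials(header: str) -> Optional[Dict[str, str]]:
    """Parse an Authorization header value of the form
    'OpenIDConnect client_id="...", code="..."'.

    Returns the auth-params as a dict (names lower-cased, quoted-strings
    unescaped), or None when the value is not a well-formed instance of
    the scheme. Duplicate parameter names are ambiguous and are rejected.
    """
    scheme, sep, rest = header.strip().partition(" ")
    if not sep or scheme.lower() != SCHEME.lower():  # scheme names are case-insensitive
        return None
    params: Dict[str, str] = {}
    rest = rest.strip()
    pos = 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # strip quotes, unescape
        if name in params:
            return None
        params[name] = value
        pos = m.end()
    return params


def accept_credentials(header: str, expected_client_id: str) -> Tuple[bool, str]:
    """Service-side check before the code is redeemed at the provider.

    Returns (True, code) when the header is well formed and addressed to the
    client_id this service registered, otherwise (False, reason).
    """
    params = parse_credentials(header)
    if params is None:
        return False, "malformed credentials"
    if params.get("client_id") != expected_client_id:
        return False, "client_id does not match this service's registration"
    code = params.get("code", "")
    if not code:
        return False, "missing authorization code"
    return True, code


if __name__ == "__main__":
    print("WWW-Authenticate:", build_challenge("MyService", "1234-5678", "https://provider/authorize"))
    print(accept_credentials('OpenIDConnect client_id="1234-5678", code="AAABAAA..."', "1234-5678"))
```

The parser deliberately returns None rather than a partial dict on any grammar violation, so a service can answer a fresh 401 challenge instead of guessing what the client meant.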

1 Answer

I think you did not know where to look in the first place. Since RFC 7353, authentication schemes in HTTP are subject to the IANA HTTP Authentication Scheme Registry. In said registry, you are going to find the OAuth scheme, which is subject to RFC 5849, section 3.5.1 and looks a lot like what you are looking for. That being said, however, this is for OAuth 1.0. OAuth 2.0 resorts to the Basic (RFC 6749) and Bearer (RFC 6750) schemes.

This in its entirety is concerning authorization (via OAuth). OpenID's realm is authentication, though. You may want to look at "What's the difference between OpenID and OAuth?"

DaSourcerer
  • Thanks. Since OpenID Connect is based on OAuth 2.0, I suppose that an OAuth 1.0 scheme would be inappropriate to use for my purpose. I think `Bearer` is inappropriate for two reasons: (1) it is for OAuth 2.0 access tokens, whereas what I need in the end is an id_token (as you pointed out, I am interested in authentication rather than authorization); and (2) I need to send an authorization code, not a token. I am effectively looking for a scheme that can be used to transfer an authorization code from a User Agent to a Confidential Client, as described in the OIDC Core spec. – Ulrik Rasmussen Feb 15 '17 at 15:39
  • But anyway, since the registry you linked to does not contain anything appropriate for my exact use case, I guess the answer is that no standard scheme has been defined. – Ulrik Rasmussen Feb 15 '17 at 15:42
  • @UlrikRasmussen Perhaps [this guide](http://openid.net/specs/openid-connect-basic-1_0.html) is of help to you? (Note [this part](http://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest)) But you are right: There is no auth scheme specifically reserved for OpenID Connect. – DaSourcerer Feb 15 '17 at 20:04
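Added example (not written by either participant): the part of the flow the comments settle on, namely the confidential client redeeming the authorization code with HTTP Basic client authentication as in the Token Request section of the OpenID Connect Basic Client guide linked above, and the checks the same guide requires on the returned ID Token before the service treats the user as authenticated. The token endpoint `https://provider/token`, the issuer `https://provider`, the redirect URI and the client secret are constructed values; `make_sample_id_token` stands in for the provider so the example runs offline. Signature verification uses HS256 keyed with the client secret, one of the options the guide permits for confidential clients.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple
from urllib.parse import urlencode

# client_id from the question; the remaining values are constructed for this example
CLIENT_ID = "1234-5678"
CLIENT_SECRET = "example-client-secret"          # constructed
TOKEN_ENDPOINT = "https://provider/token"        # assumed endpoint of the question's provider
ISSUER = "https://provider"                      # assumed issuer identifier
REDIRECT_URI = "https://myservice.example/cb"    # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_token_request(code: str) -> Tuple[str, Dict[str, str], str]:
    """Token request per RFC 6749 section 4.1.3, client authenticated with
    HTTP Basic per RFC 6749 section 2.3.1 (the OIDC Basic Client guide's
    Token Request). Returns (url, headers, body); the TLS POST itself is
    left to the caller."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return TOKEN_ENDPOINT, headers, body


def make_sample_id_token(claims: Dict[str, Any]) -> str:
    """Constructed stand-in for the provider minting an HS256 ID Token with
    the client secret as key; only here so the example runs offline."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def validate_id_token(id_token: str, expected_nonce: str, now: Optional[float] = None) -> Dict[str, Any]:
    """ID Token validation per OpenID Connect Basic Client 1.0 section 2.2.1:
    signature, iss, aud (and azp when there are several audiences), exp and
    nonce. Raises ValueError on any failure and returns the claims otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, sig_b64 = id_token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # includes binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("id_token is not a well-formed compact JWS")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("id_token header or payload is not a JSON object")
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none' or an unexpected alg
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature check failed")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("aud does not contain our client_id")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not our client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    print(build_token_request("AAABAAA..."))
    tok = make_sample_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                                "exp": int(time.time()) + 300, "iat": int(time.time()), "nonce": "n-1"})
    print(validate_id_token(tok, "n-1")["sub"])
```

The nonce check is what ties the ID Token back to the authorization request the service itself initiated, so the service has to store the nonce it sent alongside whatever state it keeps for the pending login and compare it here; an ID Token that passes signature and issuer checks but carries a different nonce was minted for some other request and must not create a session.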