DuendeSoftware / Support

Support for Duende Software products

Can I be logged into the OP, and have it send the token direct to the RP? #1366

Open DanielNewmanUK opened 1 month ago

DanielNewmanUK commented 1 month ago

This is clearly a question on the fundamentals of OIDC, and not so much your software. However, I'm hoping you can help.

As the title states, I want to send either a token to the RP and have it validate the token, or I want to send a command to the RP so it knows which OP to use.

The use-case in question would be for an RP having multiple OIDC OPs configured. I want my user to be already logged into the OP, and for them to navigate to the RP and be authorized. I don't want the user to initiate an OIDC token request from within the RP. Can this be automated in some way?

All documentation states that it's the RP which initiates the process. I wish for the OP to initiate the process, as you can from an SSO IdP.

Many thanks

RolandGuijt commented 3 weeks ago

OIDC is designed around the principle that the RP initiates a token request. For what you are referring to as "SSO IdP" this also is the case. It's just a normal OP with multiple RPs configured. When RP A initiates user authentication, a session cookie is set, which is then recognized when RP B authenticates in the same browser, skipping login. But the RP still initiates the process.

Multiple OPs per RP aren't directly supported. But OPs can be a federation gateway and have external identity providers configured. Determining the best IdP for the user is called Home Realm Discovery. Users could be given the choice where to login (OP local account or external IdP) on the login screen, for example. Or if the requirement is that certain RPs should always use a specific IdP (users don't get to choose), this can be done using the idp parameter on acr_values. We have a doc page on that here with more possibilities to do Home Realm Discovery.

DanielNewmanUK commented 2 weeks ago

Thank you for the response @RolandGuijt. Unfortunately, I didn't receive a notification, so I've just seen this.

I can see from the OIDC Authorization Code Flow that the RP initiates the auth request, the OP authenticates the user and authorizes the request, and responds back to the RP with an Authorization Code. It is this Authorization Code that I wish to send direct to the RP without the initial request from it. Is this possible?

If not, is there a way to send a request to the RP from the OP with a hint as to which OP it should send its auth request to? I realise this isn't best practice, and I will read the Home Realm Discovery link you provided.

Many thanks.

DanielNewmanUK commented 2 weeks ago

I've just seen within the Federation gateway link that "the client application can give a hint to the gateway via a custom protocol parameter or IdentityServer's built-in support for the idp parameter on acr_values." This sounds perfect. I will investigate this option.

AndersAbel commented 1 week ago

OpenID Connect requires all login flows to be initiated from the client (RP) to be able to implement proper cross-site request forgery protection on the login flow. To give the user the experience of an IdP-initiated flow, there is a section in the OIDC spec that describes how an OpenID Provider can redirect to a client and instruct the client to initiate the login flow, see https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
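The pattern AndersAbel points to, as an added example that is not from this thread or from Duende's code: a minimal RP-side handler for the Third-Party Initiated Login endpoint that turns the OP's `iss` / `login_hint` / `target_link_uri` hint into an ordinary RP-initiated authorization request with its own `state` and `nonce`, adds the `acr_values` idp hint Roland described for a federation gateway, and rejects callbacks carrying a `state` it never issued. All hostnames, the client id and the idp name are constructed assumptions, and an in-memory dict stands in for the user's session store.

```python
import secrets
from urllib.parse import urlencode, urlsplit

RP_ORIGIN = "https://rp.example"  # constructed RP origin
RP_REDIRECT_URI = RP_ORIGIN + "/signin-oidc"
CLIENT_ID = "rp-client"  # constructed client id registered at each OP

# OPs this RP trusts (constructed). Only a listed iss may trigger a login, and
# the login is still performed as an ordinary RP-initiated authorization request.
TRUSTED_OPS = {
    "https://gateway.example": {
        "authorize": "https://gateway.example/connect/authorize",
        "idp_hint": "corp-saml",  # federation gateway: upstream IdP to select
    },
    "https://op2.example": {"authorize": "https://op2.example/connect/authorize"},
}

pending = {}  # state -> login context; stands in for the user's session store

def initiate_login(params):
    """GET <initiate_login_uri>?iss=...&login_hint=...&target_link_uri=...
    Returns the authorization URL the browser should be redirected to."""
    op = TRUSTED_OPS.get(params.get("iss"))
    if op is None:
        raise ValueError("iss is not a trusted OP")
    target = params.get("target_link_uri", RP_ORIGIN + "/")
    t = urlsplit(target)
    if f"{t.scheme}://{t.netloc}" != RP_ORIGIN:  # else this is an open redirector
        raise ValueError("target_link_uri must be on the RP origin")
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    pending[state] = {"nonce": nonce, "return_to": target, "iss": params["iss"]}
    q = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile",
         "redirect_uri": RP_REDIRECT_URI, "state": state, "nonce": nonce}
    if "login_hint" in params:
        q["login_hint"] = params["login_hint"]
    if "idp_hint" in op:  # Home Realm Discovery hint for the gateway
        q["acr_values"] = "idp:" + op["idp_hint"]
    return op["authorize"] + "?" + urlencode(q)

def callback(params):
    """Authorization response at redirect_uri. A state we did not issue is
    rejected (CSRF); the iss, if present, must match the OP we started with."""
    entry = pending.pop(params.get("state", ""), None)
    if entry is None:
        raise ValueError("unknown state")
    if "iss" in params and params["iss"] != entry["iss"]:
        raise ValueError("issuer mismatch")
    return {"code": params["code"], "nonce": entry["nonce"], "return_to": entry["return_to"]}
```

The authorization code is still delivered only in response to a request the RP itself built, so the OP never "sends the code directly" and the RP's state check keeps working.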

RolandGuijt commented 3 days ago

@DanielNewmanUK Did the information we gave you answer your questions? If so I would like to close the issue.