Open randomstuff opened 4 months ago
The approach we took (which is malleable, as we want to build a simple and reusable flow with the least assumptions), is to have the least amount of burden on both the client (requesting application) and the RS AS. In doing that, step 3 is fine because right now clients already are registered with the RS AS to request tokens directly and facilitate SSO flows. We wanted to lean into that by shifting as much of the burden to the identity provider, especially since the identity provider has all of the information about the user/organization and their relationships.
I do like the simplicity of the proposed modified scenario and I think we should continue hammering out details to see if this kind of approach could work.
I think we also agree that front loading the client_id
and resource
identifiers for mapping on the identity provider is not ideal. Unfortunately, I also believe requiring the IdP to register a client on every RS AS to do a new on-behalf exchange is not ideal either, especially since that is technically 3rd party to the existing client and AS oAuth registration/trust relationship.
So I've been thinking (more/better) about my modified scenario. Some drawbacks are:
If all AS responsibilities required for a typical OAuth consent flow were shifted to the IdP, then the IdP would become the AS for an intents and purposes, and then the Client would just make a typical request for an access token. No other steps would be needed. This spec is intended to leverage the common scenario where OAuth relationships exist and the AS may be independent of the IdP.
However, I agree it makes sense to think about where changes can be made for the scenario where the relationship might not already exist, so very much appreciate this comment.
For this point:
the client does not need to know that the RS is associated with another domain;
I am not sure I understand if this is true, because the client needs to make the resource request regardless from the RS.
The scenario described works as follows:
A downside of this approach is that in step 3, the client must be registered on the AS.
Why wouldn't/couldn't the AS take care of step 3?
This would make the process simpler for the client:
The fact that the RS is in another domain would be transparent for the client. You could have one deployment where the RS in in the same domain and another deployment where is is in another domain without having to change the client logic.
Modified scenario:
One downside is that from the point of view, the token are issued to the IdP but surely this can be worked-around with some extension.