mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Chain tokens from third party idps. #1524

Open DimaSol opened 4 years ago

DimaSol commented 4 years ago

Hi,

I'm using mitreid-connect as an internal idp. One of the required features is to allow users to authenticate via 3rd party idps like Azure while still creating an internal token after the authentication (chained with the original one).

From what I've understood I need to add the client library to my local mitreid implementation and redirect to /openid_connect_login with an iss parameter pointing to the 3rd party idp.

The login via 3rd party works perfectly fine, but I don't see how I can transparently support the authorization code flow, and I'm not sure if it is supported in mitreid today or requires some development (I'm willing to contribute code if required). I.e. when the user is redirected via /openid_connect_login to the 3rd party login page and authenticated, I want mitreid to return the 3rd party code to the SP (e.g. API gateway), which will call the mitreid /token endpoint; that call will be internally delegated to the 3rd party /token endpoint, get the user info & access token, and create a new internal chained token on top of them.

In other words, it should behave kind of like a proxy when authenticating via 3rd party idps. I'm aware of the token-exchange grant type (which is not yet implemented in mitreid), but as far as I understand it requires an extra call to the /token endpoint from the SP, which I'd like to avoid.

Any direction on how mitreid can be used in such a way, or suggestions for an implementation, would be highly appreciated.