There are three communicating parties in our system:

  • Frontend
  • Service A
  • Service B

plus we have a stand-alone security token service, our identity provider.

An authenticated user interacts with the Frontend, which calls Service A, which in turn calls Service B. The user's access token is passed through this pipeline using "poor man's identity delegation". Service A and Service B authorize (or do not authorize) the user's actions based on the claims in the passed identity. Everybody is happy!

But now I have run into a situation where Service A has no user context during an operation. It happens:

  • during startup
  • when Service A processes a message from the message bus
  • when a timer fires

In each of these cases Service A needs to call Service B to obtain some data, but it receives a 401, because no access token is passed to Service B.

Are there any best practices for how to handle such a situation? The only idea I have in my head now is to register a 'System' user (possibly one user per Service A, Service B, Service C etc.) in our identity provider, obtain an access token for this user and use it in the cases described above. But it smells bad to me and I'm looking for alternative ideas.

Any suggestions would be appreciated. Thank you!

Dmitry Naumov

1 Answer

The short answer would be: if you have no one to Act As, then act as yourself.

Even when using "poor man's identity delegation", Service A authenticates at the STS using some sort of mechanism. In the link you posted a certificate is being used. So implement a new way of getting a token. You already have a method which gets an ActAs token, so now you need to implement a method that will get a user token (for Service A).

Your STS should already know this "system" user because it is allowing him to request ActAs tokens. You just need to assign some claims to the system user that will define what it can do even when it is not acting on behalf of any user.

pepo
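
The "act as yourself" approach from the answer, as an added example that is not code from the question or the answer: Service B verifies whatever token it receives and decides purely on the claims inside it, so a forwarded user token and Service A's own service token are handled by the same check, and a call with no token at all gets the 401 the question describes. The symmetric STS signing key, the token format, the subject names and the claim names are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed shared secret standing in for the STS signing key (assumption:
# a symmetric key; the real STS in the question signs with a certificate).
STS_KEY = b"constructed-sts-signing-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(subject: str, claims: set, ttl: int = 300) -> str:
    """STS side: mint a signed token for a user principal or a service principal."""
    payload = {"sub": subject, "claims": sorted(claims), "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: Optional[str]) -> Optional[dict]:
    """Service B side: return the payload only if signature and expiry check out."""
    if not token or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = _b64(hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return payload if payload["exp"] > time.time() else None

def service_b_authorize(token: Optional[str], required_claim: str) -> int:
    """Service B's decision as an HTTP status: 401 no/invalid token, 403 claim missing, 200 ok."""
    payload = verify_token(token)
    if payload is None:
        return 401          # the symptom from the question: no token at all
    return 200 if required_claim in payload["claims"] else 403

# Case 1: user request flows Frontend -> Service A -> Service B with the user's token forwarded.
user_token = issue_token("alice", {"orders:read"})
# Case 2: Service A runs on a timer with no user context and presents its own service token;
# the STS has assigned the service principal only the claims its background work needs.
service_a_token = issue_token("svc-service-a", {"orders:read"})
# Case 3: a service principal that was never granted the claim is refused, not 401 but 403.
service_c_token = issue_token("svc-service-c", {"health:read"})
```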