1

My situation is this. I have a legacy Angular application which calls a Node API server. This Node server currently exposes a /login endpoint to which I pass a user/pwd from my Angular SPA. The Node server queries a local Active Directory instance (not ADFS) and if the user authenticates, it uses roles and privileges stored on the application database (not AD) to build a jwt containing this user's claims. The Angular application (there are actually 2) can then use the token contents to suppress menu options/views based on a user's permissions. On calling the API the right to use that endpoint is also evaluated against the passed in token.

We are now looking at moving our source of authentication to an oAuth2.0 provider such that customers can use their own ADFS or other identity provider. They will however need to retain control of authorization rules within my application itself, as administrators do not typically have access to Active Directory to maintain user rights therein.

I can't seem to find an OIDC pattern/workflow that addresses this use case. I was wondering if I could invoke the /authorize endpoint from my clients, but then pass the returned code into my existing Node server to invoke the /token endpoint. If that call was successful within Node then I thought I could keep building my custom JWT as I am now using a mix of information from my oAuth2 token/userinfo and the application database. I'm happy for my existing mechanisms to take care of token refreshes and revoking.

I think I'm making things harder by wanting to know my specific application claims within my client applications so that I can hide menu options. If it were just a case of protecting the API when called I'm guessing I could just do a lookup of permissions by sub every time a protected API was called.

I'm spooked that I can't find any posts of anyone doing anything similar. Am I missing the point of OIDC(to which I am very new!).

Thanks in advance...

royneedshelp
  • 97
  • 1
  • 9

2 Answers2

1

Good question, because pretty much all real world authorization is based on domain specific claims, and this is often not explained well. The following notes describe the main behaviors to aim for, regardless of your provider. The Curity articles on scopes and claims provide further background on designing your authorization.

CONFIDENTIAL TOKENS

UIs can read claims from ID tokens, but should not read access tokens. Also, tokens returned to UIs should not contain sensitive data such as names, emails. There are two ways to keep tokens confidential:

  • The ID token should be a JWT with only a subject claim
  • The access token should be a JWT with only a subject claim, or should be an opaque token that is introspected

GETTING DOMAIN SPECIFIC CLAIMS IN UIs

How does a UI get the domain specific data it needs? The logical answer here is to send the access token to an API and get back one or both of these types of information:

  • Identity information from the token
  • Domain specific data that the API looks up

GETTING DOMAIN SPECIFIC CLAIMS IN APIs

How does an API get the domain specific data it needs from a JWT containing only a UUID subject claim? There are two options here:

  • The Authorization Server (AS) reaches out to domain specific data at the time of token issuance, to include custom claims in access tokens. The AS then stores the JWT and returns an opaque access token to the UI.

  • The API looks up domain specific claims when an access token is first received, and forms a Claims Principal consisting of both identity data and domain specific data. See my Node.js API code for an example.

MAPPING IDENTITY DATA TO BUSINESS DATA

At Curity we have a recent article on this topic that may also be useful to you for your migration. This will help you to design tokens and plan end-to-end flows so that the correct claims are made available to your APIs and UIs.

EXTERNAL IDENTITY PROVIDERS

These do not affect the architecture at all. Your UIs always redirect to the AS using OIDC, and the AS manages connections to the IDPs. The tokens issued to your applications are fully determined by the AS, regardless of whether the IDP used SAML etc.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
  • I realise there's no straightforward answer to this but the links above have really helped me on my way and exposed a number of concepts I needed to grasp to come up with architecture. Many thanks for the detailed response. Marking as answer. – royneedshelp Jan 13 '22 at 16:37
0

You'll only get authentication from your OAuth provider. You'll have to manage authorization yourself. You won't be able to rely on OIDC in the SAML response or userinfo unless you can hook into the authentication process to inject the values you need. (AWS has a pre-token-gen hook that you can add custom claims to your SAML response.)

If I understand your current process correctly, you'll have to move the data you get from /userinfo to your application's database and provide a way for admins to manage those permissions.

I'm not sure this answer gives you enough information to figure out how to accomplish what you want. If you could let us know what frameworks and infrastructure you use, we might be able to point you to some specific tools that can help.

kevintechie
  • 1,441
  • 1
  • 13
  • 15
  • Thanks for your reply and offer of assistance. I'm focussing on understanding a bit more about the fundamental concepts I'm dealing with before I take this any further. – royneedshelp Jan 13 '22 at 16:39