
I've asked this question about doing a similar thing with SAML tokens. I only point to this question so you understand what I am looking for. In simple words - WebAPI-to-WebAPI authentication. Something like this

Here I am trying to achieve the same thing with OpenID Connect. Bottom line, I want to supply the credentials to the OpenID authentication server and retrieve a token, which I can then parse and get claims out of it. All in code.

I see a lot of this kind of stuff:

https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=424911365001.apps.googleusercontent.com&
  scope=openid%20email&
  redirect_uri=https%3A//oauth2.example.com/code&
  state=security_token%3D138r5719ru3e1%26url%3Dhttps%3A%2F%2Foauth2-login-demo.example.com%2FmyHome&
  login_hint=jsmith@example.com&
  nonce=0394852-3190485-2490358&
  hd=example.com

But I am not getting how to log on any given user programmatically?

T.S.

1 Answer


There's a different flow, called the client credentials flow, that allows one service to get a token to use against an API. But this is only supposed to be used for machine-to-machine communication, and in this flow there is no user involved.

https://identity.tn-data.se/authorize?grant_type=client_credentials
&client_id=1234567
&client_secret=XXXXXXX
&scope=payment.readonly
Tore Nestenius
  • Thank you. I am going to try. So, you're saying that there is no API to which I can supply client credentials? Like I do in OKTA SAML? Do you know by chance if OKTA supports this? (although this part I can research). I was hoping for a more general solution. – T.S. Sep 18 '22 at 17:50
  • Your users usually need to consent to the scopes that the client requests access to. Also, one of the goals of OAuth/OpenID Connect is that the client never wants to or should see the user's username/password. If you store user credentials in the client, then you are on the wrong path. – Tore Nestenius Sep 18 '22 at 18:22
  • Also, what do you mean by client credentials? Do you mean the username/password of a user, or clientID and ClientSecret? – Tore Nestenius Sep 18 '22 at 18:23
  • I mean username/password. *"If you store user credentials in the client, then you are on the wrong path."* - I am not storing it but rather passing it to the next service. In our case the users are our domain users and not some outside people. But you have a great point here. This is something that currently works in OKTA/SAML. I need to check if OKTA/OpenID has a similar API. But if OKTA does but other OpenID providers don't, it defeats the purpose. Although we will have this option for OKTA. – T.S. Sep 19 '22 at 00:42
  • Today, in 2022, it is in general a bad idea to pass usernames/passwords across systems. Better to have a credential between the services and then pass the userID as a parameter across the services, not their passwords. – Tore Nestenius Sep 19 '22 at 06:56
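The client credentials flow the answer points to, carried through in code, plus the "parse and get claims out of it" step from the question. This is an added example, not code from the question, the answer or any provider; it assumes a hypothetical token endpoint (`https://idp.example.com/connect/token`), constructed credentials and a constructed sample token, and follows RFC 6749 section 4.4, where the grant is a POST to the token endpoint rather than a GET to `/authorize`.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://idp.example.com/connect/token"  # hypothetical, not a real IdP

def build_token_request(client_id, client_secret, scope):
    """RFC 6749 sec. 4.4: client credentials grant = POST to the *token* endpoint.
    The secret goes in an Authorization: Basic header, never in the query string,
    where it would end up in proxy and web-server access logs."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"})

def fetch_access_token(client_id, client_secret, scope):
    """The only function here that touches the network."""
    with urllib.request.urlopen(build_token_request(client_id, client_secret, scope), timeout=10) as r:
        return json.load(r)["access_token"]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(claims, alg="RS256"):
    """Constructed token in JWT shape with a dummy signature, for offline testing only."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"

def read_claims(jwt, expected_iss, expected_aud, now=None):
    """Extracts claims from a JWT access token and checks alg, iss, aud and exp.
    It does NOT verify the signature: the receiving API must do that against the
    issuer's JWKS (e.g. with PyJWT or jwcrypto) before trusting any claim."""
    header_b64, payload_b64, _signature = jwt.split(".")
    if json.loads(_unb64url(header_b64)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned token rejected")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims
```

The token carries the calling service's identity (`client_id`) and scopes, not a user; as the comments say, the user is then passed along as an ordinary parameter rather than as a password.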