Embedded OAuth2 app - parent application auto sign-in
Our application is authenticated using OAuth2/OIDC by an implementation of IdentityServer4.
Normally, users sign in via implicit flow, through the browser.
We would like third-party applications to be able to embed ours, and thus must be able to sign in silently to ours. We cannot rely on the third-party application using OAuth for its own authentication; SSO is not an option.
What I intend to do is assign each third-party client a Client ID and secret. The third-party app would request an access token (on the server-side channel) using these client credentials and an additional user ID claim to be embedded in the token. This access token could then be included in the implicit flow login request. If present, normal implicit flow would be skipped, and it would authenticate using the user id in the token.
Is this a valid means of achieving silent authentication from a third-party application? Is there another flow which I should use to achieve this?
I am aware that questions regarding impersonation (if that is what this is) have been asked before (such as IdentityServer4 - How to Implement Impersonation).
However, I seek clarification that my approach above is right/wrong.
Many thanks in advance.
oauth-2.0 identityserver4 oidc
asked Nov 20 at 15:26
Paul Guz
7119