authn on RP with ID token? #973
Replies: 3 comments 2 replies
-
you can use |
-
Oh yes, I forgot to mention I have already tested this setting: |
-
I removed a big claim so that it no longer appears in the user info endpoint. |
-
I'm wondering:
After successful auth to the OP, the end-user passes the authorization code to the RP.
The RP retrieves an ID token and an access token from the OP.
Finally, the RP gives the end-user a session cookie to perform further calls to it, without needing to go through the full OIDC flow again.
In an Apache multi-instance setup, this cookie must be cached server-side and shared via Memcache or Redis.
But in a large environment, we can have hundreds or thousands of vhosts/websites on multiple hosts. This was not a problem with "legacy" basic auth, like the authnz_ldap module, which doesn't require a shared cache.
So does migrating legacy authn/authz to OIDC require setting up a shared cache for each website? If yes, it's a tedious process!
My question is:
Is it possible to authenticate users to the RP with the ID token? If yes, how can the auth_openid module pass the ID token to the end-user/browser?
The advantage of using the OIDC ID token instead of the Apache internal session cookie is obvious to me:
But maybe I'm wrong with ID token usage. If someone could clarify... thanks.