Trust-Based Identity Sharing For Token Grants
Kavindu Dodanduwa, Ishara Kaluthanthri

TL;DR
This paper introduces a client-centric extension to OpenID Connect that enables secure identity sharing across different identity providers, simplifying access to resources in multi-domain environments.
Contribution
It proposes a novel extension to OpenID Connect allowing clients to exchange identity information with trusted providers, reducing the need for multiple identity store integrations.
Findings
Enables cross-domain resource access with a single token
Reduces complexity of managing multiple identity providers
Maintains security and trust in identity exchanges
Abstract
Authentication and authorization are two key elements of a software application. Today, the OAuth 2.0 framework and the OpenID Connect protocol are widely adopted standards that fulfil these requirements. These protocols are implemented in authorization servers. It is common to call these authorization servers identity servers or identity providers, since they hold user identity information. Applications registered with an identity provider can use OpenID Connect to retrieve an ID token for authentication. The access token obtained along with the ID token allows the application to consume OAuth 2.0 protected resources. In this approach, the client application is bound to a single identity provider. If the client needs to consume a protected resource from a different domain, which only accepts tokens from a defined identity provider, then the client must again follow the OpenID Connect protocol to…
Taxonomy
Topics: Access Control and Trust · Cloud Data Security Solutions · Web Application Security Vulnerabilities
