'Lookup resource servers with OpenID Connect / OAuth2

We are planning to use OpenID Connect / OAuth2 to handle access to a list of resource servers.

We want to use JWT as access token when a user is going to call one of the resource servers. The access token will be issued by an auth server in our landscape according to OpenId Connect / OAuth2 standards. Access will be granted or rejected to the calling user based on the JWT access token.

The standards are new for us so we are still reading and understanding.

We are currently searching for an option to do a lookup of the resource servers with a call to auth server. We would like to use it in order to simplify the clients.

Is there any option available in OpenId Connect / OAuth2 to help clients finding the available resource server? Is there any endpoint available in auth server to do that? Or can the answer with the JWT be enhanced to return the list of the resource servers?

Thanks in advance Thorsten

oauth-2.0openid-connect


Solution 1:[1]

With the use of JWT, there is no need to go for one extra validation from the authorization server. Token & its claims should be enough to validate the access rights. You can customized the token claims as per the needs.

Solution 2:[2]

An Authorization Server does not know the list of APIs, since APIs are not usually registered as clients. There are some related concepts though. The IAM Primer article has a good overview on how these concepts fit together.

  • Each API covers an area of data and this maps neatly to the OAuth Scopes included in access tokens.

  • Each API has an audience, such as api.mycompany.com, which maps to the aud claim in an access token. This can enable related APIs to forward the same access token to each other and securely maintain the original caller's identity.

  • An API gateway is usually hosted in front of APIs, as a hosting best practice. This enables clients to use a single, easy to manage, API base URL, such as https://api.mycompany.com, followed by a logical path.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 harry
Solution 2 Gary Archer

Related Questions

No authentication handler is registered for the scheme 'Cookies'. The registered schemes are: Application, Bearer, ASOS

What is the best approach to logout from keycloak after authentication via pkce?

How do I validate a JWT using JwtSecurityTokenHandler and a JWKS endpoint?

Change the preferred_username in token for client credential grant flow

ASP.NET Web API and OpenID Connect: how to get Access Token from Authorization Code

What are the default Lifetime values for openiddict tokens

Web API with Microsoft Identity Platform Authentication

RFC - Adding Group Claims from OKTA to Role Claims in .net Framework Using OIDC

Blazor WebAssembly Hosted on IIS - only API is working

OpenIdConnectProtocolValidator - nonce error

Logout from Keycloak does not logout Active Directory User

OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

How to configure Keycloak to work with Guacamole's OpenID plugin?

Web App SPA & OIDC: How to properly authenticate before accessing the front?

Null Reference Exception when calling GraphServiceClient from a .net core Razor application that uses OpenIdConnect