By: Nils Buntenbeck user 10 Mar 2020 at 3:27 a.m. CDT

6 Responses
Nils Buntenbeck gravatar
Hi there, I need to implement some form of delegation using Gluu and I wonder what would be the best way to achieve it. The problem is best described here: https://www.scottbrady91.com/OAuth/Delegation-Patterns-for-OAuth-20 We need something like a custom delegation grant like identityserver provides it or (because standards) the token-exchange mechanism as described here: https://tools.ietf.org/html/rfc8693 So far I have not found any path to solve this, probably I need to edit/create a custom script? But which one? And in what way? Thank you in advance for helping me to find the solution to this :-) Best regards, Nils

By Michael Schwartz staff 10 Mar 2020 at 10:31 a.m. CDT

Michael Schwartz gravatar
That's not quite enough information to figure out what you're trying to do. I'm closing this issue because I can't assign it as is. Add more details, and we can re-open it and assign it if necessary.

By Nils Buntenbeck user 10 Mar 2020 at 11 a.m. CDT

Nils Buntenbeck gravatar
Hi Mike, we talked about this problem briefly when we met in Vienna. I need to realize this situation: https://www.scottbrady91.com/img/oauth/full-delegation.png Client accesses API1 with sub=alice. API1 then needs to access API2 to fulfill the request but on behalf of alice. how can I pass this information to API2? I could use Poor Man's Delegation, but that would be dirty and might have serious security flaws as API1 might get more scopes than it actually needs. Using Client Credentials grant would have me lose the information that API1 acts on behalf of alice. So what is the gluu-way to achieve this? Is this solvable using UMA? Or do I need to hook a script into the process? If so: where? Sorry, I could not explain it in a better way! Thanks in advance :-) Nils

By Michael Schwartz staff 10 Mar 2020 at 11:34 a.m. CDT

Michael Schwartz gravatar
How are you controlling access to API2? Using an API Gateway that filters on scope? Or is API2 introspecting the token?

By Nils Buntenbeck user 10 Mar 2020 at 11:52 a.m. CDT

Nils Buntenbeck gravatar
API2 is introspecting the token. So far we have not planned an API gateway.

By Michael Schwartz staff 10 Mar 2020 at 12:01 p.m. CDT

Michael Schwartz gravatar
Here's a possible solution: 1. Require client authentication for the token introspection API (this is a JSON property for oxAuth) 2. In the introspection script, filter the scope (or other claims) based on the client_id Note: you'll have two access tokens here: one that was sent in the Authorization Header, and another that was sent in the payload (for introspection). Here's an [example](https://github.com/nynymike/api-demo/blob/master/gluu_server_introspection_script.py) of filtering the scopes for a demo I'm working on:

By Nils Buntenbeck user 10 Mar 2020 at 12:09 p.m. CDT

Nils Buntenbeck gravatar
Thank you, Mike :-) I'll dig into that and let you know how far I got with this! Best regards, Nils