Trust-Based Identity Sharing For Token Grants

Published 29 Jul 2018 in cs.CR | (1807.11052v3)

Abstract: Authentication and authorization are two key elements of a software application. Today, the OAuth 2.0 framework and the OpenID Connect protocol are the widely adopted standards that fulfil these requirements. Both are implemented by authorization servers, which are commonly called identity servers or identity providers because they hold user identity information. An application registered with an identity provider can use OpenID Connect to obtain an ID token for authentication; the access token issued alongside the ID token lets the application consume OAuth 2.0 protected resources. In this approach the client application is bound to a single identity provider. If the client needs to consume a protected resource in a different domain that accepts only tokens issued by a particular identity provider, the client must run the OpenID Connect protocol again to obtain new tokens, which requires the user's identity details to be stored in that second identity provider as well. This paper proposes an extension to the OpenID Connect protocol to overcome this issue: a client-centric mechanism that exchanges identity information, presented as a token grant, with a trusted identity provider. Once the grant is accepted, the resulting token response contains an access token that is sufficient to access protected resources in the token-issuing identity provider's domain.
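The exchange the abstract describes, as an added illustration that is not the paper's own code or protocol specification: two identity providers, and a client that authenticates at the first (idp-a) and then presents the resulting ID token to the second (idp-b) as a grant, receiving an access token for idp-b's domain without the user ever being provisioned there. The grant_type URN, the claim names checked, the subject-namespacing rule, the client registration model and the use of HS256 with a per-issuer key shared between trusting parties are all assumptions made for this example; the paper's extension may define them differently.

```python
"""Illustrative cross-IdP token grant (added example, not the paper's code).

idp-a holds the user's identity; idp-b guards a resource server in its own
domain and lists idp-a as a trusted issuer.  The client obtains an OIDC ID
token from idp-a, then sends it to idp-b's token endpoint as a grant.  idp-b
selects the verification key from its own trust list (never from the token),
verifies the ID token and issues an access token for its own domain.
Tokens are HS256 JWTs under a per-issuer key shared with trusting parties
(a simplification); real deployments use RS256/ES256 verified via the
issuer's published JWKS.  All keys and identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed grant_type identifier for the extension; the paper does not fix one here.
ID_TOKEN_GRANT = "urn:example:params:oauth:grant-type:id_token"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialised JWS (HS256) over a JSON claim set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def peek_issuer(token: str) -> str:
    """Read 'iss' WITHOUT verifying; used only to pick a key from the trust list."""
    return json.loads(_b64url_decode(token.split(".")[1]))["iss"]


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Verify alg, signature (constant-time) and validity window; return claims."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if not (claims["iat"] - 60 <= now < claims["exp"]):   # 60 s clock skew allowance
        raise ValueError("token not valid at this time")
    return claims


class IdentityProvider:
    def __init__(self, issuer: str, key: bytes, clients: set, trusted: dict):
        self.issuer = issuer
        self.key = key
        self.clients = clients   # client_ids registered with this IdP
        self.trusted = trusted   # trusted issuer -> verification key

    def authorize(self, subject: str, client_id: str, now: float) -> dict:
        """Ordinary OIDC outcome: ID token for the client plus an access token for this domain."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        id_token = sign_jwt({"iss": self.issuer, "sub": subject, "aud": client_id,
                             "iat": now, "exp": now + 300}, self.key)
        access = sign_jwt({"iss": self.issuer, "sub": subject, "aud": f"{self.issuer}/api",
                           "iat": now, "exp": now + 3600}, self.key)
        return {"id_token": id_token, "access_token": access, "token_type": "Bearer"}

    def token(self, grant_type: str, assertion: str, client_id: str, now: float) -> dict:
        """Token endpoint extended to accept a trusted IdP's ID token as the grant."""
        if grant_type != ID_TOKEN_GRANT:
            raise ValueError("unsupported_grant_type")
        if client_id not in self.clients:
            raise ValueError("unknown client")
        issuer = peek_issuer(assertion)
        if issuer not in self.trusted:          # the trust decision: reject before any crypto
            raise ValueError("untrusted issuer")
        claims = verify_jwt(assertion, self.trusted[issuer], now)
        if claims["aud"] != client_id:          # an ID token is addressed to the client
            raise ValueError("audience mismatch")
        # Namespace the subject by issuer so identities from different IdPs cannot collide.
        access = sign_jwt({"iss": self.issuer, "sub": f"{issuer}#{claims['sub']}",
                           "aud": f"{self.issuer}/api", "iat": now, "exp": now + 3600}, self.key)
        return {"access_token": access, "token_type": "Bearer"}


KEY_A, KEY_B = b"demo-key-of-idp-a", b"demo-key-of-idp-b"   # constructed demo secrets
IDP_A = IdentityProvider("https://idp-a.example", KEY_A, {"app1"}, trusted={})
IDP_B = IdentityProvider("https://idp-b.example", KEY_B, {"app1"},
                         trusted={"https://idp-a.example": KEY_A})


def cross_domain_access(subject="alice", now=None) -> dict:
    """Full flow: authenticate at A, trade A's ID token for an access token at B."""
    now = time.time() if now is None else now
    at_a = IDP_A.authorize(subject, "app1", now)
    at_b = IDP_B.token(ID_TOKEN_GRANT, at_a["id_token"], "app1", now)
    # A resource server in B's domain verifies B's access token as it always did.
    return verify_jwt(at_b["access_token"], KEY_B, now)


if __name__ == "__main__":
    print(cross_domain_access())
```

The security-relevant detail is the order of checks at idp-b: the unverified `iss` is used only to look up a key in idp-b's own trust list, the token is rejected outright if the issuer is not listed, and nothing in the token is trusted until the signature and validity window check out. A production implementation would additionally verify `nonce`/`jti` to prevent an intercepted ID token being replayed as a grant, and would pin the accepted `alg` to the asymmetric algorithm published in the trusted issuer's metadata.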

Citations (2)
