Skip to content

Commit

Permalink
Clarify resource server as client (#118)
Browse files Browse the repository at this point in the history 
* Clarify resource server as client

Modified diagram and added additional text to describe the resource server acting as a client.

* Updated based on feedback from Kelley

Related to issue #122
  • Loading branch information
@PieterKas
PieterKas authored Jan 9, 2025
1 parent 6be8a31 commit 9f85675
Showing 1 changed file with 12 additions and 11 deletions.
23 changes: 12 additions & 11 deletions draft-ietf-oauth-identity-chaining.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -306,19 +306,20 @@ This section contains two examples, demonstrating how this specification may be

## Resource server acting as client

Resources servers may act as clients if the following is true:
As part of completing a request, a resource server in Domain A may need to access a resource server in Domain B. This requires the resource server in Domain A to obtain an Access Token from an authorization server in Domain B, which it may then be presented to the resource server in Domain B. A Resource server in Domain B may use the flows described in this specification by assuming the role of a client when attempting to access the resource server in Domain B. Resources servers may act as clients if the following is true:

* Authorization Server B is reachable by the resource server by network and is able to perform the appropriate client authentication (if required).
* The resource server has the ability to determine the authorization server of the protected resource outside its trust domain.
* Authorization Server B is reachable by the resource server and is able to perform the appropriate client authentication (if required).

The flow would look like this:

~~~
+-------------+ +--------+ +-------------+ +---------+
|Authorization| |Resource| |Authorization| |Protected|
|Server | |Server | |Server | |Resource |
|Domain A | |Domain A| |Domain B | |Domain B |
+-------------+ +--------+ +-------------+ +---------+
+-------------+ +---------------+ +-------------+ +---------+
|Authorization| |Resource Server| |Authorization| |Protected|
|Server | |Domain A | |Server | |Resource |
|Domain A | |(acting as | |Domain B | |Domain B |
| | | Client) | | | | |
+-------------+ +---------------+ +-------------+ +---------+
| | | |
| | (A) request protected resource |
| | metadata |
Expand All @@ -331,15 +332,15 @@ The flow would look like this:
| | | |
| (C) <authorization | | |
| grant> | | |
| - - - - - - - - - ->| | |
| - - - - - - - - - >| | |
| | | |
| | (D) present | |
| | authorization | |
| | grant [RFC 7523] | |
| | ------------------->| |
| |-------------------->| |
| | | |
| | (E) <access token> | |
| | <- - - - - - - - - -| |
| |<- - - - - - - - - - | |
| | | |
| | (F) access |
| | --------------------------------->|
Expand All @@ -350,7 +351,7 @@ The flow would look like this:

The flow contains the following steps:

(A) The resource server of domain A needs to access protected resource in Domain B. It requires an access token to do so which it does not possess. In this example {{I-D.ietf-oauth-resource-metadata}} is used to receive information about the authorization server which protects the resource in domain B. This step MAY be skipped if discovery is not needed and other means of discovery MAY be used. The protected resource returns its metadata along with the authorization server information.
(A) The resource server of Domain A needs to access protected resource in Domain B. It requires an access token to do so which it does not possess. In this example {{I-D.ietf-oauth-resource-metadata}} is used to receive information about the authorization server which protects the resource in domain B. This step MAY be skipped if discovery is not needed and other means of discovery MAY be used. The protected resource returns its metadata along with the authorization server information.

(B) Now, after the resource server has identified the authorization server for Domain B, the resource server requests a JWT authorization grant for the authorization server in Domain B from its own authorization server (Domain A). This happens via the token exchange protocol.

Expand Down

0 comments on commit 9f85675

Please sign in to comment.