
OAuth2 with OpenID Connect

I am asking you today because I am at a dead end. I am missing a piece in the logic of OAuth2 and OpenID Connect in Apigee.

I understand that an application requests OpenID Connect to get the profile of the logged-in user, and that OAuth2 offers a way for an application to access a protected resource via an access token.

Now take a scenario where a protected resource needs to verify that the logged-in user is the same one who obtained the authorization token. Is the illustration I have done here good, or am I making things complicated?


From my understanding, what you have missed is the introspection endpoint.

This endpoint is designed for resource servers. It allows them to get details about the access token used by the client. If the access token is active, you will receive claims about it, and especially the `sub` claim that represents the resource owner (i.e. the user in your use case).
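The resource-server side of that check, as an added example that is not part of the original answer: build the RFC 7662 introspection request, then accept the request only if the token is active and its `sub` matches the user the resource belongs to. The endpoint URL, client credentials and sample responses are all assumptions constructed for the example.

```python
"""Resource server verifying token ownership via RFC 7662 token introspection.
Added example; INTROSPECT_URL and the credentials are hypothetical."""
import base64
import json
import urllib.parse
import urllib.request

INTROSPECT_URL = "https://auth.example.com/introspect"  # hypothetical endpoint


def build_introspection_request(token, client_id, client_secret, url=INTROSPECT_URL):
    """POST the token form-encoded; the resource server authenticates itself
    to the authorization server with HTTP Basic credentials (RFC 7662 2.1)."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def check_token_owner(introspection, expected_sub, required_scope=None):
    """Decide from the introspection JSON whether the caller may access a
    resource owned by expected_sub. Only 'active' is guaranteed to be present;
    'sub' and 'scope' are optional, so a missing claim is treated as a denial."""
    if introspection.get("active") is not True:
        return False  # revoked, expired, unknown or malformed token
    if introspection.get("sub") != expected_sub:
        return False  # valid token, but issued on behalf of another user
    if required_scope is not None:
        granted = set(introspection.get("scope", "").split())
        if required_scope not in granted:
            return False  # token lacks the scope this resource requires
    return True


def introspect_and_check(token, expected_sub, client_id, client_secret,
                         opener=urllib.request.urlopen):
    """End-to-end check; 'opener' is injectable so it can be exercised offline."""
    req = build_introspection_request(token, client_id, client_secret)
    with opener(req) as resp:
        introspection = json.load(resp)
    return check_token_owner(introspection, expected_sub)


# Constructed sample responses, not output of a real authorization server.
SAMPLE_ACTIVE = {"active": True, "sub": "user-123",
                 "scope": "openid profile", "client_id": "app-1"}
SAMPLE_INACTIVE = {"active": False}
```

An inactive token yields only `{"active": false}`, so the resource server must never read `sub` before checking `active`.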
