I want to exchange my access token for a second access token I can provide to another resource server.
I am using mod_auth_openidc on the main application to SSO login and get an access token.
It would seem I now need to pass that access token to the back end to conduct an on-behalf-of exchange with the IdP (Entra in this case) to acquire a new access token for a different api://.
However, this means that I now need to configure the backend with a client secret similar to OIDCClientSecret, or an equivalent certificate, to allow the back end to interact with the IdP to do the OBO exchange. This seems a bit counter-intuitive given I am trying to constrain all IdP-related information to the mod_auth_openidc configuration and not require the backend to have matching/companion configuration in the IdP.
Am I correct in this thinking? What has been your experience with OBO token exchanges with mod_auth_openidc?
I was thinking mod_sts might be the ticket (or token ;-)) as it would be configured in the same Apache virtual host configuration as mod_auth_openidc, so there is a natural 1:1 mapping between IdP application configuration and Apache virtual host configuration... alas, mod_sts seems to be for another purpose.
Could this be handled in a similar way to mod_sts by having an Apache module with a vanity URL to do OBO ticket exchanges and pass the result to the backend or frontend?
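For reference, this is the shape of the Entra OBO exchange the backend would have to perform with the token mod_auth_openidc forwards to it; it is an added illustration, not code from mod_auth_openidc or mod_sts. The token endpoint, client id, target api:// scope and the sample tokens are constructed placeholders, and the check on the incoming token's audience is there because Entra only exchanges assertions issued to the middle-tier application itself.

```python
"""Entra on-behalf-of (OBO) request built by a backend behind mod_auth_openidc.
Added example; all identifiers below are placeholders (assumptions)."""
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # middle-tier app (placeholder)
TARGET_SCOPE = "api://downstream-placeholder/.default"  # the other api:// (placeholder)


def incoming_access_token(headers):
    """mod_auth_openidc forwards the session's access token to the backend as the
    OIDC_access_token header (or environment variable, per OIDCPassClaimsAs)."""
    token = headers.get("OIDC_access_token")
    if not token:
        raise LookupError("no access token forwarded by mod_auth_openidc")
    return token


def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying it. Used only to avoid an
    OBO round trip that Entra would reject; the IdP validates the assertion, and
    a resource server must verify signatures against the IdP's JWKS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def build_obo_request(incoming_token, client_secret, scope=TARGET_SCOPE):
    """Return (url, form_body) for the OBO grant. Entra only exchanges tokens whose
    audience is this application, so refuse anything else up front."""
    aud = jwt_claims(incoming_token).get("aud")
    if aud not in (CLIENT_ID, f"api://{CLIENT_ID}"):
        raise ValueError(f"incoming token audience {aud!r} is not this application")
    body = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # the credential the question is about
        "assertion": incoming_token,
        "scope": scope,
    }
    return TOKEN_ENDPOINT, urlencode(body)


def fake_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

The form body is what the backend would POST to the token endpoint; the point for this discussion is that `client_id` and `client_secret` of the middle-tier registration are unavoidable in that request, so the backend must hold an IdP credential of its own.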