Identity Patterns with the WSO2 Identity Server
Access a microservice from a web app protected with SAML 2.0 or OIDC
Problem:
- The business users need to access multiple service providers, supporting SAML 2.0 and OIDC-based authentication.
- Once the user logs into the web app, it needs to access a microservice on behalf of the logged in user.
Solution:
- Deploy WSO2 Identity Server as the Identity Provider and register all the service providers with OIDC or SAML 2.0 as the inbound authenticator.
- Enable the JWT-based access token generator in the WSO2 Identity Server.
- Develop and deploy all the microservices with WSO2 MSF4J.
- If the service provider supports SAML 2.0 based authentication, once the user logs into the web app, exchange the SAML token for an OAuth access token by talking to the /token endpoint of the WSO2 Identity Server, following the SAML 2.0 bearer grant type for OAuth 2.0. This access token itself is a self-contained JWT.
- If the service provider supports OIDC based authentication, once the user logs into the web app, exchange the ID token for an OAuth access token by talking to the /token endpoint of the WSO2 Identity Server, following the JWT bearer grant type for OAuth 2.0. This access token itself is a self-contained JWT.
- To access the microservice, pass the JWT (the access token) as a Bearer token in the HTTP Authorization header over TLS.
- MSF4J validates the access token (the JWT), and the same token is passed on to all downstream microservices.
- More about microservices security: https://medium.com/@prabath/securing-microservices-with-oauth-2-0-jwt-and-xacml-d03770a9a838
- Products: WSO2 Identity Server 5.1.0+, WSO2 MSF4J
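Added example, not code from the slides or from WSO2: it builds the /token request body for the two grant types above and shows the checks a microservice (the MSF4J role) runs on the self-contained JWT before forwarding it downstream. WSO2 Identity Server signs the JWT with the RSA key in its keystore; the shared HMAC secret, issuer and audience here are constructed stand-ins so the example runs offline with the standard library only.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode
# Constructed values: WSO2 IS signs its JWTs with the RSA key in its keystore (RS256) and MSF4J verifies
# with the IS certificate; an HMAC secret stands in so this runs offline. Issuer/audience are assumptions.
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://localhost:9443/oauth2/token"
AUDIENCE = "order-service"
GRANTS = {"saml2": "urn:ietf:params:oauth:grant-type:saml2-bearer",
          "jwt": "urn:ietf:params:oauth:grant-type:jwt-bearer"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_request_body(grant: str, assertion: str) -> str:
    """Form body the web app POSTs to /token: a SAML assertion is base64url-encoded, an ID token is sent as-is."""
    value = b64url(assertion.encode()) if grant == "saml2" else assertion
    return urlencode({"grant_type": GRANTS[grant], "assertion": value})

def mint_jwt(sub: str, now: int, ttl: int = 300) -> str:
    """Stand-in for the self-contained JWT access token that /token returns."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": AUDIENCE, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_bearer(authorization: str, now: int):
    """Microservice-side checks before trusting the Authorization header; returns (claims, None) or (None, reason)."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None, "missing or malformed bearer token"
    h, p, s = token.split(".")
    try:
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # covers JSON errors and binascii.Error
        return None, "undecodable JWT"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    for failed, reason in (
        (header.get("alg") != "HS256", "unexpected alg"),  # pin the algorithm; the token must not choose it
        (not hmac.compare_digest(expected, sig), "bad signature"),
        (claims.get("iss") != ISSUER, "untrusted issuer"),
        (claims.get("aud") != AUDIENCE, "token not issued for this service"),
        (now >= claims.get("exp", 0), "expired"),
    ):
        if failed:
            return None, reason
    return claims, None  # forward the same Authorization header to downstream microservices
```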