-
Notifications
You must be signed in to change notification settings - Fork 0
Client can AuthN End User
The Authentication/Authorization Server (AS) has a trust relationship with a Client such that the Client is able to authenticate an End-User and then request access to resources (and the AS may decide if its own interaction is required).
This use case is relevant when you have a Client capable of strong local auth (like a mobile App that can do a biometric, or a website capable of webauthN) and the Client is not always required to contact the AS for its business purposes (federated authN is then only required for cases the AS determines it is necessary).
The following model is envisioned:
Client to AS: I don't know this end-user, can you AuthN them please? AS to EndUser: auth to me with username/password/otp... EndUser to AS: (credentials) AS to EndUser: Can Client have access to Resources? EndUser to AS: yes. AS to Client: End User Authenticated as "Eugene", here are day 1 access grants Client to EndUser: Eugene, I want to link you to a local auth method EndUser to Client: (credential established).
EndUser to Client: I have returned! Client to EndUser: Can you AuthN? EndUser to Client: (credentials) Client to EndUser: Hello Euguene, let me collect your data Client to AS: I have Authenticated Eugene (proof?) and require access to his resources AS to Client: sure, here are day 2 access grants Client to Eugene: all good...
Related Use Cases:
- Client knows End User