Skip to content

Client can AuthN End User

Jump to bottom Edit New page
Mike Varley edited this page Aug 14, 2020 · 3 revisions

The Authentication/Authorization Server (AS) has a trust relationship with a Client such that the Client is able to authenticate an End-User and then request access to resources (and the AS may decide if its own interaction is required).

This use case is relevant when you have a Client capable of strong local auth (like a mobile App that can do a biometric, or a website capable of webauthN) and the Client is not always required to contact the AS for its business purposes (federated authN is then only required for cases the AS determines it is necessary).

The following model is envisioned:

Day 1

Client to AS: I don't know this end-user, can you AuthN them please? AS to EndUser: auth to me with username/password/otp... EndUser to AS: (credentials) AS to EndUser: Can Client have access to Resources? EndUser to AS: yes. AS to Client: End User Authenticated as "Eugene", here are day 1 access grants Client to EndUser: Eugene, I want to link you to a local auth method EndUser to Client: (credential established).

Day 2

EndUser to Client: I have returned! Client to EndUser: Can you AuthN? EndUser to Client: (credentials) Client to EndUser: Hello Euguene, let me collect your data Client to AS: I have Authenticated Eugene (proof?) and require access to his resources AS to Client: sure, here are day 2 access grants Client to Eugene: all good...

Related Use Cases:

  • Client knows End User
Add a custom footer
Add a custom sidebar
Clone this wiki locally