How to detect which identity provider send a response












0















Currently, I'm trying to implement an OpenID Connect solution which supports multiple identity providers. I chose to use the authorization code flow for this.



When the user opens the login screen the logo's of the supported identity providers are visible. When a logo/identity provider is clicked the system will store the necessary cookies and will redirect the user to the identity provider.



The response of the identity provider contains the following information:




  1. Authorization code

  2. Session_state

  3. State

  4. Scope


Now if I want to make a token request I don't know which identity provider to use. Some things I thought of two things to solve this issue:




  1. Using the UrlReferrer

  2. Storing the used provider in the cookies(Encrypted).


Does anyone know how to solve this problem?






single-sign-on oidc







share|improve this question





























    0















    Currently, I'm trying to implement an OpenID Connect solution which supports multiple identity providers. I chose to use the authorization code flow for this.



    When the user opens the login screen the logo's of the supported identity providers are visible. When a logo/identity provider is clicked the system will store the necessary cookies and will redirect the user to the identity provider.



    The response of the identity provider contains the following information:




    1. Authorization code

    2. Session_state

    3. State

    4. Scope


    Now if I want to make a token request I don't know which identity provider to use. Some things I thought of two things to solve this issue:




    1. Using the UrlReferrer

    2. Storing the used provider in the cookies(Encrypted).


    Does anyone know how to solve this problem?






    single-sign-on oidc







    share|improve this question



























      0












      0








      0








      Currently, I'm trying to implement an OpenID Connect solution which supports multiple identity providers. I chose to use the authorization code flow for this.



      When the user opens the login screen the logo's of the supported identity providers are visible. When a logo/identity provider is clicked the system will store the necessary cookies and will redirect the user to the identity provider.



      The response of the identity provider contains the following information:




      1. Authorization code

      2. Session_state

      3. State

      4. Scope


      Now if I want to make a token request I don't know which identity provider to use. Some things I thought of two things to solve this issue:




      1. Using the UrlReferrer

      2. Storing the used provider in the cookies(Encrypted).


      Does anyone know how to solve this problem?






      single-sign-on oidc







      share|improve this question
















      Currently, I'm trying to implement an OpenID Connect solution which supports multiple identity providers. I chose to use the authorization code flow for this.



      When the user opens the login screen the logo's of the supported identity providers are visible. When a logo/identity provider is clicked the system will store the necessary cookies and will redirect the user to the identity provider.



      The response of the identity provider contains the following information:




      1. Authorization code

      2. Session_state

      3. State

      4. Scope


      Now if I want to make a token request I don't know which identity provider to use. Some things I thought of two things to solve this issue:




      1. Using the UrlReferrer

      2. Storing the used provider in the cookies(Encrypted).


      Does anyone know how to solve this problem?






      single-sign-on oidc




      single-sign-on oidc






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 26 '18 at 11:13









      the_ultimate_developer

      1,026822




      1,026822










      asked Nov 26 '18 at 11:02









      RonaldRonald

      112




      112
























          1 Answer
          1






          active

          oldest

          votes


















          0














          Storing the provider details in session or in cookies would be the better option I guess as you might need to use other endpoints (such as introspection, certification) later in the flow.






          share|improve this answer
























          • After reading the following article link I noticed that using the optional audience claim in the OAuth2 state is intended for storing the client(provider) the state is intended for. But should there not be a better way for doing this?

            – Ronald
            Nov 28 '18 at 17:26











          • Client is not the identity provider. aud claim in the token returns the application(s) which a user authorizes to access a certain resource on his behalf. This client should also be registered as a client in your IdP. Since the tokens returned are in the form of jwt, you can validate the signature to determine whether the token has been tampered with.

            – RakihthaRR
            Nov 29 '18 at 2:28












          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53479728%2fhow-to-detect-which-identity-provider-send-a-response%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Storing the provider details in session or in cookies would be the better option I guess as you might need to use other endpoints (such as introspection, certification) later in the flow.






          share|improve this answer
























          • After reading the following article link I noticed that using the optional audience claim in the OAuth2 state is intended for storing the client(provider) the state is intended for. But should there not be a better way for doing this?

            – Ronald
            Nov 28 '18 at 17:26











          • Client is not the identity provider. aud claim in the token returns the application(s) which a user authorizes to access a certain resource on his behalf. This client should also be registered as a client in your IdP. Since the tokens returned are in the form of jwt, you can validate the signature to determine whether the token has been tampered with.

            – RakihthaRR
            Nov 29 '18 at 2:28
















          0














          Storing the provider details in session or in cookies would be the better option I guess as you might need to use other endpoints (such as introspection, certification) later in the flow.






          share|improve this answer
























          • After reading the following article link I noticed that using the optional audience claim in the OAuth2 state is intended for storing the client(provider) the state is intended for. But should there not be a better way for doing this?

            – Ronald
            Nov 28 '18 at 17:26











          • Client is not the identity provider. aud claim in the token returns the application(s) which a user authorizes to access a certain resource on his behalf. This client should also be registered as a client in your IdP. Since the tokens returned are in the form of jwt, you can validate the signature to determine whether the token has been tampered with.

            – RakihthaRR
            Nov 29 '18 at 2:28














          0












          0








          0







          Storing the provider details in session or in cookies would be the better option I guess as you might need to use other endpoints (such as introspection, certification) later in the flow.






          share|improve this answer













          Storing the provider details in session or in cookies would be the better option I guess as you might need to use other endpoints (such as introspection, certification) later in the flow.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 27 '18 at 3:05









          RakihthaRRRakihthaRR

          304313




          304313













          • After reading the following article link I noticed that using the optional audience claim in the OAuth2 state is intended for storing the client(provider) the state is intended for. But should there not be a better way for doing this?

            – Ronald
            Nov 28 '18 at 17:26











          • Client is not the identity provider. aud claim in the token returns the application(s) which a user authorizes to access a certain resource on his behalf. This client should also be registered as a client in your IdP. Since the tokens returned are in the form of jwt, you can validate the signature to determine whether the token has been tampered with.

            – RakihthaRR
            Nov 29 '18 at 2:28



















          • After reading the following article link I noticed that using the optional audience claim in the OAuth2 state is intended for storing the client(provider) the state is intended for. But should there not be a better way for doing this?

            – Ronald
            Nov 28 '18 at 17:26











          • Client is not the identity provider. aud claim in the token returns the application(s) which a user authorizes to access a certain resource on his behalf. This client should also be registered as a client in your IdP. Since the tokens returned are in the form of jwt, you can validate the signature to determine whether the token has been tampered with.

            – RakihthaRR
            Nov 29 '18 at 2:28

















          After reading the following article link I noticed that using the optional audience claim in the OAuth2 state is intended for storing the client(provider) the state is intended for. But should there not be a better way for doing this?

          – Ronald
          Nov 28 '18 at 17:26





          After reading the following article link I noticed that using the optional audience claim in the OAuth2 state is intended for storing the client(provider) the state is intended for. But should there not be a better way for doing this?

          – Ronald
          Nov 28 '18 at 17:26













          Client is not the identity provider. aud claim in the token returns the application(s) which a user authorizes to access a certain resource on his behalf. This client should also be registered as a client in your IdP. Since the tokens returned are in the form of jwt, you can validate the signature to determine whether the token has been tampered with.

          – RakihthaRR
          Nov 29 '18 at 2:28





          Client is not the identity provider. aud claim in the token returns the application(s) which a user authorizes to access a certain resource on his behalf. This client should also be registered as a client in your IdP. Since the tokens returned are in the form of jwt, you can validate the signature to determine whether the token has been tampered with.

          – RakihthaRR
          Nov 29 '18 at 2:28




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53479728%2fhow-to-detect-which-identity-provider-send-a-response%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          To store a contact into the json file from server.js file using a class in NodeJS

          Image
          0 I have created three files -contactPresentation.js, contactService.js, contacts.json. I will run the contactService.js file. And it will navigate to contactPresentation.js file that will only choose an option to either add or display a file. If add(), then add the data into add of service file.And the data will be added to the contacts.json file . And if display(), then display the display() of service file. And the display will take the data from contacts.json file. However, i know my code is flawed. Please correct it . I am also getting an error - this.contacts.push(new ContactService(userName, contactNumber, emailId)); ^ TypeError: Cannot read property 'push' of undefined at ContactService.add (e:NodeJSProjectcontactManager2contactService.js:57:23) at new C
          Read more

          Redirect URL with Chrome Remote Debugging Android Devices

          Image
          1 How can i redirect an URL with Chrome Remote Debugging Android Devices? like Requestly Chrome extension on desktop. google-chrome debugging url redirect testing share | improve this question edited Nov 24 '18 at 8:16 sachinjain024 14.7k 23 73 129 asked Nov 23 '18 at 16:09 Momen Momen 91 10
          Read more

          Dieringhausen

          Image
          Dieringhausen Stadt Gummersbach 50.982777777778 7.5316666666667 165 Koordinaten: 50° 58′ 58″  N , 7° 31′ 54″  O Höhe: 165  (160–245)  m Einwohner: 5055  (30. Jun. 2016) Postleitzahl: 51645 Vorwahl: 02261 Lage von Dieringhausen in Gummersbach Im Hohl ca. 1927–1930 Ansicht von Südwesten bei Bünghausen Dieringhausen (im örtlichen Dialekt Dierkesen ) ist ein Ortsteil von Gummersbach im Oberbergischen Kreis, Regierungsbezirk Köln, Nordrhein-Westfalen (Deutschland). Inhaltsverzeichnis 1 Geographie 2 Geschichte 3 Kultur 3.1 Sehenswürdigkeiten 3.2 Regelmäßige Veranstaltungen 4 Infrastruktur und Wirtschaft 4.1 Verkehr 4.1.1 Schienen- und Busverkehr 4.1.2 Straßen 4.2 Öffentliche Einrichtungen 4.2.1 Schulen und Bildungseinrichtungen 4.2.2 Kirchliche Einrichtungen 5 Persönlichkeiten 5.1 In Dieringhausen geboren 5.2 In Dieringhausen gelebt 6 Einzelnachweise 7
          Read more