Friday, February 5, 2010

Integrating REST clients with STS for token exchange

Where REST services demand a particular type of token for access, REST clients can integrate with an STS (Security Token Service) server to acquire the requisite token and pass it to the service.

I haven't seen customers widely asking for such solutions yet, but the need can arise where companies standardize across their applications on tokens such as SAML for access control, which carry not only the username but also attributes associated with the user profile.

In such scenarios, the following flow would apply:
  1. The REST client acquires a token from the STS server, preferably through the REST binding of the STS, though any other supported binding should also be fine.
  2. Once it receives the token, the client adds it to the "Authorization" HTTP header of the REST request.
  3. The REST service receives the request, and a security interceptor (agent) picks up the token to check for access validity. The interceptor can optionally assert the identity into the service for identity propagation needs.
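As an added illustration of the three steps above (not code from the original post), here is a self-contained Python sketch with the STS, the client and the service-side interceptor modelled as functions. The HMAC-signed JSON token, the shared key, the audience URN and the function names are constructed stand-ins for a real SAML token exchange, chosen so the sketch runs offline:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: a shared HMAC key stands in for the STS signing key and
# the relying party's trust in it. Real deployments would use SAML assertions
# with XML signatures; the token shape here is a simplified stand-in.
STS_KEY = b"example-sts-signing-key"
SERVICE_AUDIENCE = "urn:example:orders-service"  # assumed service identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sts_issue_token(username: str, attributes: dict, ttl: int = 300, now=None) -> str:
    """Step 1 (STS side): issue a signed token carrying identity and profile attributes."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "aud": SERVICE_AUDIENCE, "exp": now + ttl, "attrs": attributes}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def client_build_headers(token: str) -> dict:
    """Step 2 (client side): place the STS-issued token in the Authorization header."""
    return {"Authorization": f"Bearer {token}"}


def interceptor_assert_identity(headers: dict, now=None):
    """Step 3 (service side): validate the token; return the asserted identity or None."""
    now = int(time.time()) if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or "." not in token:
        return None
    body, _, sig = token.rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # reject forged or tampered tokens
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not claims.get("sub") or claims.get("aud") != SERVICE_AUDIENCE or claims.get("exp", 0) <= now:
        return None                                  # missing subject, wrong service, or expired
    return {"user": claims["sub"], "attributes": claims.get("attrs", {})}
```

The interceptor checks signature, audience and expiry before asserting the identity, which is the minimum a service-side agent needs to do before trusting attributes carried in the token.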
I would be interested to know if you run into such scenarios and are looking for products to support it. You can leave blog comments.