Question
We have a WebApp to which we want to allow 3rd parties to add UI extensions by means of embedding their 3rd party WebApp in an iframe, much like SalesForce Canvas or WeChat Mini Programs.
One of the particulars we're having difficulties with is figuring out how to provide a seamless UX, in the sense that when the user is already logged into our WebApp and they browse to a place where a 3rd party webapp is embedded, there should be no login required to gain access to the 3rd party webapp.
I have the feeling that OpenID Connect would be helpful here. I've found some references online which say that one of the (cool) things you can do with the id_token received is pass it onto a 3rd party app, but I have a difficult time finding more info on that, how exactly you'd have to do the passing/what the flow would be and what security things you'd have to consider when doing so.
Did find this in the specs: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin, which seems to indicate OpenID Connect supports it, but I can find little to no further info on this.
So, I am looking for confirmation that OpenID Connect is the right approach and then pointers on how to achieve it.
TIA, Paul
Answer 1:
You may use OpenID Connect indeed: upon loading the iframe you would redirect the user to the OpenID Connect provider with an authorization request that is specific for the 3rd-party app (i.e. the 3rd-party app is a Client/RP on its own).
The 3rd-party app would get its own id_token in the response.
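The flow in this answer, as an added example that is not part of the original question or answer: the embedded app acts as its own OIDC Relying Party, builds its own authorization request (with `state`, `nonce` and PKCE), and validates the id_token it receives against its own `client_id`. The second scenario shows why the host app's id_token cannot simply be handed to the third party: the audience check rejects it. All endpoint URLs, client IDs and the HS256 shared secret are constructed stand-ins; a real provider signs id_tokens with keys published at its JWKS endpoint (typically RS256), so the signature step would use that key material instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; none of them come from the original post.
AUTHZ_ENDPOINT = "https://op.example.com/authorize"
ISSUER = "https://op.example.com"
HOST_CLIENT_ID = "host-webapp"            # the embedding WebApp, registered as its own client
THIRD_PARTY_CLIENT_ID = "third-party-rp"  # the iframe'd app, registered as a separate Client/RP
THIRD_PARTY_REDIRECT = "https://ext.example.net/oidc/callback"
SHARED_SECRET = b"constructed-example-secret"  # HS256 stand-in for the provider's signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_pair(verifier=None):
    """RFC 7636 code_verifier / S256 code_challenge pair."""
    verifier = verifier or secrets.token_urlsafe(48)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorization_request(client_id, redirect_uri, state, nonce, code_challenge):
    """Authorization request the embedded RP redirects the user to. Because it names the
    third-party app as the client, the resulting id_token is issued to that app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def mint_id_token(aud, nonce, sub="user-123", now=None, secret=SHARED_SECRET):
    """Stand-in for the provider issuing an id_token (constructed, HS256, 5 minute lifetime)."""
    now = now or int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "nonce": nonce, "iat": now, "exp": now + 300}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_id_token(token, expected_aud, expected_nonce, now=None, secret=SHARED_SECRET):
    """Checks an RP performs before trusting an id_token: signature, iss, aud, nonce, exp."""
    now = now or int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def embedded_login_flow(now=None):
    """The third-party RP starts its own authorization request and validates its own id_token."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    _verifier, challenge = pkce_pair()
    url = build_authorization_request(THIRD_PARTY_CLIENT_ID, THIRD_PARTY_REDIRECT, state, nonce, challenge)
    assert parse_qs(urlparse(url).query)["client_id"] == [THIRD_PARTY_CLIENT_ID]
    # The code exchange at the token endpoint is elided; the provider returns an id_token for this client.
    token = mint_id_token(THIRD_PARTY_CLIENT_ID, nonce, now=now)
    return validate_id_token(token, THIRD_PARTY_CLIENT_ID, nonce, now=now)


def host_token_is_rejected(now=None):
    """Forwarding the host app's own id_token to the embedded app fails the audience check:
    that token was issued to the host client, not to the third-party RP."""
    nonce = "n1"
    host_token = mint_id_token(HOST_CLIENT_ID, nonce, now=now)
    try:
        validate_id_token(host_token, THIRD_PARTY_CLIENT_ID, nonce, now=now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(embedded_login_flow())
    print(host_token_is_rejected())
```

Since the user already has a session at the provider from the host app's login, the redirect inside the iframe completes without a fresh credential prompt, which is the seamless behaviour the question asks for; `state` binds the response to the RP's own request and `nonce` binds the id_token to it, so the embedded app never has to trust a token minted for somebody else.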
Source: https://stackoverflow.com/questions/52100644/is-openid-connect-the-right-tool-to-allow-a-embedded-3rd-webapp-site-in-an-ifra