Token strategy for multiple resources

strictlysocial · July 30, 2019, 7:44am

Hi,

This is a bit of an open ended question, but I was wondering how people have architected their solution to deal platforms dealing with many applications talking to many resource servers using OIDC? I have read this article (https://www.pingidentity.com/en/company/blog/posts/2019/oauth2-access-token-multiple-resources-usage-strategies.html) which suggests the primary options are:

Single access token / single audience to be used across all resources
Single Access Token with Multiple Audiences (not sure this is supported in Okta)
Multiple Access Tokens (one custom auth server per service - one token per service)

Option 1 would appear to be the obvious choice, but I can see a situation where Claims/Scopes and other auth server config will become hard to manager when handling many resource server requirements.

I’d appreciate any input into this discussion.

Thanks

Govner · August 15, 2019, 8:25am

Your right about option 2, although the token exchange RFC may address that specific requirement down the line.

For option 3 you have the added benefit of being able to control the token lifespans granularly for each service

system · January 17, 2024, 11:54pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Token Strategy Across Authorization Servers OAuth/OIDC api	3	158	July 18, 2024
OAuth 2 implementation for Okta resources OAuth/OIDC	1	3709	February 12, 2024
Token Exchange with 2 Authorization Servers Questions	2	2010	February 15, 2024
Using OIDC and OAuth with Microservices and API Management OAuth/OIDC	4	6202	March 5, 2018
How do we go about authenticating to multiple authorization servers? Questions	2	3007	December 9, 2021

Token strategy for multiple resources

Related topics