JBoss Community Archive (Read Only)

PicketLink

REST Service to convert SAML Tokens Into OAuth Tokens

Requirement

Once SAML SSO is performed, the Service Provider (SP) has access to the SAML assertion/token for the user. The SP should then be able to call a REST service with the SAML token and obtain an OAuth token.

Design

  • A RESTEasy endpoint is required that accepts the SAML token as a bearer token. More information on OAuth bearer tokens is available at https://docs.jboss.org/author/display/PLINK/OAuth+Bearer+Tokens

  • The endpoint should be secured.

    • PicketLink has a login module, as of v2.5.0.Final, called SAMLBearerTokenModule.

    • The login module will validate the SAML Bearer Token and create a Principal for use by the REST Endpoint.

  • The REST endpoint creates an OAuth token from the principal and sends it back to the requesting client.

    • The endpoint should store the OAuth token along with a reference to the SAML token.

Versions

RESTEasy (Any)

PicketLink v2.5.0.Final and above

What Should the OAuth Token Look Like?

Options:

  1. Use UUID

  2. Convert the SAML token into a base64-encoded string.
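The following JAX-RS resource is an added illustration of the design above, using option 1; it is not PicketLink code and not part of the original page. It assumes the container has already run the SAML bearer-token login module on the request (configured in the deployment descriptors, not shown), so the resource only consumes the resulting Principal. The class name, the /oauth/token path, the in-memory store, the one-hour lifetime and the use of a SHA-256 digest as the "reference to the SAML token" are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/**
 * Hypothetical resource (example, not PicketLink code). The SAML bearer-token login
 * module, configured outside this class, has already validated
 * "Authorization: Bearer <base64 SAML assertion>" and set the user Principal.
 * This class only turns that Principal into an opaque OAuth token (option 1: UUID).
 */
@Path("/oauth")
public class SamlToOAuthTokenResource {

    /** Record kept per issued token; the SAML assertion itself is not stored, only its digest. */
    public static final class IssuedToken {
        public final String subject;          // principal name established by the login module
        public final String samlTokenDigest;  // SHA-256 of the bearer token, as the "reference"
        public final long expiresAtMillis;

        IssuedToken(String subject, String samlTokenDigest, long expiresAtMillis) {
            this.subject = subject;
            this.samlTokenDigest = samlTokenDigest;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    // In-memory store (assumed): opaque token -> record. A clustered SP needs a shared store.
    private static final Map<String, IssuedToken> TOKENS = new ConcurrentHashMap<>();
    private static final long LIFETIME_MILLIS = 60L * 60L * 1000L; // one hour, an assumed value

    @POST
    @Path("/token")
    @Produces(MediaType.APPLICATION_JSON)
    public Response issueToken(@Context SecurityContext securityContext,
                               @HeaderParam("Authorization") String authorization) {
        Principal user = securityContext.getUserPrincipal();
        if (user == null) {
            // The login module did not authenticate this request: never mint a token here.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        String samlToken = stripBearer(authorization);
        if (samlToken == null) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        // UUID.randomUUID() draws from SecureRandom: the token is unguessable and carries no claims.
        String oauthToken = UUID.randomUUID().toString();
        TOKENS.put(oauthToken, new IssuedToken(user.getName(), sha256Hex(samlToken),
                System.currentTimeMillis() + LIFETIME_MILLIS));
        String body = "{\"access_token\":\"" + oauthToken + "\",\"token_type\":\"bearer\","
                + "\"expires_in\":" + (LIFETIME_MILLIS / 1000) + "}";
        // no-store: the response carries a bearer credential and must not be cached.
        return Response.ok(body).header("Cache-Control", "no-store").build();
    }

    /** Used by resources that accept the OAuth token; null for unknown or expired tokens. */
    public static IssuedToken lookup(String oauthToken) {
        IssuedToken record = oauthToken == null ? null : TOKENS.get(oauthToken);
        if (record == null) {
            return null;
        }
        if (record.expiresAtMillis <= System.currentTimeMillis()) {
            TOKENS.remove(oauthToken); // expired entries are evicted on first use
            return null;
        }
        return record;
    }

    /** Returns the token part of "Bearer <token>", or null if the header is absent or malformed. */
    static String stripBearer(String header) {
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }
        String token = header.substring(7).trim();
        return token.isEmpty() ? null : token;
    }

    static String sha256Hex(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

A client holding the SAML assertion calls POST /oauth/token with the assertion as the bearer credential and receives the opaque access_token; other resources on the SP call lookup() with that token to recover the subject and check expiry. Keeping only a digest means the SAML assertion never leaves the SP through this endpoint, which is the practical difference from option 2, where the OAuth token would be the assertion itself re-encoded and would have to be presented on every subsequent request.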

Final Decision

An all-encompassing PicketLink quickstart.

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:19:44 UTC, last content change 2013-12-12 21:34:19 UTC.