Hi everyone,
I have a use case and would appreciate any feedback on it.
Suppose a student visits AAA.NET. On the site is a "Connect with BBB!" button. This triggers an OAuth transaction with BBB.COM.
However, BBB.COM, rather than presenting the usual login form, is actually a Shibboleth SP, and so the user gets redirected to their IdP to log in, before being redirected back to BBB.COM, which then asks "Application AAA.NET wants to be able to access your BBB.COM profile. Allow/Deny".
The student clicks "Allow", and the OAuth transaction then completes; they are redirected back to AAA.NET, which is now able to obtain the user profile from BBB.COM using an OAuth access token.
I *think* this scenario is plausible, and I haven't seen anything that indicates it *wouldn't* work, but I also haven't come across any other examples of the same type of combined authz flow, which is a bit surprising to be honest.
Thoughts?
-S
OSS Watch - supporting open source in education and research
http://www.oss-watch.ac.uk
http://scottbw.wordpress.com
@scottbw
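
The combined flow described in the message above, simulated in-process as an added example that is not part of the original post. It assumes an OAuth 2.0 authorization code grant; the client id `aaa-net`, the callback and IdP URLs and the `relay` parameter are hypothetical, and validation of the IdP's assertion and client authentication at the token step are not modelled.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENTS = {"aaa-net": "https://aaa.net/callback"}  # constructed registration
IDP_LOGIN = "https://idp.example.edu/login"        # hypothetical IdP URL

class BBB:  # BBB.COM: OAuth authorization server, login delegated to an IdP
    def __init__(self):
        self.pending, self.codes, self.tokens = {}, {}, {}

    def authorize(self, client_id, redirect_uri, state):
        # Check the client before redirecting anywhere, then park the request.
        if CLIENTS.get(client_id) != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        relay = secrets.token_urlsafe(16)  # stands in for BBB.COM's session
        self.pending[relay] = {"client": client_id, "uri": redirect_uri, "state": state}
        return IDP_LOGIN + "?" + urlencode({"relay": relay})

    def sso_return(self, relay, user):
        # Runs after the SP has validated the IdP's assertion (not modelled).
        self.pending[relay]["user"] = user

    def consent(self, relay, allow):
        # The Allow/Deny answer only counts for an authenticated, parked request.
        if "user" not in self.pending.get(relay, {}):
            raise PermissionError("consent before authentication")
        req = self.pending.pop(relay)
        out = {"state": req["state"]}
        if allow:
            out["code"] = secrets.token_urlsafe(16)
            self.codes[out["code"]] = (req["client"], req["user"])
        else:
            out["error"] = "access_denied"
        return req["uri"] + "?" + urlencode(out)

    def token(self, client_id, code):
        client, user = self.codes.pop(code, (None, None))  # codes are single use
        if client is None or client != client_id:
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = user
        return tok

def run_flow(allow=True, user="student@idp.example.edu"):
    """AAA.NET's side of the exchange; returns the profile or the error."""
    bbb, state = BBB(), secrets.token_urlsafe(8)
    to_idp = bbb.authorize("aaa-net", CLIENTS["aaa-net"], state)
    relay = parse_qs(urlparse(to_idp).query)["relay"][0]
    bbb.sso_return(relay, user)  # the student logs in at the IdP
    back = parse_qs(urlparse(bbb.consent(relay, allow)).query)
    if back["state"] != [state]:
        raise PermissionError("state mismatch")
    if "code" not in back:
        return back["error"][0]
    return {"user": bbb.tokens[bbb.token("aaa-net", back["code"][0])]}
```

The parked request is what carries `client_id`, `redirect_uri` and `state` across the detour to the IdP, so BBB.COM can resume the same OAuth transaction once the student is back.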