I've been looking at OpenID Connect and the associated scopes and authentication flows. I understand how that hangs together in getting access tokens and id tokens back into a client which can use them to make authenticated requests to a resource provider.
I've also seen documentation that OpenID Connect is also suitable for federation, but I'm missing something. Trust. Using another federation protocol, SAML, there is an exchange of static configuration data out of band in order to establish trust between the IdP and SP. I've been trying to find an API that supports OpenID Connect with a third party IdP such as Okta performing the authentication.
The use case I'm considering is a native app or SPA (single page app) that leverages Okta for authentication via OpenID Connect. It goes through the authentication flows (implicit) and receives an access token and ID token. It can then pass them to the resource provider API to make authenticated requests, except... the resource provider has no idea who Okta is that issued the access token, or who the subject 'sub' is that has been passed down with the ID token.
Let's say the native app uses two or more resource provider APIs. Or 10. I understand how to achieve this in SAML with web apps. Does anyone have any concrete examples of how this is implemented, or is federated OpenID Connect just a standards document at the minute?