[APIM][C5] SSO Feature for Publisher/Store Login


[APIM][C5] SSO Feature for Publisher/Store Login

Naduni Pamudika
Hi All,

In API Manager, currently we have basic authentication. In order to move it into Single Sign On (SSO) for API Manager 3.0 (for Publisher and Store logins), it was agreed in [1] to use OpenID Connect (OIDC) with authorization code grant type.

Following diagram explains the flow of the SSO feature for Publisher/Store Login.




Appreciate your feedback and suggestions on the approach.

[1] Mail Subject - "[Architecture] [APIM] [C5] Single sign on support in API Manager 3.0"

Thank you.
Naduni
--
Naduni Pamudika
Software Engineer

WSO2 Inc: http://wso2.com
Mobile: 0719143658
http://wso2.com/signature

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: [APIM][C5] SSO Feature for Publisher/Store Login

Sanjeewa Malalgoda
After we receive the authorization code, the browser cannot get the token alone. It needs to have the client keys, secrets, scopes, etc. So from the 8th step onward, token retrieval needs to be handled from the publisher/store side. Then the app needs to obtain the token and direct the user to the new page. Also, as I remember, by the time we get the authorization code we need to show the scopes and get user consent for them.

Thanks,
sanjeewa.

--

Sanjeewa Malalgoda
WSO2 Inc.
Mobile : +94713068779

blog :http://sanjeewamalalgoda.blogspot.com/




Re: [APIM][C5] SSO Feature for Publisher/Store Login

Ishara Karunarathna
Hi Naduni,

In this flow, user authentication should be done using the ID token (you will get this along with the access token).
And to access the relevant resources you can use the access token, but you need to send the necessary scopes at the beginning.

And I have following questions regarding this.

1. How do you configure IDPs other than WSO2 Identity Server?
2. How do you handle logout?

-Ishara


--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: [hidden email],   blog: isharaaruna.blogspot.com,   mobile: +94717996791




Re: [APIM][C5] SSO Feature for Publisher/Store Login

Ishara Cooray
Hi Naduni,

You need to provide the client id and scopes in your request to the authorize endpoint.

As Sanjeewa said, you will need to do the token request from the store/publisher app.
This token request has to be provided with the client secret.
[1] helps to try out the authorization grant.

How do you handle the token renewal?

IMO, you can use the refresh_token to renew the access token.
To do that you can store the refresh_token you receive from the access token request and use it to renew the token using the refresh_token grant.
[2] may also be a useful reference.

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

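The flow the replies above describe, as an added example in Python (not WSO2 code and not part of the thread): the app sends client_id and scopes on the authorize request, the Publisher/Store server (never the browser) exchanges the code at the token endpoint using the client secret, the user is authenticated from the ID token's claims, and the access token is renewed with the refresh_token grant. The endpoint URLs, client credentials, scope names and the `FakeIdp` stand-in are constructed for the example; the HTTP call is injected as `post` so the module runs offline.

```python
import base64, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Stand-in values for the example; real ones come from the app's server-side config.
ISSUER = "https://idp.example.test"
AUTHORIZE_ENDPOINT, TOKEN_ENDPOINT = ISSUER + "/oauth2/authorize", ISSUER + "/oauth2/token"
CLIENT_ID, CLIENT_SECRET = "publisher-app", "publisher-app-secret"   # secret never leaves the server
REDIRECT_URI = "https://publisher.example.test/callback"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _client_auth_header():
    # client_secret_basic: the secret travels in the Authorization header of the token request
    return {"Authorization": "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()}

def build_authorize_url(session, scopes=("openid", "apim:api_view")):
    """Step 1: the browser is redirected here with client_id and the scopes the app
    needs; state and nonce stay in the server session for the checks later on."""
    session["state"], session["nonce"] = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes), "state": session["state"], "nonce": session["nonce"]})

def validate_id_token_claims(id_token, nonce, now=None):
    """Authenticate the user from the ID token: iss, aud, exp and nonce must match.
    Signature verification against the IdP's JWKS is also required in production;
    it is left out only so this example runs offline."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if CLIENT_ID not in aud:
        raise ValueError("id_token was not issued for this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def handle_callback(session, callback_url, post):
    """Redirect back with ?code=...&state=...: check state, then the server (never the
    browser) exchanges the code at the token endpoint using the client secret."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch: possible CSRF or stale login")
    form = {"grant_type": "authorization_code", "code": q["code"][0], "redirect_uri": REDIRECT_URI}
    tokens = post(TOKEN_ENDPOINT, form, _client_auth_header())
    claims = validate_id_token_claims(tokens["id_token"], session.pop("nonce", None))
    session.update(user=claims["sub"], access_token=tokens["access_token"],
                   refresh_token=tokens.get("refresh_token"))
    return claims["sub"]

def renew_access_token(session, post):
    """refresh_token grant; keep the rotated refresh token if the IdP issues one."""
    form = {"grant_type": "refresh_token", "refresh_token": session["refresh_token"]}
    tokens = post(TOKEN_ENDPOINT, form, _client_auth_header())
    session["access_token"] = tokens["access_token"]
    session["refresh_token"] = tokens.get("refresh_token", session["refresh_token"])
    return session["access_token"]

class FakeIdp:
    """Constructed stand-in for the IdP so the flow runs offline: it records the nonce
    at the authorize step and issues an unsigned (alg=none) ID token for the demo."""
    def __init__(self):
        self.codes, self.refresh_tokens = {}, set()

    def authorize(self, url):
        # User logs in and consents to the requested scopes; the IdP redirects back.
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(8)
        self.codes[code] = q["nonce"][0]
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

    def post(self, url, form, headers):
        if url != TOKEN_ENDPOINT or headers.get("Authorization") != _client_auth_header()["Authorization"]:
            raise PermissionError("client authentication failed")
        out = {"access_token": secrets.token_urlsafe(8), "token_type": "Bearer"}
        if form["grant_type"] == "authorization_code" and form.get("code") in self.codes:
            claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin",
                      "nonce": self.codes.pop(form["code"]), "exp": int(time.time()) + 300}
            out["id_token"] = ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), ""])
        elif form["grant_type"] == "refresh_token" and form.get("refresh_token") in self.refresh_tokens:
            self.refresh_tokens.discard(form["refresh_token"])  # one use per refresh token
        else:
            raise PermissionError("invalid grant")
        out["refresh_token"] = secrets.token_urlsafe(8)
        self.refresh_tokens.add(out["refresh_token"])
        return out

def run_demo():
    """Log in, then renew once; returns (user, whether the access token changed)."""
    idp, session = FakeIdp(), {}
    user = handle_callback(session, idp.authorize(build_authorize_url(session)), idp.post)
    first = session["access_token"]
    return user, renew_access_token(session, idp.post) != first
```

`run_demo()` walks the whole exchange against the stand-in IdP. The two checks that matter for security sit in `handle_callback` and `validate_id_token_claims`: the `state` comparison ties the callback to the login the server started, and the `nonce` comparison ties the ID token to that same login, so a code or token obtained in another browser session cannot be replayed into this one.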

Re: [APIM][C5] SSO Feature for Publisher/Store Login

Sanjeewa Malalgoda


On Wed, May 24, 2017 at 6:38 AM, Ishara Cooray <[hidden email]> wrote:
Hi Naduni,

You need to provide the client id and scopes in your request to the authorize endpoint.

As Sanjeewa said, you will need to do the token request from the store/publisher app.
This token request has to be provided with the client secret.
[1] helps to try out the authorization grant.

How do you handle the token renewal?

IMO, you can use the refresh_token to renew the access token.
+1, we may use the refresh grant for this.
To do that you can store the refresh_token you receive from the access token request and use it to renew the token using the refresh_token grant.
[2] may also be a useful reference.


On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna <[hidden email]> wrote:
Hi Naduni,

In this flow, user authentication should be done using the ID token (you will get this along with the access token).
And to access the relevant resources you can use the access token, but you need to send the necessary scopes at the beginning.

And I have following questions regarding this.

1. How do you configure IDPs other than WSO2 Identity Server?
2. How do you handle logout?
I think we can revoke the token when the user logout happens.

Thanks,
sanjeewa.
 


Re: [APIM][C5] SSO Feature for Publisher/Store Login

Bhathiya Jayasekara
Hi Ishara,

On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna <[hidden email]> wrote:
Hi Naduni,

In this flow, user authentication should be done using the ID token (you will get this along with the access token).
And to access the relevant resources you can use the access token, but you need to send the necessary scopes at the beginning.

And I have following questions regarding this.

1. How do you configure IDPs other than WSO2 Identity Server?
2. How do you handle logout?

This is a good question. I just did some quick research on our options. It seems the OIDC Session Management spec [1] is the most commonly used solution. It seems that this iframe option is used by IS [2] as well.

I also found another 2 new specs [3][4] which are about OIDC logout. [3] is kind of similar to how SAML SLO works.

However, they say that "OpenID Connect Front-Channel Logout 1.0 can be used separately from or in combination with OpenID Connect Session Management 1.0 and/or OpenID Connect Back-Channel Logout 1.0." So we may need to think of a better approach.

Do you have any opinions on this?


Thanks,
Bhathiya

 

--
Bhathiya Jayasekara
Associate Technical Lead,
WSO2 inc., http://wso2.com

Phone: +94715478185


Re: [APIM][C5] SSO Feature for Publisher/Store Login

Roshan Wijesena

On Wed, May 24, 2017 at 1:19 AM, Bhathiya Jayasekara <[hidden email]> wrote:
1. How do you configure IDPs other than WSO2 Identity Server?

This is a good question. What if the other IDP does not support OIDC? Any other solution for SSO? What happened to SAML, are we not supporting it?
 
2. How do you handle logout?

Can't we send a revoke token request on logout and do a page refresh after a successful revoke?




--
Roshan Wijesena.
Senior Software Engineer-WSO2 Inc.
Mobile: +94719154640
WSO2, Inc. : wso2.com
lean.enterprise.middleware.


Re: [APIM][C5] SSO Feature for Publisher/Store Login

Ishara Karunarathna
Hi,

On Wed, May 24, 2017 at 11:49 AM, Bhathiya Jayasekara <[hidden email]> wrote:
Hi Ishara,

On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna <[hidden email]> wrote:
Hi Naduni,

In this flow, user authentication should be done using the ID token (you will get this along with the access token).
And to access the relevant resources you can use the access token, but you need to send the necessary scopes at the beginning.

And I have following questions regarding this.

1. How do you configure IDPs other than WSO2 Identity Server?
2. How do you handle logout?

This is a good question. I just did some quick research on our options. It seems the OIDC Session Management spec [1] is the most commonly used solution. It seems that this iframe option is used by IS [2] as well.

I also found another 2 new specs [3][4] which are about OIDC logout. [3] is kind of similar to how SAML SLO works.

However, they say that "OpenID Connect Front-Channel Logout 1.0 can be used separately from or in combination with OpenID Connect Session Management 1.0 and/or OpenID Connect Back-Channel Logout 1.0." So we may need to think of a better approach.

Do you have any opinions on this?
From my understanding, here you were focusing on using the OAuth token for SSO, but it is better to use OIDC session management for this; then you can easily manage SLO as well.
@Bhathiya, in IS we have implemented front channel, so you can start with that.

And how do you handle authorization? Do you provision all the scope information to the IDP?

Better to arrange a meeting and discuss.

-Ishara


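The two logout approaches raised in this thread, as an added example in Python that is not WSO2 code and not from the thread: app-initiated logout that revokes the tokens at the IdP and drops the local session (the approach Roshan and Sanjeewa suggest), and an IdP-initiated front-channel logout endpoint of the kind OpenID Connect Front-Channel Logout 1.0 describes (the direction Bhathiya and Ishara point to). The endpoint URL, client credentials, session store and the `FakeRevocationEndpoint` stand-in are constructed; the HTTP call is injected as `post` so it runs offline. It also shows the point that separates the two approaches: revocation alone invalidates this app's tokens but leaves the user's SSO session at the IdP in place, which is why session management or front-channel logout is needed for real SLO.

```python
import base64
from urllib.parse import parse_qs, urlparse

# Stand-in values for the example; not any real deployment's identifiers.
ISSUER = "https://idp.example.test"
REVOCATION_ENDPOINT = ISSUER + "/oauth2/revoke"
CLIENT_ID, CLIENT_SECRET = "store-app", "store-app-secret"

# Server-side session store keyed by the app's own session cookie value (constructed).
SESSIONS = {}

def _client_auth_header():
    creds = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return {"Authorization": "Basic " + base64.b64encode(creds).decode()}

def app_logout(session_id, post):
    """User clicks Logout in the Store/Publisher app: revoke the refresh token first
    (the long-lived credential), then the access token, then drop the local session."""
    session = SESSIONS.pop(session_id, None)
    if session is None:
        return {"revoked": [], "idp_session_ended": False}
    revoked = []
    for hint in ("refresh_token", "access_token"):
        token = session.get(hint)
        if token and post(REVOCATION_ENDPOINT, {"token": token, "token_type_hint": hint},
                          _client_auth_header()) == 200:
            revoked.append(hint)
    # Revocation only invalidates this app's tokens; the user's SSO session at the
    # IdP is untouched, so the next login may complete without a credential prompt.
    return {"revoked": revoked, "idp_session_ended": False}

def frontchannel_logout(request_url):
    """IdP-initiated logout: the IdP loads this URL in an iframe on its logout page.
    End local sessions only when iss is our IdP and sid matches; return the number of
    sessions ended (the HTTP response itself should look the same in every case)."""
    q = parse_qs(urlparse(request_url).query)
    iss, sid = q.get("iss", [None])[0], q.get("sid", [None])[0]
    if iss != ISSUER or not sid:
        return 0
    ended = [key for key, s in SESSIONS.items() if s.get("sid") == sid]
    for key in ended:
        SESSIONS.pop(key)
    return len(ended)

class FakeRevocationEndpoint:
    """Constructed stand-in for the IdP's revocation endpoint (RFC 7009 behaviour:
    the client must authenticate; unknown tokens still get 200 so callers cannot
    use the endpoint to probe which tokens exist)."""
    def __init__(self, issued):
        self.issued, self.revoked = set(issued), set()

    def post(self, url, form, headers):
        if url != REVOCATION_ENDPOINT or headers.get("Authorization") != _client_auth_header()["Authorization"]:
            return 401
        if form["token"] in self.issued:
            self.revoked.add(form["token"])
        return 200

def seed_sessions():
    """Two constructed logged-in sessions; sid is the IdP session id from the ID token."""
    SESSIONS.clear()
    SESSIONS["cookie-1"] = {"user": "admin", "sid": "idp-sid-1", "access_token": "at-1", "refresh_token": "rt-1"}
    SESSIONS["cookie-2"] = {"user": "bob", "sid": "idp-sid-2", "access_token": "at-2", "refresh_token": "rt-2"}
    return FakeRevocationEndpoint({"at-1", "rt-1", "at-2", "rt-2"})
```

Calling `seed_sessions()` and then `app_logout("cookie-1", endpoint.post)` revokes both of that session's tokens and clears it locally, but the returned `idp_session_ended` stays `False`; only a logout request coming from the IdP through `frontchannel_logout`, with a matching `iss` and `sid`, ends the session as part of a single logout across all relying parties. The `iss` check matters because the endpoint is reachable by any page that can embed an iframe, and a `sid` supplied without the expected issuer must not terminate anything.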

Re: [APIM][C5] SSO Feature for Publisher/Store Login

Asela Pathberiya


On Wed, May 24, 2017 at 12:11 PM, Roshan Wijesena <[hidden email]> wrote:

On Wed, May 24, 2017 at 1:19 AM, Bhathiya Jayasekara <[hidden email]> wrote:
1. How do you configure IDPs other than WSO2 Identity Server?

This is a good question. What if the other IDP does not support OIDC? Any other solution for SSO? What happened to SAML, are we not supporting it?

We need to support both SAML2 & OpenID Connect... SAML2 SSO is still mostly used... we cannot just remove it...

Thanks,
Asela.
 
 
--
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
             +358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/
