Confidential Applications in OAuth2 Flow


Confidential Applications in OAuth2 Flow

Hasintha Indrajee
A confidential application in the OAuth2 flow is an application that requires client authentication before retrieving an access token.

According to the current implementation we can define confidential applications only per grant type, i.e. we can define that all applications which use the authorization code grant should be confidential. We do not have the flexibility to decide whether a specific application should be confidential or not.

As a solution we can bring this config to the UI and have a per-application configuration there. If we bring this option to the UI level / per application, we can define the confidentiality of an application, but in contrast we will lose the ability to define whether a specific type of grant should be confidential or not for a specific application.

In order to cater for both application and grant type level confidentiality we may need to have configurations per grant type. WDYT?


--
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: Confidential Applications in OAuth2 Flow

Rushmin Fernando
IMO, a UI like the one below would solve the problem.

State 1

☑ All
     ☑ Authorization Code
     ☑ Implicit

State 2
   
☐ All
    ☑ Authorization Code
    ☐ Implicit


And we don't need to globally make a grant type confidential, right? IMO we can get rid of it since it makes things a bit complex. Do we have a real use case for that?




On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee <[hidden email]> wrote:
A confidential application in the OAuth2 flow is an application that requires client authentication before retrieving an access token.

According to the current implementation we can define confidential applications only per grant type, i.e. we can define that all applications which use the authorization code grant should be confidential. We do not have the flexibility to decide whether a specific application should be confidential or not.

As a solution we can bring this config to the UI and have a per-application configuration there. If we bring this option to the UI level / per application, we can define the confidentiality of an application, but in contrast we will lose the ability to define whether a specific type of grant should be confidential or not for a specific application.

In order to cater for both application and grant type level confidentiality we may need to have configurations per grant type. WDYT?


--
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453






--
Best Regards

Rushmin Fernando
Technical Lead

WSO2 Inc. - Lean . Enterprise . Middleware 

mobile : +94775615183
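The two UI states above, layered on top of the existing global per-grant-type configuration from the first mail, can be expressed as one small policy resolver and enforced at the token endpoint. The block below is an added example written for this thread, not code from WSO2 Identity Server: the ServiceProvider fields, the sample registry, the global default values and the token endpoint gate are all constructed assumptions. The precedence it implements is: the SP's own per-grant checkbox, then the SP's "All" checkbox, then the global per-grant default, and finally fail closed (require authentication) when nothing is configured.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Grant types the UI lists; "implicit" issues tokens from the authorization endpoint,
# so the token-endpoint check below only ever sees the others.
GRANT_TYPES = ("authorization_code", "implicit", "password", "client_credentials", "refresh_token")
TOKEN_ENDPOINT_GRANTS = tuple(g for g in GRANT_TYPES if g != "implicit")

# Server-wide per-grant-type defaults, standing in for the existing global configuration
# (constructed sample values, not the product's real defaults).
GLOBAL_CONFIDENTIAL: Dict[str, bool] = {
    "authorization_code": True,
    "implicit": False,
    "password": True,
    "client_credentials": True,
    "refresh_token": True,
}


@dataclass
class ServiceProvider:
    """A registered application (SP) and its confidentiality settings (assumed shape)."""
    client_id: str
    client_secret: Optional[str] = None
    # The "All" checkbox: True/False applies to every grant type, None means untouched.
    confidential_all: Optional[bool] = None
    # Individual grant-type checkboxes; an explicit entry overrides "All".
    confidential_per_grant: Dict[str, bool] = field(default_factory=dict)


def requires_client_auth(sp: ServiceProvider, grant_type: str,
                         global_defaults: Dict[str, bool] = GLOBAL_CONFIDENTIAL) -> bool:
    """Precedence: SP per-grant setting > SP "All" setting > global per-grant default
    > True, so an unconfigured combination fails closed and demands authentication."""
    if grant_type not in GRANT_TYPES:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    if grant_type in sp.confidential_per_grant:
        return sp.confidential_per_grant[grant_type]
    if sp.confidential_all is not None:
        return sp.confidential_all
    return global_defaults.get(grant_type, True)


def basic_auth_header(client_id: str, secret: str) -> Dict[str, str]:
    """Build the HTTP Basic Authorization header a confidential client would send."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def extract_client_credentials(headers: Dict[str, str],
                               form: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Take client_id/client_secret from HTTP Basic auth if present, else from the form body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None, None
        client_id, _, secret = decoded.partition(":")
        return client_id, secret
    return form.get("client_id"), form.get("client_secret")


def handle_token_request(registry: Dict[str, ServiceProvider], headers: Dict[str, str],
                         form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal token-endpoint gate: resolve confidentiality for (client, grant) and
    verify the client secret whenever it is required or volunteered."""
    grant_type = form.get("grant_type", "")
    if grant_type not in TOKEN_ENDPOINT_GRANTS:
        return 400, {"error": "unsupported_grant_type"}
    client_id, presented = extract_client_credentials(headers, form)
    sp = registry.get(client_id or "")
    if sp is None:
        return 401, {"error": "invalid_client"}
    if presented is not None or requires_client_auth(sp, grant_type):
        # Secrets are compared in constant time; a public client that presents a
        # secret anyway still has to present the right one.
        if sp.client_secret is None or presented is None or not hmac.compare_digest(
                sp.client_secret.encode("utf-8"), presented.encode("utf-8")):
            return 401, {"error": "invalid_client"}
    return 200, {"access_token": f"token-for-{sp.client_id}", "token_type": "Bearer"}


# Constructed registry illustrating the two UI states from the thread plus an SP
# that has no per-app setting and therefore inherits the global defaults.
SAMPLE_REGISTRY: Dict[str, ServiceProvider] = {
    # State 1: "All" checked, every grant type confidential.
    "web-app": ServiceProvider("web-app", "web-secret", confidential_all=True),
    # State 2: "All" unchecked, only authorization code confidential.
    "native-app": ServiceProvider("native-app", "native-secret", confidential_all=False,
                                  confidential_per_grant={"authorization_code": True}),
    # No per-app setting: behaves exactly as the existing global configuration.
    "legacy-app": ServiceProvider("legacy-app", "legacy-secret"),
}

if __name__ == "__main__":
    for cid, sp in SAMPLE_REGISTRY.items():
        print(cid, {g: requires_client_auth(sp, g) for g in GRANT_TYPES})
    print(handle_token_request(SAMPLE_REGISTRY, {}, {"grant_type": "authorization_code",
                                                   "client_id": "native-app", "code": "abc"}))
```

Removing the global layer, as suggested in this reply, is just deleting the `global_defaults` lookup in `requires_client_auth`; the fail-closed `True` at the end then becomes the only fallback, which is the safer direction for an SP that was created without anyone touching the checkboxes.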




Re: Confidential Applications in OAuth2 Flow

Hasintha Indrajee


On Thu, Jan 4, 2018 at 2:38 PM, Rushmin Fernando <[hidden email]> wrote:
IMO, a UI like the one below would solve the problem.

State 1

☑ All
     ☑ Authorization Code
     ☑ Implicit

State 2
   
☐ All
    ☑ Authorization Code
    ☐ Implicit


And we don't need to globally make a grant type confidential, right? IMO we can get rid of it since it makes things a bit complex. Do we have a real use case for that?




--
Best Regards

Rushmin Fernando
Technical Lead

WSO2 Inc. - Lean . Enterprise . Middleware 

mobile : +94775615183





--
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453



Re: Confidential Applications in OAuth2 Flow

Isura Karunaratne
Hi Hasintha,

On Thu, Jan 4, 2018 at 2:10 PM, Hasintha Indrajee <[hidden email]> wrote:
A confidential application in the OAuth2 flow is an application that requires client authentication before retrieving an access token.

According to the current implementation we can define confidential applications only per grant type, i.e. we can define that all applications which use the authorization code grant should be confidential. We do not have the flexibility to decide whether a specific application should be confidential or not.

As a solution we can bring this config to the UI and have a per-application configuration there. If we bring this option to the UI level / per application, we can define the confidentiality of an application, but in contrast we will lose the ability to define whether a specific type of grant should be confidential or not for a specific application.

In order to cater for both application and grant type level confidentiality we may need to have configurations per grant type. WDYT?

IMO, it is enough to have the configuration at SP level.

We can cater for grant-type-wise confidentiality by creating Service Providers per grant type.

Thanks
Isura. 
 


--
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453




--
Isura Dilhara Karunaratne
Associate Technical Lead | WSO2
Mob : +94 772 254 810





Re: Confidential Applications in OAuth2 Flow

tharindue
What would be the default values of client authentication? We need to look into the IS-KM scenario as well, where the SP is generated upon key generation.

Also, would there be options to support this with dynamic client registration as well?

Regards,
TharinduE

On Fri, Jan 5, 2018 at 9:53 AM, Isura Karunaratne <[hidden email]> wrote:
Hi Hasintha,

IMO, it is enough to have the configuration at SP level.

We can cater for grant-type-wise confidentiality by creating Service Providers per grant type.

Thanks
Isura. 
 






--
Isura Dilhara Karunaratne
Associate Technical Lead | WSO2
Mob : +94 772 254 810








--

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586

