WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Youcef HILEM
Hi WSO2 IS Team,

Can you please tell me what the differences are between the OpenID Connect and
OAuth 2.0 federated authenticators?

The links for these two authenticators [1] refer to the same component [2].

We have an OAuth2 server with these endpoints [3]. Can I use this connector
[2]?

I do not know what to put for the two fields:
- OpenID Connect User ID Location
- Additional Query Parameters

Also, there is no userinfo endpoint. In this case, how can I get the user
attributes? Should I use the Introspect endpoint? If so, I must develop a
specific authenticator for our case.

[1] Federated Authentication -
https://docs.wso2.com/display/IS530/Federated+Authentication
[2] Configuring OAuth2-OpenID Connect -
https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect 
[3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints -
https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints

Thanks
Youcef HILEM



--
Sent from: http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2-Architecture-f62919.html
_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Hasanthi Purnima Dissanayake
Hi Youcef,

> Can you please tell me what the differences are between the OpenID Connect and
> OAuth 2.0 federated authenticators?
>
> The links for these two authenticators [1] refer to the same component [2].

Actually, OAuth 2.0 is an authorization framework that is capable of providing a way for clients to access a resource with restricted access on behalf of the resource owner, while OIDC enables clients to verify the end-user identity against the authentication performed by an authorization server. At the same time, OIDC provides methods to transfer the end-user information through claims. The OIDC protocol is built on top of the OAuth2 protocol.

> We have an OAuth2 server with these endpoints [3]. Can I use this connector
> [2]?
>
> I do not know what to put for the two fields:
> - OpenID Connect User ID Location
> - Additional Query Parameters

As you are using an OAuth server, you can keep the second field empty and keep the default setting for 'OpenID Connect User ID Location'.

> Also, there is no userinfo endpoint. In this case, how can I get the user
> attributes?

As I mentioned above, we need to use the OpenID protocol to get the end-user attributes, as the purpose of OAuth is to provide access to a resource with restricted access.

> Should I use the Introspect endpoint?

OAuth 2.0 Token Introspection defines a protocol that allows authorized protected resources to query the authorization server to determine the set of metadata for a given token that was presented to them by an OAuth client. So the response will contain a few claims, such as the user name, but there is no way to get the whole set of user claims from this endpoint. So our recommendation here is to use an OIDC server in order to obtain the user claims.

Thanks,


On Mon, Dec 11, 2017 at 12:46 AM, Youcef HILEM <[hidden email]> wrote:
--
Hasanthi Dissanayake
Senior Software Engineer | WSO2
E: [hidden email]
M: 0718407133 | http://wso2.com
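To make the point above concrete, here is an added example (my own code, not WSO2's and not from anyone in this thread): a verified OIDC ID token hands the relying party the user identifier plus the whole claim set, while an RFC 7662 introspection response carries at most `username`/`sub` and none of the other user attributes. The two ways of picking the user identifier (`sub` or a named claim) are my reading of the 'OpenID Connect User ID Location' setting, and the HS256 key, claims and introspection response are constructed sample data.

```python
# Added example (not from the thread or from WSO2): what a federated authenticator
# can learn about the end user from an OIDC ID token vs an RFC 7662 introspection response.
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    """HS256-signed JWT. Real OPs usually sign with RS256; HMAC keeps this offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now: int) -> dict:
    """The alg, signature, iss, aud and exp checks an RP must pass before trusting claims."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != issuer or client_id not in aud or claims.get("exp", 0) <= now:
        raise ValueError("iss/aud/exp check failed")
    return claims

def user_id_from_id_token(claims: dict, location: str = "sub") -> str:
    """Take 'sub' or a named claim; my reading of the 'OpenID Connect User ID Location' choice."""
    if location not in claims:
        raise KeyError(f"claim {location!r} not present in ID token")
    return str(claims[location])

def user_id_from_introspection(response: dict) -> str:
    """RFC 7662 guarantees only 'active'; username/sub are optional and other user claims absent."""
    if not response.get("active"):
        raise ValueError("token is not active")
    uid = response.get("username") or response.get("sub")
    if uid is None:
        raise ValueError("introspection response carries no user identifier")
    return uid

KEY = b"constructed-shared-secret"  # constructed sample data, as is everything below
ID_CLAIMS = {"iss": "https://op.example", "aud": "wso2-is", "sub": "u-4711",
             "exp": 1_700_000_600, "email": "alice@example.org", "given_name": "Alice"}
INTROSPECTION = {"active": True, "client_id": "wso2-is", "username": "alice", "exp": 1_700_000_600}
```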


Re: WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Youcef HILEM
Hi Hasanthi,

Thank you for your response.

The good news is that we can integrate our OAuth2 server.

Thanks
Youcef HILEM




Re: WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Youcef HILEM
In reply to this post by Hasanthi Purnima Dissanayake
Hi Hasanthi,

Our third-party OAuth2 server supports the Authorization Code Grant and the Password
Grant.

The Authorization Code grant is very well explained (e.g.
http://nuwanzone.blogspot.fr/2015/10/getting-access-tokens-for-wso2-api.html).

My question: can we also use the Password Grant?

Thanks
Youcef HILEM




Re: WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Hasanthi Purnima Dissanayake
Hi Youcef,

From the WSO2 IS server and APIM we support the password grant as well. If you can elaborate more on your use case, maybe I will be able to help you with more details.


Thanks, 

On Thu, Dec 14, 2017 at 6:19 PM, Youcef HILEM <[hidden email]> wrote:
--
Hasanthi Dissanayake
Senior Software Engineer | WSO2
E: [hidden email]
M: 0718407133 | http://wso2.com


Re: WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Youcef HILEM
Hi Hasanthi,

Yes, I know that the password grant is supported.

My question is: can I use the password grant with our third-party OAuth
2.0 IDP [3], just integrated with [2]?


[1] Federated Authentication -
https://docs.wso2.com/display/IS530/Federated+Authentication
[2] Configuring OAuth2-OpenID Connect -
https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect 
[3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints -
https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints

Thanks
Youcef HILEM





Re: WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Farasath Ahamed


On Friday, December 15, 2017, Youcef HILEM <[hidden email]> wrote:
> Hi Hasanthi,
>
> Yes, I know that the password grant is supported.
>
> My question is: can I use the password grant with our third-party OAuth
> 2.0 IDP [3], just integrated with [2]?

No. We do not support the password grant type in our OAuth/OIDC federated authenticator.

However, if you have a strong requirement to federate using the password grant type, you can do so by extending the OAuth/OIDC authenticator. One thing to keep in mind is that you might have to introduce an intermediate page to prompt for the credentials to be used in the password grant request.

As a user, this means I am exposing my credentials at an intermediate page (not at the trusted federated IdP), which could be a security concern. Personally, I would prefer the authorization code flow over the password grant flow to log in using a third-party IdP.

 


--
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619






Re: WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

Youcef HILEM
Hi Ahamed,

Thank you very much for your response.

In this case we will only use the Authorization Code Grant.

Thanks
Youcef HILEM


