On Wed, May 24, 2017 at 6:38 AM, Ishara Cooray <isha...@wso2.com> wrote:
> Hi Naduni,
>
> You need to provide client id and scopes in your request to authorize
> endpoint.
>
> As sanjeewa said, you will need to do the token request from the
> store/publisher app.
> This token request has to be provided with the needed client secret.
> [1] helps to try out authorization grant.
>
> How do you handle the token renewal?
>
> IMO, you can use refresh_token to renew access token.
>

+1 we may use refresh grant for this.

> To do that you can store the refresh_token you receive from the access
> token request and use that to renew the token using refresh_token grant.
> [2] may also be a useful reference.
>
> [1] https://docs.wso2.com/display/IS530/Try+Authorization+Code+Grant
> [2] http://eveonline-third-party-documentation.readthedocs.io/en/latest/sso/authentication.html
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Naduni,
>>
>> In this flow user authentication should be done using ID token (you will
>> get this with access token)
>> And to access the relevant resources you can use access token but need to
>> send necessary scopes in the beginning.
>>
>> And I have following questions regarding this.
>>
>> 1. How do you configure this IDPs other than WSO2 identity server
>> 2. How do you handle logout?
>>
>

I think we can revoke token when user logout happens.

Thanks,
sanjeewa.

>
>> -Ishara
>>
>>
>> On Mon, May 22, 2017 at 11:12 AM, Sanjeewa Malalgoda <sanje...@wso2.com>
>> wrote:
>>
>>> After we receive authorization code browser cannot get token alone. It
>>> needs to have client keys, secrets, scopes etc. So after 8th step onward
>>> token retrieving needs to be handled from publisher/store side. Then app needs
>>> to obtain token and direct user to new page. Also as I remember by the time
>>> we get authorization code we need to show scopes and get user consent for
>>> scopes.
>>>
>>> Thanks,
>>> sanjeewa.
>>>
>>> On Mon, May 22, 2017 at 10:38 AM, Naduni Pamudika <nad...@wso2.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In API Manager, currently we have basic authentication. In order to
>>>> move it into Single Sign On (SSO) for API Manager 3.0 (for Publisher and
>>>> Store logins), it was agreed in [1] to use OpenID Connect (OIDC) with
>>>> authorization code grant type.
>>>>
>>>> Following diagram explains the flow of the SSO feature for
>>>> Publisher/Store Login.
>>>>
>>>>
>>>> Appreciate your feedback and suggestions on the approach.
>>>>
>>>> [1] Mail Subject - "[Architecture] [APIM] [C5] Single sign on support
>>>> in API Manager 3.0"
>>>>
>>>> Thank you.
>>>> Naduni
>>>> --
>>>> *Naduni Pamudika*
>>>> Software Engineer
>>>>
>>>> WSO2 Inc: http://wso2.com
>>>> Email: nad...@wso2.com
>>>> Mobile: 0719143658
>>>>
>>>
>>> --
>>>
>>> *Sanjeewa Malalgoda*
>>> WSO2 Inc.
>>> Mobile : +94713068779
>>>
>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>>
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile:
>> +94717996791
>>
>

--

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
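
The back-channel steps discussed in this thread (the token request made by the Store/Publisher server with the client secret, renewal with the refresh_token grant, and revocation on logout), as an added Python example that is not part of the original messages or of WSO2's code. The endpoint URLs, the redirect URI and the `BackChannel` class are assumptions for illustration; the request shapes follow RFC 6749 and RFC 7009.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode
from urllib.request import Request

# Assumed endpoints and redirect URI for illustration; not taken from the thread.
TOKEN_URL = "https://idp.example.com/oauth2/token"
REVOKE_URL = "https://idp.example.com/oauth2/revoke"
REDIRECT_URI = "https://store.example.com/callback"


class BackChannel:
    """Builds the server-side requests; the client secret never reaches the browser."""

    def __init__(self, client_id, client_secret):
        # RFC 6749 section 2.3.1: form-encode both parts, then Base64 "id:secret".
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        self._auth = "Basic " + base64.b64encode(pair.encode()).decode()
        self.refresh_token = None
        self.expires_at = 0.0

    def _post(self, url, form):
        return Request(url, data=urlencode(form).encode(), method="POST", headers={
            "Authorization": self._auth,
            "Content-Type": "application/x-www-form-urlencoded"})

    def exchange_code(self, code):
        return self._post(TOKEN_URL, {"grant_type": "authorization_code",
                                      "code": code, "redirect_uri": REDIRECT_URI})

    def store(self, body, now):
        """Record a token response; keep the old refresh token if none is returned."""
        tokens = json.loads(body)
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        self.expires_at = now + int(tokens.get("expires_in", 0))
        return tokens["access_token"]

    def renew_if_due(self, now, skew=30):
        """Return a refresh_token grant request once the access token is near expiry."""
        if self.refresh_token is None or now < self.expires_at - skew:
            return None
        return self._post(TOKEN_URL, {"grant_type": "refresh_token",
                                      "refresh_token": self.refresh_token})

    def logout(self):
        """RFC 7009 revocation of the stored refresh token, then forget it locally."""
        token, self.refresh_token = self.refresh_token, None
        if token is None:
            return None
        return self._post(REVOKE_URL, {"token": token,
                                       "token_type_hint": "refresh_token"})
```

Each method returns a prepared `urllib.request.Request`; sending it with `urlopen` and passing the response body to `store` is left to the caller.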