Hi Ishara,

On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna <isha...@wso2.com> wrote:

> Hi Naduni,
>
> In this flow user authentication should be done using ID token (you will get this with access token).
> And to access the relevant resources you can use access token but need to send necessary scopes in the beginning.
>
> And I have following questions regarding this.
>
> 1. How do you configure this IDPs other than WSO2 identity server
> 2. How do you handle logout ?

This is a good question. I just did some quick research on our options. It seems OIDC Session Management spec [1] is the most commonly used solution. It seems that this iframe option is used by IS [2] as well. I also found another 2 new specs [3][4] which are about OIDC logout. [3] is kind of similar to how SAML SLO works. However, they say that "OpenID Connect Front-Channel Logout 1.0 can be used separately from or in combination with OpenID Connect Session Management 1.0 and/or OpenID Connect Back-Channel Logout 1.0." So we may need to think of a better approach. Do you have any opinions on this?

[1] http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
[2] https://docs.wso2.com/display/IS520/Configuring+OpenID+Connect+Single+Logout
[3] http://openid.net/specs/openid-connect-backchannel-1_0.html
[4] http://openid.net/specs/openid-connect-frontchannel-1_0.html

Thanks,
Bhathiya

> -Ishara
>
> On Mon, May 22, 2017 at 11:12 AM, Sanjeewa Malalgoda <sanje...@wso2.com> wrote:
>
>> After we receive authorization code browser cannot get token alone. It needs to have client keys, secrets, scopes etc. So after 8th step onward token retrieving needs to be handled from publisher/store side. Then app need to obtain token and direct user to new page. Also as I remember by the time we get authorization code we need to show scopes and get user consent for scopes.
>>
>> Thanks,
>> sanjeewa.
>>
>> On Mon, May 22, 2017 at 10:38 AM, Naduni Pamudika <nad...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> In API Manager, currently we have basic authentication. In order to move it into Single Sign On (SSO) for API Manager 3.0 (for Publisher and Store logins), it was agreed in [1] to use OpenID Connect (OIDC) with authorization code grant type.
>>>
>>> Following diagram explains the flow of the SSO feature for Publisher/Store Login.
>>>
>>> Appreciate your feedback and suggestions on the approach.
>>>
>>> [1] Mail Subject - "[Architecture] [APIM] [C5] Single sign on support in API Manager 3.0"
>>>
>>> Thank you.
>>> Naduni
>>> --
>>> Naduni Pamudika
>>> Software Engineer
>>> WSO2 Inc: http://wso2.com
>>> Email: nad...@wso2.com
>>> Mobile: 0719143658
>>
>> --
>> Sanjeewa Malalgoda
>> WSO2 Inc.
>> Mobile : +94713068779
>> blog: http://sanjeewamalalgoda.blogspot.com/
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

--
Bhathiya Jayasekara
Associate Technical Lead, WSO2 inc., http://wso2.com
Phone: +94715478185
LinkedIn: http://www.linkedin.com/in/bhathiyaj
Twitter: https://twitter.com/bhathiyax
Blog: http://movingaheadblog.blogspot.com
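The relying-party side of the Back-Channel Logout spec Bhathiya lists as [3], as an added example that is not from this thread or from WSO2's code: the OP posts a signed logout token to the RP, and the RP must validate it before ending the matching Publisher/Store sessions. The issuer, client id, session table and the shared HS256 key are constructed for the example (a real OP signs with its JWKS key instead), so it runs offline.

```python
import base64, hashlib, hmac, json

# Constructed values for this example only: HS256 shared key, OP issuer and RP client id.
SECRET = b"constructed-shared-secret"
ISSUER = "https://idp.example.test"
CLIENT_ID = "apim-publisher"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_logout_token(claims: dict) -> str:
    """Stand-in for the OP: sign the claims as an HS256 JWT (a real OP uses its asymmetric JWKS key)."""
    header, body = _b64url(b'{"alg":"HS256"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str) -> dict:
    """RP-side checks from Back-Channel Logout 1.0 (logout token validation); raise ValueError on failure."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or an alg you did not expect
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    c = json.loads(_b64url_decode(body))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("wrong iss or aud")
    if not isinstance(c.get("iat"), (int, float)) or "jti" not in c:
        raise ValueError("iat and jti are required")  # jti also lets the RP reject replayed tokens
    events = c.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event claim")
    if "sub" not in c and "sid" not in c:
        raise ValueError("sub or sid is required")
    if "nonce" in c:
        raise ValueError("nonce MUST NOT be present")  # keeps an ID token from passing as a logout token
    return c

def sessions_to_terminate(claims: dict, sessions: dict) -> list:
    """Pick the RP sessions to end: by sid when the token carries one, otherwise every session of the sub."""
    key = "sid" if "sid" in claims else "sub"
    return [name for name, meta in sessions.items() if meta[key] == claims[key]]
```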
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture