Hi,

On Wed, May 24, 2017 at 11:49 AM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:

> Hi Ishara,
>
> On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>
>> Hi Naduni,
>>
>> In this flow, user authentication should be done using the ID token (you will get this with the access token), and to access the relevant resources you can use the access token, but you need to send the necessary scopes in the beginning.
>>
>> And I have the following questions regarding this.
>>
>> 1. How do you configure IDPs other than WSO2 Identity Server?
>> 2. How do you handle logout?
>>
>
> This is a good question. I just did some quick research on our options. It seems the OIDC Session Management spec [1] is the most commonly used solution. It seems that this iframe option is used by IS [2] as well.
>
> I also found another 2 new specs [3][4] which are about OIDC logout. [3] is kind of similar to how SAML SLO works.
>
> However, they say that "OpenID Connect Front-Channel Logout 1.0 can be used separately from or in combination with OpenID Connect Session Management 1.0 and/or OpenID Connect Back-Channel Logout 1.0." So we may need to think of a better approach.
>
> Do you have any opinions on this?
>

From my understanding, here you were focusing on using OAuth tokens for SSO, but it is better to use OIDC session management for this; then you can easily manage SLO as well.

@Bhathiya, in IS we have implemented front channel, so you can start with that.

And how do you handle authorization? Do you provision all the scope information to the IDP?

Better to arrange a meeting and discuss.

-Ishara

> [1] http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
> [2] https://docs.wso2.com/display/IS520/Configuring+OpenID+Connect+Single+Logout
> [3] http://openid.net/specs/openid-connect-backchannel-1_0.html
> [4] http://openid.net/specs/openid-connect-frontchannel-1_0.html
>
> Thanks,
> Bhathiya
>
>> -Ishara
>>
>> On Mon, May 22, 2017 at 11:12 AM, Sanjeewa Malalgoda <sanje...@wso2.com> wrote:
>>
>>> After we receive the authorization code, the browser cannot get the token alone. It needs to have client keys, secrets, scopes, etc. So from the 8th step onward, token retrieval needs to be handled from the publisher/store side. Then the app needs to obtain the token and direct the user to a new page. Also, as I remember, by the time we get the authorization code we need to show the scopes and get user consent for the scopes.
>>>
>>> Thanks,
>>> sanjeewa.
>>>
>>> On Mon, May 22, 2017 at 10:38 AM, Naduni Pamudika <nad...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> In API Manager, currently we have basic authentication. In order to move it to Single Sign-On (SSO) for API Manager 3.0 (for Publisher and Store logins), it was agreed in [1] to use OpenID Connect (OIDC) with the authorization code grant type.
>>>>
>>>> The following diagram explains the flow of the SSO feature for Publisher/Store login.
>>>>
>>>> [diagram not reproduced]
>>>>
>>>> Appreciate your feedback and suggestions on the approach.
>>>>
>>>> [1] Mail Subject - "[Architecture] [APIM] [C5] Single sign on support in API Manager 3.0"
>>>>
>>>> Thank you.
>>>> Naduni
>>>> --
>>>> Naduni Pamudika
>>>> Software Engineer
>>>>
>>>> WSO2 Inc: http://wso2.com
>>>> Email: nad...@wso2.com
>>>> Mobile: 0719143658
>>>
>>> --
>>> Sanjeewa Malalgoda
>>> WSO2 Inc.
>>> Mobile: +94713068779
>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Bhathiya Jayasekara
> Associate Technical Lead,
> WSO2 inc., http://wso2.com
>
> Phone: +94715478185
> LinkedIn: http://www.linkedin.com/in/bhathiyaj
> Twitter: https://twitter.com/bhathiyax
> Blog: http://movingaheadblog.blogspot.com

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture