On Mon, Jan 8, 2018 at 4:49 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
> The idea behind this is to decouple the authentication mechanism used by OAuth2 clients from the rest of the OAuth2 logic, so that different types of client authenticators can be plugged. For example, according to specification [1] client_secret_basic, client_secret_post and client_secret_jwt are a few client authentication mechanisms.
>
> The client authentication will be done through an extension. Hence different client authentication criteria can be implemented and plugged.
>
> The interface (API) will consist of three main methods.
>
> 1) canAuthenticate - Decides whether the particular authenticator can authenticate the incoming request or not.
>
> 2) authenticateClient - Authenticates the client request based on the information present. As a result of authentication, the client ID will be available in the context.
>
> 3) getClientId - Depending on the authentication mechanism, the way the client ID is extracted differs. For example, in JWT client authentication the client sends out the client ID within the JWT as the subject. Hence in case authentication fails, we may need to extract the client ID for other purposes, e.g. data publishing, if the client is non-confidential.
>
> The client authenticator has to be implemented as an OSGi bundle and should be deployed in dropins upon building. Also the relevant authenticator name has to be configured in identity.xml under client authenticators.
>
> <ClientAuthHandlers>
>     <ClientAuthHandler Class="org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler"></ClientAuthHandler>
> </ClientAuthHandlers>

Do we have any plan in future to facilitate defining client authenticators per OAuth application (service provider)? Also, do we have a way to define an OAuth application as non-confidential using the UI, or do we need to write a custom client authentication handler to do so?
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
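The three-method contract described in Hasintha's message, worked through as an added Java example. This is not WSO2 code: the class names (`ClientAuthenticator`, `TokenRequest`, `ClientAuthnContext`, `BasicClientAuthenticator`, `ClientAuthenticationHandler`) are assumed stand-ins for illustration, the client store is a constructed map, and only client_secret_basic is implemented. It shows the two security-relevant points of the design: the first authenticator whose `canAuthenticate` accepts the request decides the outcome, and on failure the client ID is still extracted (for data publishing) but remains an unverified claim. Save as `ClientAuthDemo.java` (Java 16+ for the record).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Assumed stand-in for the incoming token request (headers + form parameters).
record TokenRequest(Map<String, String> headers, Map<String, String> params) {}

// Assumed stand-in for the per-request context that receives the client ID.
final class ClientAuthnContext {
    String clientId;        // set by the authenticator on success, or extracted on failure
    boolean authenticated;  // true only after a successful credential check
}

// The three-method contract from the thread (interface name assumed).
interface ClientAuthenticator {
    boolean canAuthenticate(TokenRequest request);
    boolean authenticateClient(TokenRequest request, ClientAuthnContext ctx);
    Optional<String> getClientId(TokenRequest request);
}

// client_secret_basic: "Authorization: Basic base64(clientId:secret)".
final class BasicClientAuthenticator implements ClientAuthenticator {
    private final Map<String, String> secrets; // constructed store: clientId -> secret
    BasicClientAuthenticator(Map<String, String> secrets) { this.secrets = secrets; }

    @Override
    public boolean canAuthenticate(TokenRequest request) {
        String auth = request.headers().get("Authorization");
        return auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6);
    }

    // Returns {clientId, secret}, or null when the header is absent or malformed.
    private String[] decode(TokenRequest request) {
        String auth = request.headers().get("Authorization");
        if (auth == null || auth.length() < 6) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(auth.substring(6).trim()), StandardCharsets.UTF_8);
            int sep = pair.indexOf(':');
            return sep <= 0 ? null : new String[] { pair.substring(0, sep), pair.substring(sep + 1) };
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
    }

    @Override
    public Optional<String> getClientId(TokenRequest request) {
        String[] creds = decode(request);
        return creds == null ? Optional.empty() : Optional.of(creds[0]);
    }

    @Override
    public boolean authenticateClient(TokenRequest request, ClientAuthnContext ctx) {
        String[] creds = decode(request);
        if (creds == null) return false;
        String expected = secrets.get(creds[0]);
        // MessageDigest.isEqual compares equal-length inputs in constant time, so
        // response timing does not reveal how much of a submitted secret was right.
        boolean ok = expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), creds[1].getBytes(StandardCharsets.UTF_8));
        if (ok) ctx.clientId = creds[0]; // client ID lands in the context on success
        return ok;
    }
}

// Runs the plugged authenticators in configured order; the first one whose
// canAuthenticate() accepts the request decides the outcome.
final class ClientAuthenticationHandler {
    private final List<ClientAuthenticator> authenticators;
    ClientAuthenticationHandler(List<ClientAuthenticator> authenticators) { this.authenticators = authenticators; }

    public ClientAuthnContext handle(TokenRequest request) {
        ClientAuthnContext ctx = new ClientAuthnContext();
        for (ClientAuthenticator a : authenticators) {
            if (!a.canAuthenticate(request)) continue;
            boolean ok = a.authenticateClient(request, ctx);
            // On failure the ID is still extracted (e.g. for data publishing), but it is
            // an unverified claim: authenticated stays false and nothing may trust it.
            if (!ok) a.getClientId(request).ifPresent(id -> ctx.clientId = id);
            ctx.authenticated = ok;
            return ctx;
        }
        return ctx; // no authenticator claimed the request: it stays unauthenticated
    }
}

public class ClientAuthDemo {
    public static void main(String[] args) {
        // Constructed registration of one confidential client.
        ClientAuthenticationHandler handler = new ClientAuthenticationHandler(
                List.of(new BasicClientAuthenticator(Map.of("app-123", "s3cret"))));
        for (String pair : List.of("app-123:s3cret", "app-123:wrong")) {
            String cred = Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
            TokenRequest req = new TokenRequest(Map.of("Authorization", "Basic " + cred),
                                                Map.of("grant_type", "client_credentials"));
            ClientAuthnContext ctx = handler.handle(req);
            System.out.println("client=" + ctx.clientId + " authenticated=" + ctx.authenticated);
        }
    }
}
```

A client_secret_post or client_secret_jwt authenticator would implement the same interface; for the JWT case `getClientId` would read the `sub` claim, which is exactly the situation the message describes where the ID is known before (or without) the signature being verified, so the dispatcher keeps the ID and the verdict separate.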