Thanks Jinghai,

This clarifies things a lot. I'm all for this step by step, in Jiras with 
patches :)

I'm not a big fan of blockchain (yet?) but let's see...

Just as off topic notes to share:

For a client I have implemented the SAML2 protocol. I see it as similar to SOAP in its nature: not trendy but with a large spectrum, very serious and sure (read: well secured).
From my experience, using the Shibboleth framework is the best way to integrate 
SAML IMO. But that's really for big (global) organisations.

https://stackoverflow.com/questions/29843794/cas-server-with-saml-2#answer-29893206

BTW I read "No standard way to force logout, though (CAS has this feature)." at 
the bottom of

https://stackoverflow.com/questions/2033026/sso-with-cas-or-oauth#answer-3181557

SAML also has this feature, and there is a joke about it: 
https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860

Just try to implement and then use SLO (Single Log Out) and maybe you will 
share the idea.

Have fun :)

Jacques


Le 20/08/2018 à 17:54, Shi Jinghai a écrit :
Hi Jacques,

The LDAP plugin can be split into 2 parts, LDAP and CAS client. The LDAP part can 
be removed, because Andrian Crum implemented it in framework/security; he 
insisted it's earlier than mine, and I agree now. The CAS client can be merged into 
the passport plugin. Personally I think the CAS protocol is the origin of OAuth2 
and many others, and it's stricter than OAuth2 as its service token can be 
used/validated only once, to prevent naughty children at Yale University from reusing 
the service tokens; typically an access token in OAuth2 has a much longer 
lifetime (from hours to months).

The CAS plugin I mentioned is a cas-server, to make OFBiz a central OAuth2 
provider. It's not related to OFBIZ-10307; it's a part of the WebPOS2 contribution 
I promised last year. Adding a method attribute in the request map (OFBIZ-10438) 
is the 1st step, the CAS plugin is the 2nd step, the OpenAPI (swagger) plugin is the 
3rd step, then the WebPOS2 (Angular) plugin, and perhaps a Wechat/Facebook 
(React) mini app further on. Not in a hurry, we can achieve it step by step :)

Briefly, this belongs to the mobile support line. I'll try to open a blockchain 
support line when the community has a common interest in the blockchain area.

Kind Regards,

Shi Jinghai
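The single-use property Jinghai attributes to the CAS service ticket, against an OAuth2 access token that stays valid for hours, is easiest to see side by side. The block below is an added example written for this page, not code from Apereo CAS, OFBiz or the plugin under discussion; the store classes, the "ST-" prefix, the lifetimes and the service URLs are assumptions made for the illustration, and the block uses only the Python standard library.

```python
import secrets
import time


class ServiceTicketStore:
    """CAS-style service tickets (assumed shape, not Apereo CAS code): bound to
    one service, short-lived, and consumed on the first validation attempt,
    whether that attempt succeeds or not."""

    def __init__(self, ttl_seconds=10):
        self.ttl_seconds = ttl_seconds
        self._tickets = {}  # ticket -> (user_login_id, service, issued_at)

    def issue(self, user_login_id, service, now=None):
        now = time.time() if now is None else now
        ticket = "ST-" + secrets.token_urlsafe(24)  # 192 bits of randomness
        self._tickets[ticket] = (user_login_id, service, now)
        return ticket

    def validate(self, ticket, service, now=None):
        """Return (user_login_id, "ok") or (None, reason). The ticket is popped
        from the store on the first call, so any replay fails."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None, "unknown or already used"
        user_login_id, bound_service, issued_at = entry
        if bound_service != service:
            return None, "ticket issued for a different service"
        if now - issued_at > self.ttl_seconds:
            return None, "expired"
        return user_login_id, "ok"


class BearerTokenStore:
    """OAuth2-style bearer access tokens: the token is the key, the value is
    the user login, and the entry stays usable on every request until expiry."""

    def __init__(self, ttl_seconds=3600):
        self.ttl_seconds = ttl_seconds
        self._tokens = {}  # token -> (user_login_id, issued_at)

    def issue(self, user_login_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_login_id, now)
        return token

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.get(token)  # looked up, not removed: reusable
        if entry is None:
            return None, "unknown"
        user_login_id, issued_at = entry
        if now - issued_at > self.ttl_seconds:
            del self._tokens[token]
            return None, "expired"
        return user_login_id, "ok"


def demo(now=1_000_000.0):
    """Walk one ticket and one token through a few validations and return the
    outcomes, so the difference between the two models is visible."""
    service = "https://pos.example/login"  # assumed service URL
    cas = ServiceTicketStore(ttl_seconds=10)
    st = cas.issue("admin", service, now=now)
    outcomes = {
        "st_first_use": cas.validate(st, service, now=now + 1),
        "st_replay": cas.validate(st, service, now=now + 2),
    }
    st2 = cas.issue("admin", service, now=now)
    outcomes["st_other_service"] = cas.validate(st2, "https://evil.example/login", now=now + 1)
    outcomes["st_after_mismatch_replay"] = cas.validate(st2, service, now=now + 1)
    st3 = cas.issue("admin", service, now=now)
    outcomes["st_expired"] = cas.validate(st3, service, now=now + 11)

    oauth = BearerTokenStore(ttl_seconds=3600)
    at = oauth.issue("admin", now=now)
    outcomes["at_first_use"] = oauth.validate(at, now=now + 1)
    outcomes["at_second_use"] = oauth.validate(at, now=now + 1800)
    outcomes["at_expired"] = oauth.validate(at, now=now + 3601)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} -> {result}")
```

The point of popping the ticket before any check is that a failed validation (wrong service, expired) also burns it, so an attacker who intercepts a ticket and guesses the service wrong does not get a second try; the bearer token, by design, has no such protection and relies on its lifetime and on TLS.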


-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: 20 August 2018 15:59
To: dev@ofbiz.apache.org
Subject: Re: OFBIZ-10307: Navigate from a domain to another with automated signed in 
authentication

Hi Jinghai,

I'm not sure why you want to create a CAS plugin. At least it's unrelated to 
OFBIZ-1307

Also are you aware of 
https://demo-trunk.ofbiz.apache.org/cmssite/cms/APACHE_OFBIZ_HTML#CASLDAP ?

Does this still work? Do we need a new plugin?

Thanks

Jacques


Le 19/08/2018 à 22:00, Shi Jinghai a écrit :
Thanks Jacques!

If so, I'll release a CAS plugin to make OFBiz offer OAuth2 alliance next week. 
I have the cas 4.2.x version running in a production environment; I'll upgrade it to 
cas 5.2.x and then release it.



-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: 19 August 2018 18:34
To: dev@ofbiz.apache.org
Subject: Re: OFBIZ-10307: Navigate from a domain to another with automated signed in 
authentication

Hi Jinghai,

Actually I did not pick auth0 (not to be confused with 
https://en.wikipedia.org/wiki/OAuth) nor https://oauth.net/2/ because those 
need a central Identity server (as does the SAML protocol).

I simply send a JWT token: https://en.wikipedia.org/wiki/JSON_Web_Token and 
https://jwt.io/ to

Please refer to OFBIZ-10307 "Navigate from a domain to another with automated signed 
in authentication"

Thanks for your interest.

Jacques


Le 17/08/2018 à 09:02, Shi Jinghai a écrit :
Hi Jacques,

OK, I think the redis topic is moved to the next step.

I have read the patches carefully; as a fan of Apereo CAS[1], I wonder why choose 
auth0[2] rather than CAS. And is the implementation OAuth2 alliance?

[1] https://github.com/apereo/cas
[2] https://auth0.com/

Kind Regards,

Shi Jinghai


-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: 16 August 2018 2:08
To: dev@ofbiz.apache.org
Subject: Re: OFBIZ-10307: Navigate from a domain to another with automated signed in 
authentication

Hi Jinghai,

The problem with the token master secret key is to guarantee its secrecy at max.

We already discussed different solutions at https://s.apache.org/7yyR and 
https://s.apache.org/IBDM

How is Redis more secure than Postgres for storing values?

Thanks

Jacques


Le 15/08/2018 à 14:37, Shi Jinghai a écrit :
Dear Jacques,

On how to store the Tokens: as a token is a key and the value is the UserLogin entity 
and/or other info, a key-value db, Redis[1], is a good choice. Redis is no. 7 in the 
db ranking in Aug 2018[2] and becomes more and more popular. Goldman Sachs 
invested in the Redis team last year[3]. It's a common view now in China that Redis 
is better than any others including Gemfire of Pivotal; the railway ticket 
system of China replaced its 3 Gemfire clusters with 3 Redis clusters last year 
and then there were many fewer complaints about how difficult it is to buy spring 
festival tickets.

Mr. Dai Haipeng contributed a Redis component in Jira[4].

[1] https://redis.io/
[2] https://db-engines.com/en/ranking
[3] 
https://redislabs.com/press/redis-labs-secures-44-million-funding-led-goldman-sachs-private-capital-investing-strengthen-database-leadership/
[4] https://issues.apache.org/jira/browse/OFBIZ-9829

BTW, I'll try to review the patches.

Kind Regards,

Shi Jinghai

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: 15 August 2018 15:09
To: dev@ofbiz.apache.org
Subject: OFBIZ-10307: Navigate from a domain to another with automated signed in 
authentication

Hi,

Some time ago I created https://issues.apache.org/jira/browse/OFBIZ-10307.

I asked for reviews but only Taher answered and he asked to know the goal of 
this new feature.

It was actually developed for a client who needed to get from one OFBiz 
instance on a server (on a domain) to another OFBiz instance on another
server (on another domain) without having to sign up between the 2 while 
keeping things secure.

There could be many reasons why you want to split OFBiz application on servers. 
In their case it was for performance issues.

The technology used is as secure as possible. Like OAuth 2.0 it uses a token 
but it does not need a middle authorization server (think of two-factor
authentication) because it's only for OFBiz instances of the same version.

To commit this work we need first to agree on and commit the work done by Deepak at OFBIZ-9833 
"Token Based Authentication", which I use in my last patch.

For me there is only one question outstanding: how to store the Token secret. 
But this should not prevent us from committing Deepak's work.

It's now a long time (9 months) since I started this work. And my last patch is 
ready for a month.

I came across several issues which are now all resolved. So please review and 
answer in this thread.

Without well-argued negative comments I'll commit both OFBIZ-9833 and 
OFBIZ-10307 in a week. You can always test and review later, we use RTC.

Also a veto on a commit is always possible... Of course, as ever, a good 
consensus is preferred.

Let me know if you need more information about the goal. For the technical 
details I think I already provided them in OFBIZ-10307.

Jacques
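The handoff Jacques describes above, and in his later reply (a JWT carried from one OFBiz instance to another, no authorization server in between, secured by a secret both instances hold), can be sketched in a few lines. The block below is an added example written for this page; it is not the OFBIZ-10307 or OFBIZ-9833 patch nor any OFBiz code. The instance names, the shared-secret value, the claim set and the 60-second lifetime are assumptions, and the block uses only the Python standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (not from the thread): both instances hold this secret, provisioned
# out of band and kept out of the code base; the value is a placeholder.
SHARED_SECRET = b"placeholder-shared-secret-replace-with-32-random-bytes"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff_token(user_login_id, issuer, audience, ttl_seconds=60,
                       now=None, secret=SHARED_SECRET):
    """HS256 JWT stating who is signed in (sub), which instance says so (iss),
    which instance may accept it (aud) and a short lifetime (exp)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": user_login_id,
              "iat": now, "exp": now + ttl_seconds}
    compact = dict(separators=(",", ":"))
    signing_input = (_b64url(json.dumps(header, **compact).encode()) + "."
                     + _b64url(json.dumps(claims, **compact).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_handoff_token(token, expected_audience, trusted_issuers,
                         now=None, secret=SHARED_SECRET):
    """Return (user_login_id, "ok") or (None, reason). The algorithm is pinned
    rather than read from the token, and the signature is checked before any
    claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"  # refuses alg=none and key-confusion tricks
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return None, "malformed"
    if not isinstance(claims, dict):
        return None, "malformed"
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"  # a token for instance A must not sign you in to B
    if claims.get("iss") not in trusted_issuers:
        return None, "untrusted issuer"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "expired"
    return claims.get("sub"), "ok"


def demo(now=1_600_000_000):
    """Mint one token on instance A for instance B and try the ways it can go
    wrong; returns the outcomes keyed by scenario."""
    a, b = "https://erp-a.example", "https://erp-b.example"  # assumed instance names
    token = mint_handoff_token("admin", issuer=a, audience=b, ttl_seconds=60, now=now)
    h, c, s = token.split(".")
    # Constructed attacks: claims swapped under the original signature, and an
    # unsigned token claiming alg=none.
    forged_claims = _b64url(json.dumps({"iss": a, "aud": b, "sub": "admin2",
                                        "iat": now, "exp": now + 60},
                                       separators=(",", ":")).encode())
    forged = f"{h}.{forged_claims}.{s}"
    unsigned = _b64url(b'{"alg":"none","typ":"JWT"}') + f".{c}."
    return {
        "valid": verify_handoff_token(token, b, {a}, now=now + 30),
        "expired": verify_handoff_token(token, b, {a}, now=now + 60),
        "wrong_audience": verify_handoff_token(token, a, {a}, now=now + 30),
        "tampered_claims": verify_handoff_token(forged, b, {a}, now=now + 30),
        "alg_none": verify_handoff_token(unsigned, b, {a}, now=now + 30),
        "wrong_secret": verify_handoff_token(token, b, {a}, now=now + 30, secret=b"other"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

Two details matter for the secrecy question raised later in the thread: with HS256 every instance that can verify a token can also mint one, so the shared secret is as sensitive as a password database and belongs in neither the repository nor a world-readable config; and the short `exp` plus the `aud` check are what keep a token captured on one domain from being replayed on another or hours later.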

