Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-15 Thread Farasath Ahamed
On Friday, December 15, 2017, Youcef HILEM wrote:

> Hi Hasanthi,
>
> Yes, I know that the password grant is supported.
>
> My question is: can I use the password grant with our third party IDP OAuth
> 2.0 [3] just integrated with [2].


No. We do not support password grant type in our OAuth/OIDC federated
authenticator.

However, if you have a strong requirement to federate using password grant
type you can do so by extending the OAuth/OIDC authenticator. One thing to
keep in mind is that you might have to introduce an intermediate page to
prompt for credentials to be used in the password grant request.

As a user this means I am exposing my credentials at an intermediate
page (not at the trusted federated IdP), which could be a security concern.
Personally I would prefer the authorization code flow over password grant
flow to log in using a third party IdP.



>
>
> [1] Federated Authentication -
> https://docs.wso2.com/display/IS530/Federated+Authentication
> [2] Configuring OAuth2-OpenID Connect -
> https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect
> [3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints -
> https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints
>
> Thanks
> Youcef HILEM
>
>
>
>
> --
> Sent from: http://wso2-oxygen-tank.10903.n7.nabble.com/WSO2-Architecture-f62919.html
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-15 Thread Youcef HILEM
Hi Hasanthi,

Yes, I know that the password grant is supported.

My question is: can I use the password grant with our third party IDP OAuth
2.0 [3] just integrated with [2].


[1] Federated Authentication - 
https://docs.wso2.com/display/IS530/Federated+Authentication
[2] Configuring OAuth2-OpenID Connect - 
https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect  
[3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints - 
https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints

Thanks
Youcef HILEM






Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-15 Thread Hasanthi Purnima Dissanayake
Hi Youcef,

From the WSO2 IS server and APIM we support the password grant as well. If you
can elaborate more on your use case, maybe I will be able to help you with
more details.

[1] https://docs.wso2.com/display/IS530/Try+Password+Grant
[2] https://docs.wso2.com/display/AM210/Password+Grant

Thanks,

On Thu, Dec 14, 2017 at 6:19 PM, Youcef HILEM wrote:

> Hi Hasanthi,
>
> Our third party OAuth2 server supports Authorization Code Grant and
> Password Grant.
>
> Authorization Code is very well explained (ex :
> http://nuwanzone.blogspot.fr/2015/10/getting-access-tokens-for-wso2-api.html).
>
> My question : Can we also use Password Grant ?
>
> Thanks
> Youcef HILEM
>
>
>



-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 


Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-14 Thread Youcef HILEM
Hi Hasanthi,

Our third party OAuth2 server supports Authorization Code Grant and Password
Grant.

Authorization Code is very well explained (ex :
http://nuwanzone.blogspot.fr/2015/10/getting-access-tokens-for-wso2-api.html).

My question : Can we also use Password Grant ? 

Thanks
Youcef HILEM





Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-12 Thread Youcef HILEM
Hi Hasanthi,

Thank you for your response.

The good news is that we can integrate our OAuth2 server.

Thanks
Youcef HILEM





Re: [Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-10 Thread Hasanthi Purnima Dissanayake
Hi Youcef,

>
> Can you please tell me what are the differences between OpenID Connect &
> OAuth 2.0 federated authenticators ?
>
> The links for these two authenticators [1]  refer to the same component
> [2].


Actually, OAuth 2.0 is an authorization framework that is capable of
providing a way for clients to access a resource with restricted access on
behalf of the resource owner, while OIDC enables clients to verify the
end-user identity against the authentication performed by an authorization
server. At the same time, OIDC provides methods to transfer the end user
information through claims. The OIDC protocol is built on top of the OAuth2
protocol.

> We have an OAuth2 server with these endpoints [3]. Can I use this connector
> [2] ?
>
> I do not know what to put for the two fields:
> - OpenID Connect User ID Location
> - Additional Query Parameters


As you are using an OAuth server, you can keep the second field empty and
keep the default setting for the 'OpenID Connect User ID Location'.

> Also there is no userinfo endpoint. And in this case how to get user
> attributes ?

As I mentioned above, we need to use the OpenID protocol to get end user
attributes, as the purpose of OAuth is to provide accessibility for a
resource with restricted access.

> Should I use Introspect endpoint ?

OAuth 2.0 Token Introspection defines a protocol that allows authorized
protected resources to query the authorization server to determine the set
of metadata for a given token that was presented to them by an OAuth
client. So the response will contain a few claims such as user name, but from
this endpoint there is no way to get the whole set of user claims. So our
recommendation here is to use an OIDC server in order to obtain the user
claims.

Thanks,


On Mon, Dec 11, 2017 at 12:46 AM, Youcef HILEM wrote:

> Hi WSO2 IS Team,
>
> Can you please tell me what are the differences between OpenID Connect &
> OAuth 2.0 federated authenticators ?
>
> The links for these two authenticators [1]  refer to the same component
> [2].
>
> We have an OAuth2 server with these endpoints [3]. Can I use this connector
> [2] ?
>
> I do not know what to put for the two fields:
> - OpenID Connect User ID Location
> - Additional Query Parameters
>
> Also there is no userinfo endpoint. And in this case how to get user
> attributes ? Should I use Introspect endpoint ? If so, then I must develop a
> specific authenticator for our case.
>
> [1] Federated Authentication -
> https://docs.wso2.com/display/IS530/Federated+Authentication
> [2] Configuring OAuth2-OpenID Connect -
> https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect
> [3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints -
> https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints
>
> Thanks
> Youcef HILEM
>
>
>



-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: hasan...@wso2.com
M :0718407133| http://wso2.com 
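
The difference described in the reply above, as an added example (not part of the original thread and not WSO2 code): what a relying party can read from an OIDC token response versus a plain OAuth 2.0 token plus an RFC 7662 introspection response. It assumes an HS256 ID token keyed with the client secret (many IdPs sign with RS256 instead); the issuer, client id, secret and all sample responses are constructed.

```python
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP: issue an HS256 ID token (constructed sample)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{head}.{_b64(json.dumps(claims).encode())}"
    return f"{signing_input}.{_b64(_sign(signing_input, secret))}"

def claims_from_id_token(id_token, secret, issuer, client_id, now=None):
    """Check signature, iss, aud and exp; nonce handling is left out here."""
    head, body, sig = id_token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{head}.{body}", secret), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def user_attributes(token_response, introspection, **check):
    """Return (source, attributes) a relying party can map to local claims."""
    if "id_token" in token_response:  # OIDC: identity arrives as signed claims
        claims = claims_from_id_token(token_response["id_token"], **check)
        protocol = {"iss", "aud", "exp", "iat", "nonce"}
        return "id_token", {k: v for k, v in claims.items() if k not in protocol}
    if not introspection.get("active"):  # plain OAuth 2.0: token metadata only
        raise ValueError("token not active")
    return "introspection", {k: introspection[k] for k in ("username", "sub") if k in introspection}

# Constructed sample data; issuer, client id and secret are hypothetical.
SECRET, ISS, CLIENT = b"constructed-client-secret", "https://idp.example", "rp-client"
OIDC_RESPONSE = {"access_token": "at-1", "token_type": "Bearer", "id_token": make_id_token(
    {"iss": ISS, "aud": CLIENT, "sub": "u-1001", "exp": 4102444800,
     "email": "alice@example.com", "given_name": "Alice"}, SECRET)}
OAUTH_RESPONSE = {"access_token": "at-2", "token_type": "Bearer"}
INTROSPECTION = {"active": True, "username": "alice", "scope": "read", "client_id": CLIENT}
```

With the OIDC response the relying party gets `sub`, `email` and `given_name`; with the OAuth-only response it gets just the `username` from introspection.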


[Architecture] WSO2 IS : what are the differences between OpenID Connect & OAuth 2.0 federated authenticators

2017-12-10 Thread Youcef HILEM
Hi WSO2 IS Team,

Can you please tell me what are the differences between OpenID Connect &
OAuth 2.0 federated authenticators ?

The links for these two authenticators [1]  refer to the same component [2].

We have an OAuth2 server with these endpoints [3]. Can I use this connector
[2] ?

I do not know what to put for the two fields:
- OpenID Connect User ID Location   
- Additional Query Parameters

Also there is no userinfo endpoint. And in this case how to get user
attributes ? Should I use Introspect endpoint ? If so, then I must develop a
specific authenticator for our case.

[1] Federated Authentication -
https://docs.wso2.com/display/IS530/Federated+Authentication
[2] Configuring OAuth2-OpenID Connect -
https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect 
[3] IBM Security Access Manager 9.0.3.1 - OAuth 2.0 endpoints -
https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.3.1/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints

Thanks
Youcef HILEM


