Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-24 Thread Asela Pathberiya
On Wed, May 24, 2017 at 12:11 PM, Roshan Wijesena  wrote:

>
> On Wed, May 24, 2017 at 1:19 AM, Bhathiya Jayasekara 
> wrote:
>
>> 1. How do you configure this for IDPs other than the WSO2 Identity Server?
>>
>
> This is a good question: what if the other IDP does not support OIDC? Any
> other solution for SSO? What happened to SAML, are we not supporting it?
>

We need to support both SAML2 & OpenID Connect... SAML2 SSO is still
mostly used... we cannot just remove it...

Thanks,
Asela.



-- 
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
 +358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-23 Thread Ishara Karunarathna
Hi,

On Wed, May 24, 2017 at 11:49 AM, Bhathiya Jayasekara 
wrote:

> Hi Ishara,
>
> On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna 
> wrote:
>
>> Hi Naduni,
>>
>> In this flow user authentication should be done using ID token (you will
>> get this with access token )
>> And to access the relevant resources you can use access token but need to
>> send necessary scopes in the beginning.
>>
>> And I have following questions regarding this.
>>
>> 1. How do you configure this for IDPs other than the WSO2 Identity Server?
>> 2. How do you handle logout?
>>
>
> This is a good question. I just did some quick research on our options. It
> seems the OIDC Session Management spec[1] is the most commonly used solution.
> It seems that this iframe option is used by IS[2] as well.
>
> I also found another 2 new specs[3][4] which are about OIDC logout. [3] is
> kind of similar to how SAML SLO works.
>
> However, they say that "OpenID Connect Front-Channel Logout 1.0 can be
> used separately from or in combination with OpenID Connect Session
> Management 1.0 and/or OpenID Connect Back-Channel Logout 1.0.". So we may
> need to think of a better approach.
>
> Do you have any opinions on this?
>
For my understanding, here you were focusing on using an OAuth token for SSO,
but better to use OIDC session management for this; then you can easily
manage SLO as well.
@Bhathiya, in IS we have implemented front channel, so you can start with
that.

And how do you handle authorization? Do you provision all the scope
information to the IDP?

Better to arrange a meeting and discuss.

-Ishara

>
> [1] http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
> [2] https://docs.wso2.com/display/IS520/Configuring+OpenID+Connect+Single+Logout
> [3] http://openid.net/specs/openid-connect-backchannel-1_0.html
> [4] http://openid.net/specs/openid-connect-frontchannel-1_0.html
>
> Thanks,
> Bhathiya

-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-23 Thread Roshan Wijesena
On Wed, May 24, 2017 at 1:19 AM, Bhathiya Jayasekara 
wrote:

> 1. How do you configure this for IDPs other than the WSO2 Identity Server?
>

This is a good question: what if the other IDP does not support OIDC? Any
other solution for SSO? What happened to SAML, are we not supporting it?


> 2. How do you handle logout ?


Can't we send a revoke token request on logout and do a page refresh
after a successful revoke?




-- 
Roshan Wijesena.
Senior Software Engineer-WSO2 Inc.
Mobile: *+94719154640*
Email: ros...@wso2.com
WSO2, Inc. : wso2.com
lean.enterprise.middleware.


Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-23 Thread Bhathiya Jayasekara
Hi Ishara,

On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna 
wrote:

> Hi Naduni,
>
> In this flow user authentication should be done using the ID token (you will
> get this with the access token).
> And to access the relevant resources you can use the access token, but you need to
> send the necessary scopes in the beginning.
>
> And I have the following questions regarding this.
>
> 1. How do you configure this for IDPs other than the WSO2 Identity Server?
> 2. How do you handle logout?
>

This is a good question. I just did some quick research on our options. It
seems the OIDC Session Management spec[1] is the most commonly used solution.
It seems that this iframe option is used by IS[2] as well.

I also found another 2 new specs[3][4] which are about OIDC logout. [3] is
kind of similar to how SAML SLO works.

However, they say that "OpenID Connect Front-Channel Logout 1.0 can be used
separately from or in combination with OpenID Connect Session Management
1.0 and/or OpenID Connect Back-Channel Logout 1.0.". So we may need to
think of a better approach.

Do you have any opinions on this?

[1] http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions
[2] https://docs.wso2.com/display/IS520/Configuring+OpenID+Connect+Single+Logout
[3] http://openid.net/specs/openid-connect-backchannel-1_0.html
[4] http://openid.net/specs/openid-connect-frontchannel-1_0.html

Thanks,
Bhathiya



-- 
*Bhathiya Jayasekara*
*Associate Technical Lead,*
WSO2 inc., http://wso2.com
Phone: +94715478185
LinkedIn: http://www.linkedin.com/in/bhathiyaj
Twitter: https://twitter.com/bhathiyax
Blog: http://movingaheadblog.blogspot.com
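The two logout mechanisms compared in Ishara's and Bhathiya's messages above, as an added example in Python that is not part of the thread or of WSO2's code: the relying party (publisher/store) starts single logout by sending the browser to the OP's end_session_endpoint with id_token_hint, and the OP's front-channel logout request (OpenID Connect Front-Channel Logout 1.0, loaded in an iframe) is validated before any RP session is ended. The issuer, endpoint URL, session ids and app names are constructed, and the RP is assumed to have registered with frontchannel_logout_session_required so that iss and sid arrive with every logout request.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration: the OP this RP trusts and its end_session_endpoint
# (in a real deployment both come from the OP's discovery document).
TRUSTED_ISSUER = "https://idp.example.com/oauth2/token"
END_SESSION_ENDPOINT = "https://idp.example.com/oidc/logout"


def new_session_table():
    """Constructed RP session store, keyed by the `sid` claim of each user's ID token."""
    return {"sid-1111": {"sub": "alice", "app": "publisher"},
            "sid-2222": {"sub": "bob", "app": "store"}}


def build_rp_initiated_logout_url(id_token, post_logout_redirect_uri, state,
                                  end_session_endpoint=END_SESSION_ENDPOINT):
    """Step 1 of SLO started from the app: redirect the browser to the OP's
    end_session_endpoint. id_token_hint tells the OP which session to end and
    `state` is echoed back to post_logout_redirect_uri so the RP can match it."""
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri,
                       "state": state})
    return f"{end_session_endpoint}?{query}"


def handle_frontchannel_logout(request_url, sessions, trusted_issuer=TRUSTED_ISSUER):
    """Step 2: the OP renders GET <frontchannel_logout_uri>?iss=...&sid=... in an
    iframe for every RP that shares the OP session. End only the RP session bound
    to that exact (iss, sid) pair and report what happened as (status, message)."""
    query = parse_qs(urlparse(request_url).query)
    iss = query.get("iss", [None])[0]
    sid = query.get("sid", [None])[0]
    if iss is None or sid is None:
        # frontchannel_logout_session_required=true: both parameters must be present.
        return 400, "iss and sid required"
    if iss != trusted_issuer:
        # Any page can embed our logout URI in an iframe; only our own OP's issuer counts.
        return 400, "issuer mismatch"
    session = sessions.pop(sid, None)
    if session is None:
        # Unknown or already-ended sid: nothing to do, but answer 200 so the OP's iframe completes.
        return 200, "no matching session"
    return 200, f"ended {session['app']} session for {session['sub']}"


if __name__ == "__main__":
    table = new_session_table()
    print(build_rp_initiated_logout_url("<id-token>", "https://publisher.example.com/", "st-1"))
    print(handle_frontchannel_logout(
        "https://publisher.example.com/fc-logout?iss=https%3A%2F%2Fidp.example.com%2Foauth2%2Ftoken&sid=sid-1111",
        table))
```

The front-channel request is cross-site (the OP's page loads the RP's URI in an iframe), so the RP should not rely on its own session cookie being sent with it; looking the session up by the sid the ID token carried is what makes the request actionable, and the issuer check plus the sid lookup mean a request only ends a session the trusted OP actually established.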


Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-23 Thread Sanjeewa Malalgoda
On Wed, May 24, 2017 at 6:38 AM, Ishara Cooray  wrote:

> Hi Naduni,
>
> You need to provide client id and scopes in your request to authorize
> endpoint.
>
> As sanjeewa said, you will need to do the token request from the
> store/publisher app.
> This token request has to be provided with the client secret.
> [1] helps to try out the authorization grant.
>
> How do you handle the token renewal?
>
> IMO, you can use refresh_token to renew access token.
>
+1, we may use the refresh grant for this.

> To do that you can store the refresh_token you receive from the access
> token request and use that to renew the token using refresh_token grant.
> [2] may also be a useful reference.
>
> [1] https://docs.wso2.com/display/IS530/Try+Authorization+Code+Grant
> [2] http://eveonline-third-party-documentation.readthedocs.io/en/latest/sso/authentication.html
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna 
> wrote:
>
>> Hi Naduni,
>>
>> In this flow user authentication should be done using the ID token (you will
>> get this with the access token).
>> And to access the relevant resources you can use the access token, but you need to
>> send the necessary scopes in the beginning.
>>
>> And I have the following questions regarding this.
>>
>> 1. How do you configure this for IDPs other than the WSO2 Identity Server?
>> 2. How do you handle logout?
>>
I think we can revoke the token when user logout happens.

Thanks,
sanjeewa.



-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/



Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-23 Thread Ishara Cooray
Hi Naduni,

You need to provide client id and scopes in your request to authorize
endpoint.

As Sanjeewa said, you will need to do the token request from the
store/publisher app.
This token request has to be provided with the client secret.
[1] helps to try out the authorization grant.

How do you handle the token renewal?

IMO, you can use refresh_token to renew access token.
To do that you can store the refresh_token you receive from the access
token request and use that to renew the token using refresh_token grant.
[2] may also be a useful reference.

[1] https://docs.wso2.com/display/IS530/Try+Authorization+Code+Grant
[2] http://eveonline-third-party-documentation.readthedocs.io/en/latest/sso/authentication.html

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware



Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-23 Thread Ishara Karunarathna
Hi Naduni,

In this flow user authentication should be done using the ID token (you will
get this with the access token).
And to access the relevant resources you can use the access token, but you need to
send the necessary scopes in the beginning.

And I have the following questions regarding this.

1. How do you configure this for IDPs other than the WSO2 Identity Server?
2. How do you handle logout?

-Ishara



-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
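Ishara's point above is that the login decision rests on the ID token, not on the access token that arrives with it. The checks an RP has to make before accepting an ID token (OpenID Connect Core 1.0, section 3.1.3.7: signature, iss, aud/azp, exp, iat and the nonce bound to the login attempt), as an added example in Python that is not code from the thread or from WSO2. To run offline it uses HS256 with a constructed shared secret, which is an assumption; an IdP such as WSO2 IS typically signs ID tokens with RS256 and the RP verifies them with the key published at the JWKS endpoint, but the claim checks are the same. The issuer, client id, subject and nonce values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: in a deployment the issuer comes from the IdP's discovery
# document and the client id from the publisher/store app's registration.
ISSUER = "https://idp.example.com/oauth2/token"
CLIENT_ID = "apim-store"
SHARED_SECRET = b"constructed-hs256-secret-for-the-example"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 ID token so the example has input; the IdP does this, not the RP."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class IDTokenError(ValueError):
    """Raised when the ID token must not be used to log the user in."""


def verify_id_token(token, secret, issuer, client_id, expected_nonce, now=None, leeway=60):
    """Validate an ID token and return its claims; raise IDTokenError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RP configured; never let the token's own header choose it
    # (this is what rejects alg=none and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IDTokenError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IDTokenError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        raise IDTokenError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) + leeway < now:
        raise IDTokenError("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise IDTokenError("token issued in the future")
    # The nonce was generated by the RP when it built the authorize request and
    # stored in the user's pre-login session; it binds this token to that attempt.
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch: token not bound to this login attempt")
    return claims


def id_token_problem(token, expected_nonce, now, secret=SHARED_SECRET,
                     issuer=ISSUER, client_id=CLIENT_ID):
    """None when the token is acceptable, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, secret, issuer, client_id, expected_nonce, now=now)
        return None
    except IDTokenError as err:
        return str(err)


if __name__ == "__main__":
    now = int(time.time())
    good = make_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                          "exp": now + 300, "iat": now, "nonce": "n-123"}, SHARED_SECRET)
    print("good token:", id_token_problem(good, "n-123", now))
    print("wrong nonce:", id_token_problem(good, "n-999", now))
```

The access token that arrives alongside the ID token is for calling the resource APIs with the scopes requested in the authorize step; it carries no audience or nonce guarantee for the RP, which is why it is not the thing the login decision is based on.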


Re: [Architecture] [APIM][C5] SSO Feature for Publisher/Store Login

2017-05-21 Thread Sanjeewa Malalgoda
After we receive the authorization code, the browser cannot get the token alone. It
needs to have client keys, secrets, scopes etc. So from the 8th step onward, token
retrieval needs to be handled from the publisher/store side. Then the app needs to
obtain the token and direct the user to a new page. Also, as I remember, by the time we
get the authorization code we need to show the scopes and get user consent for the
scopes.

Thanks,
sanjeewa.

On Mon, May 22, 2017 at 10:38 AM, Naduni Pamudika  wrote:

> Hi All,
>
> In API Manager, currently we have basic authentication. In order to move
> it into Single Sign On (SSO) for API Manager 3.0 (for Publisher and Store
> logins), it was agreed in [1] to use OpenID Connect (OIDC) with
> authorization code grant type.
>
> Following diagram explains the flow of the SSO feature for Publisher/Store
> Login.
>
> [diagram: SSO flow for Publisher/Store Login; image not preserved in the archive]
> Appreciate your feedback and suggestions on the approach.
>
> [1] Mail Subject - "[Architecture] [APIM] [C5] Single sign on support in
> API Manager 3.0"
>
> Thank you.
> Naduni
> --
> *Naduni Pamudika*
> Software Engineer
>
> WSO2 Inc: http://wso2.com
> Email: nad...@wso2.com
> Mobile: 0719143658
>



-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/

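The backend half of the flow Sanjeewa describes above (once the browser comes back with the authorization code, the publisher/store backend, which holds the client secret, is the party that exchanges it at the token endpoint), together with the refresh_token renewal Ishara Cooray suggests and the revoke-on-logout that Roshan and Sanjeewa propose, as one added example in Python. It is not code from the thread or from WSO2: FakeAuthorizationServer is a constructed in-memory stand-in for the IdP's /authorize, /token and /revoke endpoints so the flow runs offline, and the client id, secret, redirect URI, user and scope names are constructed. It goes slightly beyond the thread by also binding the callback to the login attempt with `state`, treating codes and refresh tokens as single use, and trimming the granted scope to what the user consented to, which is the consent step Sanjeewa mentions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class FakeAuthorizationServer:
    """Constructed stand-in for the IdP's /authorize, /token and /revoke endpoints."""

    def __init__(self, client_id, client_secret, redirect_uri, lifetime=300):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.lifetime = redirect_uri, lifetime
        self.codes, self.access_tokens, self.refresh_tokens = {}, {}, {}

    def authorize(self, sub, params, consented_scopes):
        # /authorize: the user logs in and consents; only consented scopes survive.
        if params["client_id"] != self.client_id or params["response_type"] != "code":
            raise ValueError("unauthorized_client")
        if params["redirect_uri"] != self.redirect_uri:
            raise ValueError("redirect_uri not registered for this client")
        scope = " ".join(s for s in params["scope"].split() if s in consented_scopes)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (sub, scope)
        # The browser is redirected back to the app carrying the single-use code.
        return f"{self.redirect_uri}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, form, client_id, client_secret):
        # /token: client authentication is mandatory, so the browser alone cannot turn
        # a code into tokens; the publisher/store backend is the one holding the secret.
        if client_id != self.client_id or not secrets.compare_digest(client_secret, self.client_secret):
            return {"error": "invalid_client"}
        if form["grant_type"] == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)                   # codes are single use
        elif form["grant_type"] == "refresh_token":
            entry = self.refresh_tokens.pop(form.get("refresh_token"), None)  # rotated on every use
        else:
            return {"error": "unsupported_grant_type"}
        if entry is None:
            return {"error": "invalid_grant"}
        sub, scope = entry
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access_tokens[access] = (sub, scope, time.time() + self.lifetime)
        self.refresh_tokens[refresh] = (sub, scope)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": self.lifetime, "scope": scope}

    def revoke(self, token):
        # /revoke (RFC 7009 style): drop whichever kind of token this is; unknown tokens are ignored.
        self.access_tokens.pop(token, None)
        self.refresh_tokens.pop(token, None)


class PublisherStoreClient:
    """The relying-party side that runs on the publisher/store backend."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states, self.session = set(), None

    def start_login(self, scopes):
        # Step 1: build the authorize request; `state` is remembered to bind the callback.
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id, "scope": " ".join(scopes),
                "redirect_uri": self.redirect_uri, "state": state}

    def handle_callback(self, redirect_url):
        # Step 2: the code reaches the backend; check state, then exchange it server-side.
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: callback is not bound to a login we started")
        self.pending_states.discard(state)
        self._store(self.server.token({"grant_type": "authorization_code", "code": query["code"][0],
                                       "redirect_uri": self.redirect_uri},
                                      self.client_id, self.client_secret))
        return self.session["scope"]

    def access_token(self, now=None):
        # Step 3: hand out the access token, renewing it with the refresh grant before it expires.
        now = time.time() if now is None else now
        if self.session["expires_at"] - 30 <= now:
            self._store(self.server.token({"grant_type": "refresh_token",
                                           "refresh_token": self.session["refresh_token"]},
                                          self.client_id, self.client_secret), now)
        return self.session["access_token"]

    def logout(self):
        # Step 4: on logout revoke both tokens at the IdP, then forget the local session.
        for key in ("access_token", "refresh_token"):
            self.server.revoke(self.session[key])
        self.session = None

    def _store(self, response, now=None):
        if "error" in response:
            raise ValueError(f"token endpoint error: {response['error']}")
        now = time.time() if now is None else now
        self.session = dict(response, expires_at=now + response["expires_in"])
```

Revoking at the IdP ends the tokens' usefulness at the gateway, but, as the session-management discussion earlier in the thread notes, it does not by itself end the IdP's own browser session; that is what RP-initiated logout and front-channel or back-channel logout add on top.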