Hi folks,

As Prabath mentioned, we have implemented back channel authentication using extensions.

The approach we have used is, we use the commonAuthId cookie which is issued to *.cloud.wso2.com. The back channel authentication flow is as follows:

1. Before we redirect to the IdP, we check if the commonAuthId is present and if so we call the IdP /token endpoint passing the commonAuthId cookie.
2. We have a custom OAuth extension which can validate the commonAuthId cookie and return a JWT representing the logged in user.
3. On the SP side we have a JWTAuthenticator which will validate the JWT and create the BE session for the user.
4. Then we extract the JSESSIONID, create the front end session and log the user into the app.
5. If the commonAuthId cookie is not present we continue with the normal SSO flow.

One challenge in the approach is how we can implement the logout functionality, since we aren't sending a login request to IS in the back channel flow.

As Prabath mentioned, it would be great if we can have first class support for back channel authentication in IS. We can use some of the learning from the implementation we've done for Cloud and see how we can incorporate it in IS.

@Johan / IS team - Do we have a release date planned for 5.3? Can we add this feature also with the 5.3 release?

On Fri, May 6, 2016 at 12:12 AM, Prabath Siriwardana <[email protected]> wrote:

> [adding architecture@]
>
> On Wed, May 4, 2016 at 11:04 PM, Prabath Siriwardana <[email protected]> wrote:
>
>> We have implemented back-channel authentication for WSO2 Cloud via extensions. It has certain limitations - but does the job it is supposed to do.
>>
>> We need to add 1st class support for back channel authentication to IS. Can we do it in IS 5.3.0?
>>
>> These are the two use cases...
>>
>> A)
>>
>> 1. There are multiple web apps and also the IdP hosted on different sub-domains under the same domain (sp1.foo.com, sp2.foo.com, idp.foo.com)
>>
>> 2. All the web apps use federated login with the IdP.
>>
>> 3. The redirect to the IdP from any of the web apps is only needed if the user is not authenticated. Each web app - before redirecting the user to the IdP - does the backchannel authentication to check whether the user has a valid session.
>>
>> B)
>>
>> 1. There are multiple web apps and also the IdP hosted on different sub-domains under the same domain (sp1.foo.com, sp2.foo.com, idp.foo.com)
>>
>> 2. None of the web apps use federated login with the IdP. Each web app has its login screen.
>>
>> 3. Each web app - before presenting the login screen to the user - does the backchannel authentication to check whether the user has a valid session.
>>
>> Thanks & regards,
>> -Prabath
>>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://blog.facilelogin.com
> http://blog.api-security.org

--
Thanks,
Shariq
Associate Technical Lead
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
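The five-step back channel flow above, as an added example that is not part of the thread or of any WSO2 code: both sides are simulated in one process, the IdP's cookie-validating /token extension and the SP's JWTAuthenticator. The shared HMAC key, the HS256 signing, the `IDP_SESSIONS` table and the claim values are all assumptions of this example; the thread does not say how the JWT is issued or signed.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed: a key shared between the IdP extension and the SP's JWTAuthenticator (hypothetical).
IDP_JWT_KEY = b"constructed-shared-key-for-this-example"
# Constructed IdP session store, keyed by the commonAuthId cookie value.
IDP_SESSIONS = {"constructed-commonAuthId-1": {"sub": "alice@foo.com", "expires": time.time() + 3600}}
SP_SESSIONS = {}  # SP back-end sessions keyed by JSESSIONID (step 3/4)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_token_endpoint(common_auth_id, audience="sp1.foo.com"):
    """Step 2: the custom OAuth extension validates the cookie and returns a short-lived JWT, else None."""
    sess = IDP_SESSIONS.get(common_auth_id)
    if sess is None or sess["expires"] < time.time():
        return None  # unknown or expired IdP session: no token, SP falls back to normal SSO
    now = int(time.time())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "idp.foo.com", "sub": sess["sub"], "aud": audience, "iat": now, "exp": now + 300}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def jwt_authenticator(token, expected_aud="sp1.foo.com"):
    """Step 3: verify signature (fixed algorithm), issuer, audience and expiry before trusting the claims."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(IDP_JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("iss") != "idp.foo.com" or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims

def sp_login(cookies):
    """Steps 1-5 on the SP: returns ('session', jsessionid) or ('redirect', sso_url)."""
    cid = cookies.get("commonAuthId")
    if cid:
        token = idp_token_endpoint(cid)  # stands in for the HTTPS call to the IdP /token endpoint
        claims = jwt_authenticator(token) if token else None
        if claims:
            jsessionid = secrets.token_hex(16)  # step 4: new BE session, returned as JSESSIONID
            SP_SESSIONS[jsessionid] = claims["sub"]
            return ("session", jsessionid)
    return ("redirect", "https://idp.foo.com/sso")  # step 5: normal SSO redirect
```

Note that nothing here registers the back-channel session with the IdP, which is exactly the logout gap the thread raises: the IdP has no record of the SP session to terminate.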
