Hi Shariq,

Do we have any changes to the framework component? I don't think so, right? It's just the custom grant extension and the JWT authenticator extension you have written. In that case these can go to a separate repo and be released as extensions to IS. If so, we can even get this working with IS 5.2.0 by installing the extension. Later we can decide whether it needs to be shipped by default with IS or not.
On Thu, Jun 2, 2016 at 12:45 PM, Muhammed Shariq <[email protected]> wrote:
> Hi folks,
>
> As Prabath mentioned, we have implemented back channel authentication using extensions.
>
> The approach we have used is, we use the commonAuthId cookie which is issued to *.cloud.wso2.com. The back channel authentication flow is as follows:
>
> 1. Before we redirect to the IdP, we check if the commonAuthId is present and, if so, we call the IdP /token endpoint passing the commonAuthId cookie.
> 2. We have a custom OAuth extension which can validate the commonAuthId cookie and return a JWT representing the logged-in user.
> 3. On the SP side we have a JWTAuthenticator which will validate the JWT and create the BE session for the user.
> 4. Then we extract the JSESSIONID, create the front end session and log the user into the app.
> 5. If the commonAuthId cookie is not present we continue with the normal SSO flow.
>
> One challenge in the approach is how we can implement the logout functionality, since we aren't sending a login request to IS in the back channel flow.
>
> As Prabath mentioned, it would be great if we can have first class support for back channel authentication in IS. We can use some of the learning from the implementation we've done for Cloud and see how we can incorporate it in IS.
>
> @Johan / IS team - Do we have a release date planned for 5.3? Can we add this feature also with the 5.3 release?
>
> On Fri, May 6, 2016 at 12:12 AM, Prabath Siriwardana <[email protected]> wrote:
>
>> [adding architecture@]
>>
>> On Wed, May 4, 2016 at 11:04 PM, Prabath Siriwardana <[email protected]> wrote:
>>
>>> We have implemented back-channel authentication for WSO2 Cloud via extensions. It has certain limitations, but does the job it is supposed to do.
>>>
>>> We need to add 1st class support for back channel authentication to IS. Can we do it in IS 5.3.0?
>>>
>>> These are the two use cases...
>>>
>>> A)
>>>
>>> 1. There are multiple web apps and also the IdP hosted on different sub-domains under the same domain (sp1.foo.com, sp2.foo.com, idp.foo.com).
>>>
>>> 2. All the web apps use federated login with the IdP.
>>>
>>> 3. The redirect to the IdP from any of the web apps is only needed if the user is not authenticated. Each web app, before redirecting the user to the IdP, does the backchannel authentication to check whether the user has a valid session.
>>>
>>> B)
>>>
>>> 1. There are multiple web apps and also the IdP hosted on different sub-domains under the same domain (sp1.foo.com, sp2.foo.com, idp.foo.com).
>>>
>>> 2. None of the web apps use federated login with the IdP. Each web app has its own login screen.
>>>
>>> 3. Each web app, before presenting the login screen to the user, does the backchannel authentication to check whether the user has a valid session.
>>>
>>> Thanks & regards,
>>> -Prabath
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://blog.facilelogin.com
>> http://blog.api-security.org
>
> --
> Thanks,
> Shariq
> Associate Technical Lead

--
Thanks & Regards,
Johann Dilantha Nallathamby
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
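The back-channel flow Shariq describes (check for the domain-wide commonAuthId cookie, trade it at the IdP /token endpoint through a custom grant for a JWT, validate the JWT on the SP side, and only redirect to the IdP when that fails) is shown below as an added, self-contained simulation with both sides in one process. It is example code written for this page, not WSO2 Identity Server code and not the extension from the thread: the grant name `commonauth_cookie`, the hostnames, the in-memory session table, the cookie value and the HS256 shared key are all assumptions, and the HTTPS call to /token is replaced by a direct function call. The SP-side verifier pins the algorithm, checks the signature, and rejects tokens minted for another SP or past their short expiry, which matters because a cookie scoped to the parent domain is presented by every sub-domain in it.

```python
"""Simulated back-channel SSO check between an SP and an IdP on sibling
sub-domains.  Constructed example: the grant name, hostnames, session table
and HS256 shared key are assumptions, not WSO2 Identity Server code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

IDP_ISSUER = "https://idp.foo.com"          # assumed issuer value
SP_AUDIENCE = "sp1.foo.com"                 # the SP running this check
GRANT_TYPE = "commonauth_cookie"            # hypothetical custom grant name
SHARED_KEY = b"constructed-demo-hs256-key"  # shared IdP/SP key, demo only
TOKEN_TTL = 60                              # seconds; the JWT only proves a live session

# Constructed IdP session store: commonAuthId cookie value -> logged-in user.
IDP_SESSIONS = {
    "c0ffee1234": {"sub": "alice", "expires": time.time() + 3600},
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """HS256 JWT for the demo; a real IdP would sign with its private key (RS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# ---- IdP side: custom grant handler behind /token -------------------------
def idp_token_endpoint(params: dict, now: Optional[float] = None) -> dict:
    """Exchange a live commonAuthId cookie for a short-lived JWT bound to the caller."""
    now = time.time() if now is None else now
    if params.get("grant_type") != GRANT_TYPE:
        return {"error": "unsupported_grant_type"}
    session = IDP_SESSIONS.get(params.get("commonAuthId", ""))
    if session is None or session["expires"] <= now:
        return {"error": "invalid_grant"}       # no IdP session: the SP must redirect
    claims = {
        "iss": IDP_ISSUER,
        "sub": session["sub"],
        "aud": params.get("client_id"),         # bind the token to the requesting SP
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL,
        "jti": secrets.token_hex(8),
    }
    return {"access_token": sign_jwt(claims), "token_type": "JWT"}


# ---- SP side: JWT authenticator ------------------------------------------
def sp_verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if alg, signature, iss, aud and exp all check out, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:                          # bad part count, base64 or JSON
        return None
    if header.get("alg") != "HS256":            # pin the algorithm; never honour alg=none
        return None
    expected = hmac.new(SHARED_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_AUDIENCE:
        return None                             # token minted for another SP is useless here
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def sp_backchannel_login(cookies: dict, now: Optional[float] = None) -> tuple:
    """Steps 1-5 of the flow: ("session", user) on success, ("redirect", None) otherwise."""
    cookie = cookies.get("commonAuthId")
    if cookie is None:
        return ("redirect", None)               # step 5: fall back to the normal SSO flow
    # In the real deployment this is an HTTPS POST to idp.foo.com/token.
    resp = idp_token_endpoint(
        {"grant_type": GRANT_TYPE, "commonAuthId": cookie, "client_id": SP_AUDIENCE}, now)
    if "access_token" not in resp:
        return ("redirect", None)
    claims = sp_verify_jwt(resp["access_token"], now)
    if claims is None:
        return ("redirect", None)
    return ("session", claims["sub"])           # steps 3-4: create the SP-side session


if __name__ == "__main__":
    print(sp_backchannel_login({"commonAuthId": "c0ffee1234"}))  # ('session', 'alice')
    print(sp_backchannel_login({}))                              # ('redirect', None)
```

Binding `aud` to the requesting SP and keeping `exp` to a minute means a JWT obtained by sp1 cannot be replayed against sp2, and a captured token is worthless shortly after the check. The logout question raised in the thread is not addressed by this example; it only covers the login-side check.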
