Hi Naduni,

You need to provide client id and scopes in your request to authorize endpoint.
As Sanjeewa said, you will need to do the token request from the store/publisher app. This token request has to be provided with the needed client secret.
[1] helps to try out authorization grant.

How do you handle the token renewal?
IMO, you can use refresh_token to renew access token. To do that you can store the refresh_token you receive from the access token request and use that to renew the token using refresh_token grant.
[2] may also be a useful reference.

[1] https://docs.wso2.com/display/IS530/Try+Authorization+Code+Grant
[2] http://eveonline-third-party-documentation.readthedocs.io/en/latest/sso/authentication.html

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Tue, May 23, 2017 at 10:17 PM, Ishara Karunarathna <[email protected]> wrote:

> Hi Naduni,
>
> In this flow user authentication should be done using ID token (you will
> get this with access token)
> And to access the relevant resources you can use access token but need to
> send necessary scopes in the beginning.
>
> And I have following questions regarding this.
>
> 1. How do you configure these IDPs other than WSO2 identity server
> 2. How do you handle logout?
>
> -Ishara
>
>
> On Mon, May 22, 2017 at 11:12 AM, Sanjeewa Malalgoda <[email protected]>
> wrote:
>
>> After we receive authorization code browser cannot get token alone. It
>> needs to have client keys, secrets, scopes etc. So after 8th step onward
>> token retrieving needs to be handled from publisher/store side. Then app needs
>> to obtain token and direct user to new page. Also as I remember by the time
>> we get authorization code we need to show scopes and get user consent for
>> scopes.
>>
>> Thanks,
>> sanjeewa.
>>
>> On Mon, May 22, 2017 at 10:38 AM, Naduni Pamudika <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> In API Manager, currently we have basic authentication. In order to move
>>> it into Single Sign On (SSO) for API Manager 3.0 (for Publisher and Store
>>> logins), it was agreed in [1] to use OpenID Connect (OIDC) with
>>> authorization code grant type.
>>>
>>> Following diagram explains the flow of the SSO feature for
>>> Publisher/Store Login.
>>>
>>> Appreciate your feedback and suggestions on the approach.
>>>
>>> [1] Mail Subject - "[Architecture] [APIM] [C5] Single sign on support in
>>> API Manager 3.0"
>>>
>>> Thank you.
>>> Naduni
>>> --
>>> *Naduni Pamudika*
>>> Software Engineer
>>>
>>> WSO2 Inc: http://wso2.com
>>> Email: [email protected]
>>> Mobile: 0719143658
>>
>> --
>> *Sanjeewa Malalgoda*
>> WSO2 Inc.
>> Mobile : +94713068779
>> blog: http://sanjeewamalalgoda.blogspot.com/
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>
> email: [email protected], blog: isharaaruna.blogspot.com, mobile:
> +94717996791
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
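
The split the replies in this thread describe, as an added example that is not part of the original mails and not WSO2 code: the browser-facing authorize request carries only the client id and scopes, while the store/publisher back end checks the callback, authenticates with the client secret for the token request, and later renews the access token with the refresh_token grant. The endpoint, client credentials, redirect URI, scope value, the `state` handling and the `obtained_at` bookkeeping field are assumptions made for the example.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: endpoint, credentials, redirect URI and scope are assumptions.
AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "store-client-id"
CLIENT_SECRET = "store-client-secret"  # held by the store/publisher back end only
REDIRECT_URI = "https://store.example.com/callback"
SCOPES = "openid example_scope"

def authorize_redirect(session):
    """URL the browser is redirected to: client id and scopes, never the secret."""
    session["state"] = secrets.token_urlsafe(16)  # binds the callback to this login attempt
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": SCOPES, "state": session["state"]}
    return AUTHORIZE_URL + "?" + urlencode(query)

def _token_headers():
    """Client authentication for the token endpoint (HTTP Basic, RFC 6749 section 2.3.1)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode(),
            "Content-Type": "application/x-www-form-urlencoded"}

def code_exchange_request(callback_url, session):
    """Back end: check state, then build the authorization_code token request."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)  # single use, so a replayed callback fails
    got = params.get("state", [""])[0]
    if not expected or not secrets.compare_digest(got.encode(), expected.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    body = {"grant_type": "authorization_code", "code": params["code"][0],
            "redirect_uri": REDIRECT_URI}
    return _token_headers(), urlencode(body)

def refresh_request(tokens, now=None, skew=30):
    """Back end: None while the access token is still valid, else a refresh_token grant request."""
    now = time.time() if now is None else now
    if now < tokens["obtained_at"] + tokens["expires_in"] - skew:
        return None
    body = {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]}
    return _token_headers(), urlencode(body)
```

Each function returns the headers and form body to POST to the IdP's token endpoint; sending them is left to whatever HTTP client the back end already uses.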
