Hi,

Currently, we do not support $subject and we always use the local IDP as
the login/logout URLs (/authorize and /oidc/logout). In normal cases, this
works without issues. But when it comes to configuring federated login with
Facebook, Google, etc., it is required to use IS (IS as KM) as the
intermediate IDP which has the required authenticators to support
facebook/google logins. In those cases, we need to point the local IDP to
the IS/KM and the IS/KM points to Facebook as a federated login. But this
flow has one unnecessary additional hop caused by the local IDP.

As a solution, we plan to support externalizing the IDP URL (used for
/authorize and /oidc/logout).


The plan is to introduce new configs as below:

*api-manager.xml*

{% if apim.idp is defined %}
<IdentityProvider>
    <!-- Server URL of the Identity Provider used for login/logout
operations in API Publisher and API Developer Portal -->

<AuthorizeEndpoint>{{apim.idp.authorize_endpoint}}</AuthorizeEndpoint>
<OIDCLogoutEndpoint>{{apim.idp.oidc_logout_endpoint}}</OIDCLogoutEndpoint>

</IdentityProvider>
{% endif %}

*deployment.toml*

#[apim.idp]
#authorize_endpoint = "https://localhost:9444/oauth2/authorize"
#oidc_logout_endpoint = "https://localhost:9444/oidc/logout"

By default, the server will use the local IDP for login/logout. Only if
the above URLs are configured will they be used instead of the default
ones.

Thoughts are highly appreciated.

Thanks!
Malintha

-- 
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/

Mobile : +94 712383306
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

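The fallback behaviour proposed above (local IDP endpoints unless an [apim.idp] override is configured), written out as an added example that is not WSO2 code and not part of the original mail. It also adds the check a practitioner would want before trusting an externalized login URL: the configured endpoint must be an absolute https URL with no query or fragment, otherwise a bad config value silently sends every Publisher and Developer Portal login to the wrong place. The module name, the function names, the local server URL, the sample config and the handling of a partial override (only one of the two endpoints set) are assumptions.

```python
"""Resolve the login/logout endpoints used by the API Publisher and Developer Portal.

Added example, not WSO2 code. Models the proposal in the mail: the local IDP's
/oauth2/authorize and /oidc/logout are used unless [apim.idp] in deployment.toml
overrides them. Validation and partial-override handling are assumptions.
"""
from urllib.parse import urlencode, urlsplit

# Assumed local server URL; the default paths mirror the endpoints named in the mail.
LOCAL_SERVER_URL = "https://localhost:9443"
DEFAULT_AUTHORIZE_PATH = "/oauth2/authorize"
DEFAULT_LOGOUT_PATH = "/oidc/logout"

# Constructed sample: what the [apim.idp] table from deployment.toml would load to.
EXTERNAL_IDP_CONFIG = {
    "apim": {
        "idp": {
            "authorize_endpoint": "https://localhost:9444/oauth2/authorize",
            "oidc_logout_endpoint": "https://localhost:9444/oidc/logout",
        }
    }
}


class InvalidIdpEndpoint(ValueError):
    """Raised when a configured IDP endpoint is not a safe, absolute https URL."""


def validate_endpoint(url: str) -> str:
    """Accept only absolute https URLs without query or fragment; return the URL unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InvalidIdpEndpoint(f"endpoint must be an absolute https URL: {url!r}")
    if not parts.netloc:
        raise InvalidIdpEndpoint(f"endpoint has no host: {url!r}")
    if parts.query or parts.fragment:
        # Query parameters are added by the caller; a pre-baked query or fragment
        # would let a config value smuggle e.g. a redirect_uri into every request.
        raise InvalidIdpEndpoint(f"endpoint must not carry a query or fragment: {url!r}")
    return url


def is_valid_endpoint(url: str) -> bool:
    """Boolean form of validate_endpoint for callers that just want a yes/no."""
    try:
        validate_endpoint(url)
        return True
    except InvalidIdpEndpoint:
        return False


def resolve_idp_endpoints(config: dict, local_server_url: str = LOCAL_SERVER_URL) -> dict:
    """Return {'authorize': ..., 'logout': ...}, falling back to the local IDP per endpoint.

    Assumption: each endpoint falls back independently, so setting only
    authorize_endpoint leaves logout on the local IDP.
    """
    idp = config.get("apim", {}).get("idp", {})
    authorize = idp.get("authorize_endpoint") or local_server_url + DEFAULT_AUTHORIZE_PATH
    logout = idp.get("oidc_logout_endpoint") or local_server_url + DEFAULT_LOGOUT_PATH
    return {"authorize": validate_endpoint(authorize), "logout": validate_endpoint(logout)}


def build_authorize_url(endpoints: dict, client_id: str, redirect_uri: str,
                        state: str, scope: str = "openid") -> str:
    """Build the OIDC authorization request the portal would redirect the browser to."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{endpoints['authorize']}?{query}"


def build_logout_url(endpoints: dict, id_token_hint: str, post_logout_redirect_uri: str) -> str:
    """Build the RP-initiated logout request for the resolved logout endpoint."""
    query = urlencode({
        "id_token_hint": id_token_hint,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
    return f"{endpoints['logout']}?{query}"


if __name__ == "__main__":
    print(resolve_idp_endpoints({}))
    print(resolve_idp_endpoints(EXTERNAL_IDP_CONFIG))
```

With no [apim.idp] table the local :9443 endpoints are returned; with the sample table both requests go straight to the :9444 server, which is the one-hop flow the mail is after. An http:// or relative value is rejected at startup rather than at the first login.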