On Tue, Jan 7, 2020 at 12:23 PM Harsha Kumara <[email protected]> wrote:
> On Tue, Jan 7, 2020 at 12:20 PM Malintha Amarasinghe <[email protected]> wrote:
>
>> Hi,
>>
>> Currently, we do not support $subject and we always use the local IDP as the login/logout URLs (/authorize and /oidc/logout). In normal cases, this works without issues. But when it comes to configuring federated login with Facebook, Google etc., it is required to use IS (IS as KM) as the intermediate IDP which has the required authenticators to support Facebook/Google logins. In those cases, we need to point the local IDP to the IS/KM and the IS/KM points to Facebook as a federated login. But this flow has one unnecessary additional hop caused by the local IDP.
>>
>> As a solution, we plan to support externalizing the IDP URL (used for /authorize and /oidc/logout).
>>
>> [image: image.png]
>>
>> The plan is to introduce new configs as below:
>>
>> *api-manager.xml*
>>
>> {% if apim.idp is defined %}
>> <IdentityProvider>
>> <!-- Server URL of the Identity Provider used for login/logout operations in API Publisher and API Developer Portal -->
>> <AuthorizeEndpoint>{{apim.idp.authorize_endpoint}}</AuthorizeEndpoint>
>> <OIDCLogoutEndpoint>{{apim.idp.oidc_logout_endpoint}}</OIDCLogoutEndpoint>
>> </IdentityProvider>
>> {% endif %}
>>
>> *deployment.toml*
>>
>> #[api.idp]
>> #authorize_endpoint = "https://localhost:9444/oauth2/authorize"
>> #oidc_logout_endpoint = "https://localhost:9444/oidc/logout"
>>
> Token endpoint will be pointed to gateway?
>
No, it will still use the local endpoints, e.g. https://localhost:9443/oauth2/token. All the backend calls (generate token, DCR, refresh token) will use the local hardcoded endpoints on port 9443. Hope that would not cause an issue? Thanks!

>> By default, the server will use the local IDP for login/logout. Only if the above URLs are configured, they will be used instead of the default ones.
>>
>> Thoughts are highly appreciated.
>>
>> Thanks!
>> Malintha
>>
>> --
>> Malintha Amarasinghe
>> *WSO2, Inc. - lean | enterprise | middleware*
>> http://wso2.com/
>>
>> Mobile : +94 712383306
>>
>
> --
>
> *Harsha Kumara*
>
> Technical Lead, WSO2 Inc.
> Mobile: +94775505618
> Email: [email protected]
> Blog: harshcreationz.blogspot.com
>
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business

--
Malintha Amarasinghe
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/
Mobile : +94 712383306
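The fallback semantics discussed in the thread (local IDP endpoints by default, the configured authorize/logout URLs only when set, the token endpoint always local) can be modelled in a few lines. The following Python is an added example written for this page, not code from the thread or from WSO2 API Manager. It assumes the config section is named `apim.idp` as in the quoted template, that the local authorize/logout defaults share the `https://localhost:9443` base the thread gives for the token endpoint, and it adds a URL check that is not part of the proposal: a configured endpoint must be an absolute https URL without query or fragment, so a typo cannot downgrade the browser's login/logout redirect to plain HTTP or smuggle extra parameters into the authorization request.

```python
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Local Key Manager endpoints the proposal keeps hardcoded. The token URL is
# quoted in the thread; the authorize/logout defaults are assumed to share its base.
LOCAL_KM = "https://localhost:9443"
DEFAULT_ENDPOINTS = {
    "authorize": LOCAL_KM + "/oauth2/authorize",
    "oidc_logout": LOCAL_KM + "/oidc/logout",
    "token": LOCAL_KM + "/oauth2/token",
}

# Proposed deployment.toml keys -> endpoint names used in this example.
EXTERNALIZABLE = {
    "authorize_endpoint": "authorize",
    "oidc_logout_endpoint": "oidc_logout",
}


def validate_idp_endpoint(url):
    """Accept only an absolute https URL with a host and no query/fragment.

    This check is an addition for the example; the proposal itself does not
    describe validation. It keeps a misconfigured value from redirecting the
    browser over plain HTTP or carrying stray parameters into /authorize.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("IDP endpoint must use https: %s" % url)
    if not parsed.netloc:
        raise ValueError("IDP endpoint must be an absolute URL: %s" % url)
    if parsed.query or parsed.fragment:
        raise ValueError("IDP endpoint must not carry query/fragment: %s" % url)
    return url


def resolve_endpoints(config):
    """Apply the proposal's fallback rule to a parsed deployment.toml (nested dicts).

    No [apim.idp] section: every endpoint is the local one. Section present:
    only the login/logout keys it sets are overridden; the token endpoint is
    never externalized, matching the thread's answer about backend calls.
    """
    endpoints = dict(DEFAULT_ENDPOINTS)
    idp = config.get("apim", {}).get("idp")
    if not idp:
        return endpoints
    for toml_key, name in EXTERNALIZABLE.items():
        value = idp.get(toml_key)
        if value:
            endpoints[name] = validate_idp_endpoint(value)
    return endpoints


def render_identity_provider(config):
    """Mimic the quoted api-manager.xml template: emit <IdentityProvider> only
    when apim.idp is defined. Unlike the raw template, absent keys fall back to
    the local defaults instead of rendering empty elements."""
    if config.get("apim", {}).get("idp") is None:
        return ""
    endpoints = resolve_endpoints(config)
    return (
        "<IdentityProvider>\n"
        "  <AuthorizeEndpoint>%s</AuthorizeEndpoint>\n"
        "  <OIDCLogoutEndpoint>%s</OIDCLogoutEndpoint>\n"
        "</IdentityProvider>"
    ) % (escape(endpoints["authorize"]), escape(endpoints["oidc_logout"]))


if __name__ == "__main__":
    # Constructed sample: IS-as-KM on port 9444, as in the proposal's commented defaults.
    sample = {"apim": {"idp": {
        "authorize_endpoint": "https://localhost:9444/oauth2/authorize",
        "oidc_logout_endpoint": "https://localhost:9444/oidc/logout",
    }}}
    print(resolve_endpoints(sample))
    print(render_identity_provider(sample))
```

Running it with the sample config prints the two externalized login/logout URLs alongside the unchanged local token endpoint, and an empty config yields no `<IdentityProvider>` block at all, which is the behaviour the `{% if apim.idp is defined %}` guard in the template is meant to give.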
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
