On Tue, Jan 7, 2020 at 12:23 PM Harsha Kumara <[email protected]> wrote:

>
>
> On Tue, Jan 7, 2020 at 12:20 PM Malintha Amarasinghe <[email protected]>
> wrote:
>
>> Hi,
>>
>> Currently, we do not support $subject and we always use the local IDP as
>> the login/logout URLs (/authorize and /oidc/logout). In normal cases, this
>> works without issues. But when it comes to configuring federated login with
>> Facebook, Google etc., it is required to use IS (IS as KM) as the
>> intermediate IDP which has the required authenticators to support
>> Facebook/Google logins. In those cases, we need to point the local IDP to
>> the IS/KM and the IS/KM points to Facebook as a federated login. But this
>> flow has one unnecessary additional hop caused by the local IDP.
>>
>> As a solution, we plan to support externalizing the IDP URL (used for
>> /authorize and /oidc/logout).
>>
>>
>> The plan is to introduce new configs as below:
>>
>> *api-manager.xml*
>>
>> {% if apim.idp is defined %}
>> <IdentityProvider>
>>     <!-- Server URL of the Identity Provider used for login/logout
>>          operations in API Publisher and API Developer Portal -->
>>     <AuthorizeEndpoint>{{apim.idp.authorize_endpoint}}</AuthorizeEndpoint>
>>     <OIDCLogoutEndpoint>{{apim.idp.oidc_logout_endpoint}}</OIDCLogoutEndpoint>
>> </IdentityProvider>
>> {% endif %}
>>
>> *deployment.toml*
>>
>> #[apim.idp]
>> #authorize_endpoint = "https://localhost:9444/oauth2/authorize"
>> #oidc_logout_endpoint = "https://localhost:9444/oidc/logout"
>>
> Token endpoint will be pointed to  gateway?
>

I don't think so. The key manager of the gateway can be something else
which does not know how to validate the token.

>
>> By default, the server will use the local IDP for login/logout. Only if
>> the above URLs are configured will they be used instead of the default
>> ones.
>>
>> Thoughts are highly appreciated.
>>
>> Thanks!
>> Malintha
>>
>> --
>> Malintha Amarasinghe
>> *WSO2, Inc. - lean | enterprise | middleware*
>> http://wso2.com/
>>
>> Mobile : +94 712383306
>>
>
>
> --
>
> *Harsha Kumara*
>
> Technical Lead, WSO2 Inc.
> Mobile: +94775505618
> Email: [email protected]
> Blog: harshcreationz.blogspot.com
>
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business
>


-- 
*Nuwan Dias* | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
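The following is an added illustration of the resolution logic proposed in the thread (fall back to the local IDP unless the override URLs are configured); it is not WSO2 code and not part of the mailing-list discussion. It assumes the override lives in an [apim.idp] table of deployment.toml, matching the {{apim.idp.*}} references in the api-manager.xml template, that the local IDP defaults are /authorize and /oidc/logout on the API Manager host, and that both URLs must be set together. The sample config texts are constructed.

```python
"""Resolve the login/logout endpoints for the Publisher and Developer Portal.

Added illustration of the proposal in the thread; this is not WSO2 code.
Assumptions: the override lives in a [apim.idp] table (matching the
{{apim.idp.*}} references in the api-manager.xml template) and the local
IDP defaults are /authorize and /oidc/logout on the API Manager host.
"""
from urllib.parse import urlsplit

# Hypothetical local-IDP defaults used when no override is configured.
LOCAL_BASE = "https://localhost:9443"
LOCAL_AUTHORIZE_PATH = "/authorize"
LOCAL_LOGOUT_PATH = "/oidc/logout"

# Constructed sample 1: table present and uncommented, so the override applies.
SAMPLE_OVERRIDE = """
[apim.idp]
authorize_endpoint = "https://localhost:9444/oauth2/authorize"
oidc_logout_endpoint = "https://localhost:9444/oidc/logout"
"""

# Constructed sample 2: the table as shipped, fully commented out.
SAMPLE_DEFAULT = """
#[apim.idp]
#authorize_endpoint = "https://localhost:9444/oauth2/authorize"
#oidc_logout_endpoint = "https://localhost:9444/oidc/logout"
"""


def parse_toml_subset(text):
    """Parse just the TOML subset this setting needs: [table] headers and
    key = "string" pairs.  '#' starts a comment (so the shipped, commented-out
    table yields nothing); string values must not themselves contain '#'."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            tables.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        value = value.strip()
        if (not sep or current is None or len(value) < 2
                or value[0] != '"' or value[-1] != '"'):
            raise ValueError("unsupported config line: %r" % raw)
        tables[current][key.strip()] = value[1:-1]
    return tables


def endpoint_problem(url):
    """Return why an externally configured IDP URL is unacceptable, or None.
    The browser is redirected to these URLs, so only absolute https URLs
    with a host and no embedded credentials are accepted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme must be https"
    if not parts.hostname:
        return "host is missing"
    if parts.username is not None or parts.password is not None:
        return "userinfo is not allowed"
    return None


def resolve_idp_endpoints(toml_text):
    """Return {'authorize': ..., 'logout': ..., 'external': bool}, using the
    local IDP unless both override URLs are configured and valid."""
    idp = parse_toml_subset(toml_text).get("apim.idp", {})
    authorize = idp.get("authorize_endpoint")
    logout = idp.get("oidc_logout_endpoint")
    if authorize is None and logout is None:
        return {"authorize": LOCAL_BASE + LOCAL_AUTHORIZE_PATH,
                "logout": LOCAL_BASE + LOCAL_LOGOUT_PATH,
                "external": False}
    # Design choice (assumption): login and logout move together, otherwise a
    # session started at the external IDP would be "logged out" only locally.
    if authorize is None or logout is None:
        raise ValueError("authorize_endpoint and oidc_logout_endpoint must both be set")
    for name, url in (("authorize_endpoint", authorize),
                      ("oidc_logout_endpoint", logout)):
        problem = endpoint_problem(url)
        if problem:
            raise ValueError("%s: %s (%s)" % (name, problem, url))
    return {"authorize": authorize, "logout": logout, "external": True}


if __name__ == "__main__":
    for label, cfg in (("shipped defaults", SAMPLE_DEFAULT),
                       ("override", SAMPLE_OVERRIDE)):
        print(label, resolve_idp_endpoints(cfg))
```

Requiring both URLs together and rejecting non-https or credential-bearing URLs is the check a deployer would want before the server starts redirecting browsers to an externally supplied endpoint; a partial override (login at the IS/KM, logout at the local IDP) would leave the external session alive after a portal logout.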