On Tue, Jan 7, 2020 at 12:27 PM Malintha Amarasinghe <[email protected]>
wrote:

>
>
> On Tue, Jan 7, 2020 at 12:23 PM Harsha Kumara <[email protected]> wrote:
>
>>
>>
>> On Tue, Jan 7, 2020 at 12:20 PM Malintha Amarasinghe <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> Currently, we do not support $subject and we always use the local IDP as
>>> the login/logout URLs (/authorize and /oidc/logout). In normal cases, this
>>> works without issues. But when it comes to configuring federated login with
>>> Facebook, Google etc., it is required to use IS (IS as KM) as the
>>> intermediate IDP, which has the required authenticators to support
>>> Facebook/Google logins. In those cases, we need to point the local IDP to
>>> the IS/KM, and the IS/KM points to Facebook as a federated login. But this
>>> flow has one unnecessary additional hop caused by the local IDP.
>>>
>>> As a solution, we plan to support externalizing the IDP URL (used for
>>> /authorize and /oidc/logout).
>>>
>>> The plan is to introduce new configs as below:
>>>
>>> *api-manager.xml*
>>>
>>> {% if apim.idp is defined %}
>>> <IdentityProvider>
>>>     <!-- Server URL of the Identity Provider used for login/logout
>>>          operations in API Publisher and API Developer Portal -->
>>>     <AuthorizeEndpoint>{{apim.idp.authorize_endpoint}}</AuthorizeEndpoint>
>>>     <OIDCLogoutEndpoint>{{apim.idp.oidc_logout_endpoint}}</OIDCLogoutEndpoint>
>>> </IdentityProvider>
>>> {% endif %}
>>>
>>> *deployment.toml*
>>>
>>> # Table name matches the apim.idp reference in the template above;
>>> # TOML values take no trailing semicolon.
>>> #[apim.idp]
>>> #authorize_endpoint = "https://localhost:9444/oauth2/authorize"
>>> #oidc_logout_endpoint = "https://localhost:9444/oidc/logout"
>>>
>> Will the token endpoint be pointed to the gateway?
>>
>
> No, it will still use the local endpoints, e.g.
> https://localhost:9443/oauth2/token. All the backend calls (generate
> token, DCR, refresh token) will use the local hardcoded endpoints on port
> 9443.
> Hope that would not cause an issue?
>
Yes, that should be fine. Since we share databases in this scenario, it
should be fine to go with the local endpoints.

>
> Thanks!
>
>>
>>> By default, the server will use the local IDP for login/logout. Only if
>>> the above URLs are configured will they be used instead of the default
>>> ones.
>>>
>>> Thoughts are highly appreciated.
>>>
>>> Thanks!
>>> Malintha
>>>
>>> --
>>> Malintha Amarasinghe
>>> *WSO2, Inc. - lean | enterprise | middleware*
>>> http://wso2.com/
>>>
>>> Mobile : +94 712383306
>>>
>>
>>
>> --
>>
>> *Harsha Kumara*
>>
>> Technical Lead, WSO2 Inc.
>> Mobile: +94775505618
>> Email: [email protected]
>> Blog: harshcreationz.blogspot.com
>>
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
>>


-- 

*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
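The resolution logic the thread describes, written out as an added example (not WSO2 code): the browser-facing authorize and OIDC logout URLs come from an optional [apim.idp] table and fall back to the local IDP on port 9443 when the table is absent, while the token endpoint stays local in both cases. It assumes the parsed deployment.toml is available as a nested dict (the shape tomllib would produce) and adds one check the thread does not mention: a configured redirect target must be an absolute https URL, so a relative path or a plain-http URL is rejected at startup rather than sent to users' browsers. Sample configs are constructed inline.

```python
"""Resolve Publisher/Dev Portal login and logout endpoints from deployment.toml.

Added example, not WSO2 code. Mirrors the thread's design: [apim.idp] may
externalize the browser-facing URLs; backend (token/DCR/refresh) URLs stay local.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Local IDP defaults from the thread (KM on the same node, port 9443).
LOCAL_BASE = "https://localhost:9443"
LOCAL_AUTHORIZE_ENDPOINT = LOCAL_BASE + "/oauth2/authorize"
LOCAL_OIDC_LOGOUT_ENDPOINT = LOCAL_BASE + "/oidc/logout"
# Backend endpoints are not externalized; the thread keeps them on 9443.
LOCAL_TOKEN_ENDPOINT = LOCAL_BASE + "/oauth2/token"


@dataclass(frozen=True)
class IdpEndpoints:
    authorize: str
    oidc_logout: str
    token: str
    externalized: bool  # True when [apim.idp] supplied the browser-facing URLs


def is_acceptable_idp_url(value: object) -> bool:
    """Accept only absolute https URLs as browser redirect targets.

    Added check (not in the thread): a relative path, an http URL or a
    non-string value would silently weaken the login/logout redirect.
    """
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def resolve_idp_endpoints(config: dict) -> IdpEndpoints:
    """`config` is the parsed deployment.toml as a nested dict.

    Equivalent of the template's `{% if apim.idp is defined %}`:
    no [apim.idp] table means the local IDP is used for login/logout.
    """
    idp = config.get("apim", {}).get("idp")
    if idp is None:
        return IdpEndpoints(LOCAL_AUTHORIZE_ENDPOINT, LOCAL_OIDC_LOGOUT_ENDPOINT,
                            LOCAL_TOKEN_ENDPOINT, externalized=False)
    for key in ("authorize_endpoint", "oidc_logout_endpoint"):
        if not is_acceptable_idp_url(idp.get(key)):
            raise ValueError(
                f"[apim.idp] {key} must be an absolute https URL, got {idp.get(key)!r}")
    return IdpEndpoints(idp["authorize_endpoint"], idp["oidc_logout_endpoint"],
                        LOCAL_TOKEN_ENDPOINT, externalized=True)


def render_identity_provider_block(config: dict) -> str:
    """Plain-string stand-in for the api-manager.xml Jinja fragment in the
    thread; returns an empty string when [apim.idp] is not configured."""
    endpoints = resolve_idp_endpoints(config)
    if not endpoints.externalized:
        return ""
    return (
        "<IdentityProvider>\n"
        f"    <AuthorizeEndpoint>{endpoints.authorize}</AuthorizeEndpoint>\n"
        f"    <OIDCLogoutEndpoint>{endpoints.oidc_logout}</OIDCLogoutEndpoint>\n"
        "</IdentityProvider>"
    )


# Constructed sample configs (the dicts a TOML parser would return).
DEFAULT_CONFIG = {"server": {"hostname": "localhost"}}  # no [apim.idp] table
FEDERATED_CONFIG = {  # IS as KM on 9444 handles the federated logins
    "server": {"hostname": "localhost"},
    "apim": {"idp": {
        "authorize_endpoint": "https://localhost:9444/oauth2/authorize",
        "oidc_logout_endpoint": "https://localhost:9444/oidc/logout",
    }},
}
PLAINTEXT_CONFIG = {  # constructed misconfiguration: http redirect target
    "apim": {"idp": {
        "authorize_endpoint": "http://localhost:9444/oauth2/authorize",
        "oidc_logout_endpoint": "https://localhost:9444/oidc/logout",
    }},
}

if __name__ == "__main__":
    print(resolve_idp_endpoints(DEFAULT_CONFIG))
    print(render_identity_provider_block(FEDERATED_CONFIG))
    try:
        resolve_idp_endpoints(PLAINTEXT_CONFIG)
    except ValueError as err:
        print("rejected:", err)
```

With DEFAULT_CONFIG the rendered block is empty and all three URLs point at 9443; with FEDERATED_CONFIG only authorize and logout move to 9444 and the token endpoint remains local, which is exactly the split the reply about shared databases relies on.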
