Hi Senthuran,

When checking the user session using prompt=none parameter, Shall we use a
fetch call instead of navigating users to login service endpoint ( I:e
`/publisher/services/auth/login` in publisher). it will hinder browser
redirections, so the user won't recognize a browser redirect.


mandate the login to the Devportal without showing the anonymous view

For this case, I think we need to refactor the store  REST API, to restrict
anonymous API calls. For example, now users can see all the public APIs
without providing an access token (anonymous) @Malintha Amarasinghe
<malint...@wso2.com>  WDYT ?


On Fri, Feb 14, 2020 at 3:35 PM Senthuran Manoharan <senthur...@wso2.com>

>  Hi All,
> API Manager 3.x.x has an SSO for the Publisher and Devportal apps and
> currently, we are working on a feature to support “passive” configuration
> in the SSO flow(i.e If a user who has already logged in to the publisher
> has to get logged into the store directly without clicking on the SIGN-IN
> button). Please refer to this Git issue[1].
> This feature can be achieved by appending the prompt=none to authorize
> endpoint.
>> https://localhost:9443/oauth2/authorize?response_type=code&client_id=VOjSlkwAXyWvv5FqRfMTjhblH2ka&scope=apim:api_key%20apim:app_manage%20apim:store_settings%20apim:sub_alert_manage%20apim:sub_manage%20apim:subscribe%20openid&state=/apis&redirect_uri=https://localhost:9443/devportal/services/auth/callback/login&prompt=nonehttps://localhost:9443/oauth2/authorize?response_type=code&client_id=VOjSlkwAXyWvv5FqRfMTjhblH2ka&scope=apim:api_key%20apim:app_manage%20apim:store_settings%20apim:sub_alert_manage%20apim:sub_manage%20apim:subscribe%20openid&state=/apis&redirect_uri=https://localhost:9443/devportal/services/auth/callback/login&prompt=none
>> .
> If there is a logged-in user in the Publisher then it will show the
> devporal with the login user, otherwise, it will throw an error as
> login_required in that case we can redirect back to the devportal.
>> error_description=Authentication+required&state=%2Fapis&error=login_required&session_state=b245952dd33a875d31cc6b05968d75fc463612af1a9de70fa5c1809e10de3ef5.tlPkOGNZttr8a-uOAP7UNw
> If the User is not logged in to the devportal in every reload there will
> be a call made to the authorizeEndpoint to check whether a logged-in user
> is there or not.
> In addition to this, customers have a requirement to mandate the login to
> the Devportal without showing the anonymous view. (i.e like in Publisher)
> and we are planning to implement this.
> Please share your thoughts on this.
> [1] https://github.com/wso2/product-apim/issues/4171
> Thanks
> Senthuran

*Kasun Thennakoon* | Associate Technical Lead | WSO2 Inc.
(m) +94 711661919 | (w) +94 11 214 5345 | (e) kasu...@wso2.com
Integration Agility for Digitally Driven Business
Architecture mailing list

Reply via email to