[ https://issues.apache.org/jira/browse/KNOX-655?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15116225#comment-15116225 ]

Larry McCay commented on KNOX-655:
----------------------------------

I want to make sure that I completely understand the changes described in #'s 1 
and 2 above.

For #1 - you are saying that, for more than one active client, we need to 
encode the ordering of the clients in a clientName provider parameter for pac4j 
within the knoxsso topology, the first being the default.

For #2 - you are saying that the Single Sign On URL and the other related URLs 
for Okta need to include pac4jCallback=true - not sure if it still needs to 
have client_name as well though.

Is the following correct?
https://www.local.com:8443/gateway/knoxsso/api/v1/websso?pac4jCallback=true

I don't think that the pac4j provider parameter pac4j.callbackUrl should 
contain the new pac4jCallback=true - is this correct?

I am having trouble getting the Okta test to work with the above 
configuration...

> Pac4j Provider Client Selection from client_name Query Parameter
> ----------------------------------------------------------------
>
>                 Key: KNOX-655
>                 URL: https://issues.apache.org/jira/browse/KNOX-655
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Jérôme Leleu
>             Fix For: 0.8.0
>
>         Attachments: knox655.patch
>
>
> From dev@ list:
> "In pac4j, we have a callback controller which uses the client_name
> parameter to finish the login process and a protection filter which
> protects a resource and redirects the user to the identity provider for
> login. Since pac4j 1.8, most libraries using it now accept a client_name
> parameter in the protection filter as well to choose the authentication
> mechanism to use if the user is not authenticated.
> With Knox, this feature (choosing the authentication mechanism with the
> client_name parameter) is not available as this parameter is already used
> to define if it's a callback or an access. This could be changed and we
> could opt for a new convention, like a new pac4jCallback parameter to say
> if it's a callback or not. And this way, you could choose on the fly which
> authentication mechanism you want to use."



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
