Hi Hasini,

Thank you for the idea submission and for the description. Some more comments inline.

On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
> Hi all,
>
> I am an undergraduate from University of Moratuwa, Computer Science and
> Engineering department. I am interested in the $subject project idea. I
> have worked with an OpenID Connect certification project previously.
>
> OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0
> family of specifications. There are three main specifications [1][2][3]
> written for OIDC. Since the project goal is to create an OIDC authentication
> handler, we need to focus on the [1] specification.
>
> There are three main flows for the authentication process given in the
> specification [1].
>
> 1. *Authentication code flow* *(Basic)* - This flow will first issue a
>    code in the authorization endpoint and that code can be used to issue an
>    access token and id_token from the token endpoint. In this flow the client
>    secret is shared to recognize the relying party. So this flow can be used
>    for applications that have a secure server side application.
> 2. *Implicit flow* - This flow will not issue a code but it will issue an
>    access token and id_token from the authorization endpoint. In this flow the
>    client secret is not shared, so this flow is preferred for single web page
>    applications.
> 3. *Hybrid flow* - This is a combination of the previous two flows.
>
> Basic and Implicit flows must be supported by an OIDC Authentication
> Handler. Hybrid flow is not mandatory as per the specification [1]. The
> blog [4] written by me on OIDC Basics will help to understand the basics
> without reading the whole specification.
>
> Should we try to implement all three flows or the first two flows (Basic and
> Implicit)?

My first thought would be to make sure we don't have too large a scope with a
GSoC idea, to make sure that it can be completed with good quality in the
allocated time. So my questions would be
- what would we lose in terms of functionality if we don't implement the Hybrid flow?
- how much additional effort is it to implement the Hybrid flow?

Thanks,
Robert

> [1] - http://openid.net/specs/openid-connect-core-1_0.html
> [2] - https://openid.net/specs/openid-connect-discovery-1_0.html
> [3] - http://openid.net/specs/openid-connect-registration-1_0.html
> [4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090
>
> Thank you.
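As an added illustration of the two flows the thread says a handler must support (Basic/code and Implicit), and not code from this thread or from the project, the following Python sketch plays both the relying party and a fake OpenID Provider in one process, so the messages of each flow can be followed end to end: the authentication request with `state` and `nonce`, the redirect back (code in the query string for Basic, tokens in the fragment for Implicit), the back-channel token request authenticated with the client secret in the Basic flow only, and the ID Token checks a handler has to make before trusting the result. The issuer, client_id, client secret and redirect_uri are hypothetical, and the OP signs with HS256 under a constructed shared key as a stand-in for a real OP's RS256 key fetched through discovery [2].

```python
"""Constructed example: OIDC Basic (code) and Implicit flows, relying party and a fake OP in one process."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

OP_ISSUER = "https://op.example"          # hypothetical OpenID Provider
CLIENT_ID = "rp-client"                   # hypothetical relying-party client_id
CLIENT_SECRET = "rp-secret"               # hypothetical; only the code flow ever sends it
REDIRECT_URI = "https://rp.example/cb"    # hypothetical registered redirect_uri
OP_SIGNING_KEY = b"constructed-hs256-key"  # stand-in for the OP's real RS256 key (published via JWKS)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(sub, nonce, aud, ttl=300):
    """OP side: mint a minimal HS256 ID Token carrying the mandatory claims."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": OP_ISSUER, "sub": sub, "aud": aud, "nonce": nonce, "iat": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_id_token(token, expected_nonce, now=None):
    """RP side: the checks OIDC Core section 3.1.3.7 requires before an ID Token is trusted."""
    head, body, sig = token.split(".")
    expected = hmac.new(OP_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims["iss"] != OP_ISSUER:
        raise ValueError("wrong issuer")
    if claims["aud"] != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["nonce"] != expected_nonce:
        raise ValueError("nonce mismatch (replayed token)")
    return claims

class FakeOP:
    """Just enough of an OpenID Provider to answer both mandatory flows."""
    def __init__(self):
        self.codes = {}  # code -> (user, nonce); a real OP also binds client_id and redirect_uri

    def authorize(self, url, user="alice"):
        """Authorization endpoint: returns the redirect the browser would follow."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q["client_id"] != CLIENT_ID or q["redirect_uri"] != REDIRECT_URI:
            raise ValueError("unknown client or redirect_uri")
        if q["response_type"] == "code":  # Basic flow: only a code, in the query string
            code = secrets.token_urlsafe(16)
            self.codes[code] = (user, q["nonce"])
            return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})
        if q["response_type"] == "id_token token":  # Implicit flow: tokens in the fragment
            frag = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                    "id_token": make_id_token(user, q["nonce"], CLIENT_ID), "state": q["state"]}
            return REDIRECT_URI + "#" + urlencode(frag)
        raise ValueError("unsupported response_type")

    def token(self, code, client_id, client_secret):
        """Token endpoint: back-channel call, authenticated with the client secret."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        user, nonce = self.codes.pop(code)  # pop: a code is single use
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "id_token": make_id_token(user, nonce, client_id)}

def start_login(flow):
    """RP: build the authentication request; state and nonce are kept in the session."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    response_type = {"code": "code", "implicit": "id_token token"}[flow]
    url = OP_ISSUER + "/authorize?" + urlencode({
        "response_type": response_type, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": session["state"], "nonce": session["nonce"]})
    return url, session

def finish_login(op, callback_url, session):
    """RP: handle the redirect back and return the authenticated subject."""
    parsed = urlparse(callback_url)
    params = {k: v[0] for k, v in parse_qs(parsed.query or parsed.fragment).items()}
    if not hmac.compare_digest(params.get("state", ""), session["state"]):
        raise ValueError("state mismatch (possible CSRF)")
    if "code" in params:
        tokens = op.token(params["code"], CLIENT_ID, CLIENT_SECRET)  # Basic: redeem the code
    else:
        tokens = params  # Implicit: the tokens arrived with the redirect itself
    return verify_id_token(tokens["id_token"], session["nonce"])["sub"]

def run_flow(flow):
    op = FakeOP()
    url, session = start_login(flow)
    return finish_login(op, op.authorize(url), session)
```

`run_flow("code")` and `run_flow("implicit")` both end with the subject `alice`; the difference lies in where the secret is used and where the tokens travel. In the Basic flow the browser only ever sees a short-lived, single-use code and the client secret stays on the server that calls the token endpoint, which is why the thread pairs it with server-side applications; in the Implicit flow the ID Token and access token ride in the URL fragment to a client that has no secret, so the `nonce` check inside `verify_id_token` is the only thing binding the token to this login attempt. A Hybrid implementation would return a code together with one or both tokens from the authorization endpoint and then has to apply both sets of checks, which is a reasonable starting point for estimating the extra effort Robert asks about.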
