Hi Robert,

> what would we lose in terms of functionality if we don't implement
> the Hybrid flow?

In the Hybrid flow, we will be able to issue tokens separately for the front channel and the back channel.

> how much additional effort is it to implement Hybrid flow?

Hybrid flow is the combination of the two flows. And for the Hybrid flow there is a new variable called "c_hash". To implement the Hybrid flow we need to combine the flows and implement the "c_hash" value.

Can you please direct me to the Apache Sling repository for the OAuth 2.0 implementation?

Thank you.

On Fri, Mar 23, 2018 at 4:03 PM, Robert Munteanu <[email protected]> wrote:

> Hi Hasini,
>
> Thank you for the idea submission and for the description. Some more
> comments inline.
>
> On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
> > Hi all,
> >
> > I am an undergraduate from University of Moratuwa, Computer Science
> > and Engineering department. I am interested in the $subject project idea.
> > I have worked with an OpenID Connect certification project previously.
> >
> > OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0
> > family of specifications. There are three main specifications [1][2][3]
> > written for OIDC. Since the project goal is to create an OIDC authentication
> > handler, we need to focus on specification [1].
> >
> > There are three main flows for the authentication process given in
> > the specification [1].
> >
> > 1. *Authentication code flow* *(Basic)* - This flow will first issue a
> > code from the authorization endpoint, and that code can be used to issue
> > an access token and id_token from the token endpoint. In this flow the
> > client secret is shared to recognize the relying party, so this flow can
> > be used for applications that have a secure server-side application.
> > 2. *Implicit flow* - This flow will not issue a code, but it will issue
> > an access token and id_token from the authorization endpoint. In this
> > flow the client secret is not shared, so this flow is preferred for
> > single-page web applications.
> > 3. *Hybrid flow* - This is a combination of the previous two flows.
> >
> > Basic and Implicit flows must be supported by an OIDC Authentication
> > Handler. Hybrid flow is not mandatory as per the specification [1].
> > The blog [4] written by me on OIDC basics will help to understand the
> > basics without reading the whole specification.
> >
> > Should we try to implement all three flows or the first two
> > flows (Basic and Implicit)?
>
> My first thought would be to make sure we don't have too large a scope
> with a GSoC idea, to make sure that it can be completed with good
> quality in the allocated time.
>
> So my questions would be
>
> - what would we lose in terms of functionality if we don't implement
> the Hybrid flow?
> - how much additional effort is it to implement Hybrid flow?
>
> Thanks,
>
> Robert
>
> > [1] - http://openid.net/specs/openid-connect-core-1_0.html
> > [2] - https://openid.net/specs/openid-connect-discovery-1_0.html
> > [3] - http://openid.net/specs/openid-connect-registration-1_0.html
> > [4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090
> >
> > Thank you.

--
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>
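Added example, not code from this thread or from Apache Sling: a relying-party-side check of the "c_hash" claim the Hybrid flow introduces, computed the way OIDC Core 1.0 section 3.3.2.11 describes it (hash the ASCII code with the digest named by the ID Token's alg, keep the left-most half, base64url-encode without padding); the same helper serves at_hash over an access token. Function names and the sample code value are my own.

```python
import base64
import hashlib
import hmac
from typing import Optional

# JOSE "alg" values map to the digest for c_hash / at_hash by the number in the
# alg name (OIDC Core 1.0, 3.3.2.10 and 3.3.2.11): RS256 -> SHA-256, ES384 -> SHA-384,
# HS512 -> SHA-512. An unsigned ID Token (alg "none") cannot carry a usable c_hash.
_ALG_TO_HASH = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def _b64url_no_pad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_c_hash(code: str, alg: str) -> str:
    """c_hash for an authorization code (or at_hash for an access token):
    digest of the ASCII value, left-most half, base64url without padding."""
    suffix = alg[-3:]
    if suffix not in _ALG_TO_HASH:
        raise ValueError(f"unsupported ID Token alg for c_hash: {alg}")
    digest = _ALG_TO_HASH[suffix](code.encode("ascii")).digest()
    return _b64url_no_pad(digest[: len(digest) // 2])


def verify_c_hash(code: str, alg: str, c_hash_claim: Optional[str]) -> bool:
    """Relying-party check: the code received on the front channel must match the
    c_hash bound into the (already signature-verified) ID Token. A missing claim
    fails closed; the comparison is constant-time."""
    if not c_hash_claim:
        return False
    return hmac.compare_digest(compute_c_hash(code, alg), c_hash_claim)


if __name__ == "__main__":
    # Sample value (constructed here, not from a live provider).
    sample_code = "SplxlOBeZQQYbYS6WxSbIA"
    claim = compute_c_hash(sample_code, "RS256")
    print("c_hash:", claim, "ok:", verify_c_hash(sample_code, "RS256", claim))
```

Perform this check only after the ID Token's signature and its iss, aud, exp and nonce claims have been verified, since c_hash is only as trustworthy as the token that carries it.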
