Hi all,

The below [1] is the proposal for the project "OpenID Connect authentication handler for Apache Sling". Please review and give your comments.

[1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing

Thank you.

On Fri, Mar 23, 2018 at 10:38 PM, Hasini Witharana <[email protected]> wrote:
> Hi Robert,
>
>> what would we lose in terms of functionality if we don't implement
>> the Hybrid flow?
>
> In the Hybrid flow, we will be able to issue tokens separately for the front
> channel and the back channel.
>
>> how much additional effort is it to implement Hybrid flow?
>
> Hybrid flow is the combination of the two flows. And for the Hybrid flow
> there is a new variable, "c_hash". To implement the Hybrid flow we need
> to combine the flows and implement the "c_hash" value.
>
> Can you please direct me to the Apache Sling repository for the OAuth2.0
> implementation?
>
> Thank you.
>
> On Fri, Mar 23, 2018 at 4:03 PM, Robert Munteanu <[email protected]> wrote:
>
>> Hi Hasini,
>>
>> Thank you for the idea submission and for the description. Some more
>> comments inline.
>>
>> On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
>> > Hi all,
>> >
>> > I am an undergraduate from University of Moratuwa, Computer Science and
>> > Engineering department. I am interested in the $subject project idea. I
>> > have worked with an OpenID Connect certification project previously.
>> >
>> > OpenID Connect (OIDC) is an authentication protocol based on the OAuth2.0
>> > family of specifications. There are three main specifications [1][2][3]
>> > written for OIDC. Since the project goal is to create an OIDC authentication
>> > handler, we need to focus on specification [1].
>> >
>> > There are three main flows for the authentication process given in the
>> > specification [1].
>> >
>> > 1. *Authentication code flow (Basic)* - This flow will first issue a
>> > code at the authorization endpoint, and that code can be used to issue
>> > an access token and id_token from the token endpoint. In this flow the
>> > client secret is shared to recognize the relying party. So this flow can
>> > be used for applications that have a secure server side.
>> > 2. *Implicit flow* - This flow will not issue a code, but it will issue
>> > an access token and id_token from the authorization endpoint. In this
>> > flow the client secret is not shared, so this flow is preferred for
>> > single-page web applications.
>> > 3. *Hybrid flow* - This is a combination of the previous two flows.
>> >
>> > Basic and Implicit flows must be supported by an OIDC Authentication
>> > Handler. Hybrid flow is not mandatory as per the specification [1]. The
>> > blog [4] written by me on OIDC Basics will help to understand the basics
>> > without reading the whole specification.
>> >
>> > Should we try to implement all three flows or the first two flows
>> > (Basic and Implicit)?
>>
>> My first thought would be to make sure we don't have too large a scope
>> with a GSoC idea, to make sure that it can be completed with good
>> quality in the allocated time.
>>
>> So my questions would be:
>>
>> - what would we lose in terms of functionality if we don't implement
>> the Hybrid flow?
>> - how much additional effort is it to implement Hybrid flow?
>>
>> Thanks,
>>
>> Robert
>>
>> > [1] - http://openid.net/specs/openid-connect-core-1_0.html
>> > [2] - https://openid.net/specs/openid-connect-discovery-1_0.html
>> > [3] - http://openid.net/specs/openid-connect-registration-1_0.html
>> > [4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090
>> >
>> > Thank you.
>
> --
> *Hasini Witharana*
> Undergraduate | Department of Computer Science and Engineering
> University of Moratuwa
> Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>

--
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>
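The one concrete piece of extra work the thread names for the Hybrid flow is the `c_hash` claim. The snippet below is an added example, not code from this thread or from the Apache Sling project (which is Java; Python is used here only so the example is self-contained), showing how a relying party computes and checks `c_hash` and `at_hash` as OpenID Connect Core 1.0 defines them: base64url of the left-most half of the hash of the ASCII code or access token, where the hash is the one implied by the ID token's `alg` header (RS256 → SHA-256, ES384 → SHA-384, and so on). The issuer, subject, code and algorithm values are constructed placeholders, and the check assumes the ID token's signature, `iss`, `aud`, `exp` and `nonce` have already been validated by the handler.

```python
# Added example (not from the thread or Apache Sling): OIDC c_hash / at_hash
# computation and verification for ID tokens returned from the authorization
# endpoint (Implicit and Hybrid flows). The claims bind the ID token to the
# code and access token delivered next to it in the same front-channel response.
import base64
import hashlib
import hmac

# OIDC Core: the hash is the one used by the ID token's JOSE "alg" header,
# e.g. RS256/ES256/PS256/HS256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512.
_HASH_FOR_ALG_SUFFIX = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def hash_for_alg(alg: str):
    """Return the hashlib constructor matching a JWS alg such as RS256."""
    for suffix, ctor in _HASH_FOR_ALG_SUFFIX.items():
        if alg.endswith(suffix):
            return ctor
    # "none" and unknown algorithms are rejected rather than guessed at.
    raise ValueError(f"unsupported ID token alg: {alg}")


def left_half_hash(value: str, alg: str) -> str:
    """base64url (no padding) of the left-most half of hash(ascii(value))."""
    digest = hash_for_alg(alg)(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def compute_c_hash(code: str, alg: str) -> str:
    """c_hash over the authorization code (OIDC Core 3.3.2.11)."""
    return left_half_hash(code, alg)


def compute_at_hash(access_token: str, alg: str) -> str:
    """at_hash over the access token (OIDC Core 3.2.2.9 / 3.3.2.11)."""
    return left_half_hash(access_token, alg)


def _claim_matches(claims: dict, name: str, expected: str) -> bool:
    actual = claims.get(name)
    # Constant-time compare; a missing or non-string claim is a mismatch.
    return isinstance(actual, str) and hmac.compare_digest(actual, expected)


def verify_front_channel_binding(claims: dict, alg: str,
                                 code: str = None, access_token: str = None) -> bool:
    """
    Verify that an ID token issued from the authorization endpoint is bound to
    the code and/or access token received alongside it. Any code returned with
    the ID token must be covered by c_hash, and any access token returned with
    it must be covered by at_hash. Signature, iss, aud, exp and nonce checks
    are assumed to have been done already by the caller.
    """
    if code is not None and not _claim_matches(claims, "c_hash", compute_c_hash(code, alg)):
        return False
    if access_token is not None and not _claim_matches(
            claims, "at_hash", compute_at_hash(access_token, alg)):
        return False
    return True


def demo() -> dict:
    """Constructed Hybrid 'code id_token' response signed with RS256 (placeholders)."""
    alg = "RS256"
    code = "abc"  # constructed authorization code
    claims = {
        "iss": "https://op.example",   # placeholder issuer
        "sub": "1234",                 # placeholder subject
        "c_hash": compute_c_hash(code, alg),
    }
    return {
        "c_hash": claims["c_hash"],
        # The code that arrived with the ID token verifies...
        "genuine": verify_front_channel_binding(claims, alg, code=code),
        # ...while a different code presented with the same ID token does not.
        "swapped_code": verify_front_channel_binding(claims, alg, code="some-other-code"),
    }


if __name__ == "__main__":
    print(demo())
```

The check matters because in the Hybrid flow the code travels in the front channel next to the ID token; without comparing `c_hash` a handler cannot tell whether the code it later redeems at the token endpoint is the one the provider issued in that same response. The same `left_half_hash` helper serves `at_hash`, which is why both are checked by one function.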
