Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-05-07 Thread Robert Munteanu
On Sat, 2018-05-05 at 00:01 +0530, Hasini Witharana wrote:
> 
> Does Apache Sling need to support any OpenID Connect Provider or
> specific OPs?

One option is to use a 'cloud' provider like Google/Twitter as it
simplifies the local setup and is easy to add to our starter
application.

We should keep this extensible as we will likely want to add support
for other providers - there is interest in adding Keycloak support.

Thanks,

Robert


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-05-04 Thread Hasini Witharana
Hi all,

To obtain authentication from an OpenID Connect Provider (OP), a relying
party should first register itself with the OP. The OP will then give some
details such as client_id, client_secret, endpoints, etc. This process can be
done manually or by using Dynamic Client Registration[1]. If we plan to get
the details by Dynamic Client Registration then we need to implement the
specification[1].

Does Apache Sling need to support any OpenID Connect Provider or specific
OPs?

[1] - https://openid.net/specs/openid-connect-registration-1_0.html

Thank You.

On Thu, May 3, 2018 at 11:46 PM, Hasini Witharana 
wrote:

> Hi Robert,
>
> I do not have edit access for
> https://cwiki.apache.org/confluence/display/SLING/GSOC+2018+-+Provide+an+OpenID+Connect+Authentication+Handler
> 
> Can you please check on this matter?
>
> Thank you.
>
> On Thu, May 3, 2018 at 1:55 PM, Robert Munteanu 
> wrote:
>
>> On Thu, 2018-05-03 at 13:34 +0530, Hasini Witharana wrote:
>> > Hi Robert,
>> >
>> > My username is "hasinidilanka" for my Confluence account and I have sent
>> > a pull request[1] for the OpenID Connect Handler.
>> >
>> > [1] - https://github.com/apache/sling-whiteboard/pull/13
>>
>> Nice :-) Bertrand already merged it, so you got your first commit
>> pushed to the Sling whiteboard.
>>
>> I've created
>> https://cwiki.apache.org/confluence/display/SLING/GSOC+2018+-+Provide+an+OpenID+Connect+Authentication+Handler
>> and granted you editing rights, please confirm that it works as expected.
>>
>> Robert
>>
>> >
>> > Thank You.
>> >
>> >
>> > On Wed, May 2, 2018 at 4:55 PM, Robert Munteanu 
>> > wrote:
>> >
>> > > On Sun, 2018-04-29 at 01:05 +0530, Hasini Witharana wrote:
>> > > > Hi Robert,
>> > > >
>> > > > I have made some changes to the estimated schedule and end
>> > > > deliverables sections in the proposal[1]. Please review and give your
>> > > > comments.
>> > > >
>> > > > [1] -
>> > > > https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
>> > >
>> > > Looks good overall. I would suggest moving the next iteration to
>> > > the Apache Sling Wiki at https://cwiki.apache.org/confluence/display/SLING/
>> > > - please send me your username and I'll grant you the necessary
>> > > rights.
>> > >
>> > > Also for the next iteration it would be good to understand what
>> > > kind of testing you had in mind (unit tests based on Mocks, integration
>> > > testing based on 'live' servers, etc.).
>> > >
>> > > Robert
>> > >
>> > > >
>> > > > Thank you.
>> > > >
>> > > > On Fri, Apr 27, 2018 at 4:54 PM, Robert Munteanu wrote:
>> > > >
>> > > > > Hi Hasini,
>> > > > >
>> > > > > On Fri, 2018-04-27 at 00:37 +0530, Hasini Witharana wrote:
>> > > > > > Hi all,
>> > > > > >
>> > > > > > In the OpenID Connect flow there are three main parties.
>> > > > > >
>> > > > > > 1. End-User - Resource owner
>> > > > > > 2. OpenID Connect Provider - Authorization Server that is capable
>> > > > > > of authenticating the End-User and providing claims to a Relying
>> > > > > > Party about the Authentication event and the End-User
>> > > > > > 3. Relying Party - A client requiring End-User Authentication
>> > > > > > and Claims from an OpenID Connect Provider.
>> > > > > >
>> > > > > > When considering the OIDC flow, does Sling act as an OpenID
>> > > > > > Connect provider or a relying party?
>> > > > >
>> > > > >
>> > > > > Sling IMO should act as a relying party.
>> > > > >
>> > > > > Robert
>> > > > >
>> > > >
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
>
>
> --
> *Hasini Witharana*
> Undergraduate | Department of Computer Science and Engineering
> University of Moratuwa
> Linkedin 
>



-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 
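The registration step described in the message above (the relying party registers with the OP, either manually or via Dynamic Client Registration, and receives client_id, client_secret and friends), as an added example that is not part of the original message, of the Sling whiteboard code, or of Oltu. It builds the RP's registration request and validates the OP's response offline; the hosts rp.example and op.example and all sample responses are constructed for the example.

```python
"""Relying-party side of OpenID Connect Dynamic Client Registration.

Added example for this thread, not code from the Sling whiteboard project or
from Oltu. The RP builds the metadata it sends to the OP's
registration_endpoint, then validates the OP's answer before storing it.
No network is used; the OP responses below are constructed samples.
"""
import json
import time
from dataclasses import dataclass
from typing import List, Optional


class RegistrationError(Exception):
    """An OP error response, or a success response the RP must not trust."""

    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}")
        self.error = error


def build_registration_request(redirect_uris: List[str], client_name: str) -> dict:
    """Client metadata per OpenID Connect Dynamic Client Registration 1.0, section 2.

    redirect_uris is the only REQUIRED member; the rest pin the RP to the
    authorization code flow with client_secret_basic so a permissive OP
    default cannot silently weaken the registration.
    """
    if not redirect_uris:
        raise ValueError("redirect_uris is REQUIRED")
    for uri in redirect_uris:
        # RP policy in this example: callbacks only over TLS, and no fragment
        # component, which OAuth 2.0 forbids in redirect URIs.
        if not uri.startswith("https://") or "#" in uri:
            raise ValueError(f"unacceptable redirect URI: {uri}")
    return {
        "redirect_uris": list(redirect_uris),
        "client_name": client_name,
        "application_type": "web",
        "response_types": ["code"],
        "grant_types": ["authorization_code"],
        "token_endpoint_auth_method": "client_secret_basic",
        "id_token_signed_response_alg": "RS256",
    }


@dataclass
class ClientRegistration:
    """What the RP persists after registering, whether manually or dynamically."""
    client_id: str
    client_secret: Optional[str]
    client_secret_expires_at: int  # seconds since epoch; 0 means never expires
    redirect_uris: List[str]

    def secret_usable(self, now: Optional[float] = None) -> bool:
        """True if a client_secret was issued and has not yet expired."""
        if not self.client_secret:
            return False
        if self.client_secret_expires_at == 0:
            return True
        return (time.time() if now is None else now) < self.client_secret_expires_at


# Section 3.2 lets the OP replace requested values; the RP's security depends
# on these, so any change makes the RP fail closed instead of adapting.
MUST_MATCH = ("redirect_uris", "token_endpoint_auth_method", "response_types", "grant_types")


def parse_registration_response(status: int, body: str, requested: dict) -> ClientRegistration:
    """Validate a registration response (sections 3.2 and 3.3) against the request."""
    data = json.loads(body)
    if status != 201:
        # Section 3.3: HTTP 400 with an OAuth-style error object.
        raise RegistrationError(data.get("error", "unknown_error"), data.get("error_description", ""))
    if not isinstance(data.get("client_id"), str) or not data["client_id"]:
        raise RegistrationError("invalid_response", "client_id is REQUIRED on success")
    secret = data.get("client_secret")
    if secret is not None and "client_secret_expires_at" not in data:
        raise RegistrationError("invalid_response", "client_secret_expires_at is REQUIRED with a secret")
    for key in MUST_MATCH:
        if data.get(key) != requested[key]:
            raise RegistrationError("invalid_response", f"OP altered {key}: {data.get(key)!r}")
    return ClientRegistration(data["client_id"], secret,
                              int(data.get("client_secret_expires_at", 0)), list(data["redirect_uris"]))


# Constructed sample request and OP responses (not captured from any real OP).
REQUESTED = build_registration_request(["https://rp.example/oidc/callback"], "Sling RP (example)")
SAMPLE_OK = json.dumps({**REQUESTED, "client_id": "rp-client-0001",
                        "client_secret": "constructed-secret", "client_secret_expires_at": 1893456000})
# An OP that "helpfully" downgrades token endpoint authentication to none.
SAMPLE_WEAKENED = json.dumps({**REQUESTED, "client_id": "rp-client-0002",
                              "client_secret_expires_at": 0, "token_endpoint_auth_method": "none"})
SAMPLE_ERROR = json.dumps({"error": "invalid_redirect_uri",
                           "error_description": "redirect_uris must be absolute https URIs"})
```

With manual registration the same ClientRegistration is filled from configuration instead of from parse_registration_response, so the rest of the handler does not care which path produced it.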


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-05-03 Thread Robert Munteanu
On Thu, 2018-05-03 at 13:34 +0530, Hasini Witharana wrote:
> Hi Robert,
> 
> My username is "hasinidilanka" for my Confluence account and I have sent
> a pull request[1] for the OpenID Connect Handler.
> 
> [1] - https://github.com/apache/sling-whiteboard/pull/13

Nice :-) Bertrand already merged it, so you got your first commit
pushed to the Sling whiteboard.

I've created
https://cwiki.apache.org/confluence/display/SLING/GSOC+2018+-+Provide+an+OpenID+Connect+Authentication+Handler
and granted you editing rights, please confirm that it works as expected.

Robert

> 
> Thank You.
> 
> 
> On Wed, May 2, 2018 at 4:55 PM, Robert Munteanu 
> wrote:
> 
> > On Sun, 2018-04-29 at 01:05 +0530, Hasini Witharana wrote:
> > > Hi Robert,
> > > 
> > > I have made some changes to the estimated schedule and end
> > > deliverables sections in the proposal[1]. Please review and give your
> > > comments.
> > > 
> > > [1] -
> > > https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
> > 
> > Looks good overall. I would suggest moving the next iteration to
> > the Apache Sling Wiki at https://cwiki.apache.org/confluence/display/SLING/
> > - please send me your username and I'll grant you the necessary
> > rights.
> > 
> > Also for the next iteration it would be good to understand what
> > kind of testing you had in mind (unit tests based on Mocks, integration
> > testing based on 'live' servers, etc.).
> > 
> > Robert
> > 
> > > 
> > > Thank you.
> > > 
> > > On Fri, Apr 27, 2018 at 4:54 PM, Robert Munteanu wrote:
> > > 
> > > > Hi Hasini,
> > > > 
> > > > On Fri, 2018-04-27 at 00:37 +0530, Hasini Witharana wrote:
> > > > > Hi all,
> > > > > 
> > > > > In the OpenID Connect flow there are three main parties.
> > > > > 
> > > > > 1. End-User - Resource owner
> > > > > 2. OpenID Connect Provider - Authorization Server that is capable
> > > > > of authenticating the End-User and providing claims to a Relying
> > > > > Party about the Authentication event and the End-User
> > > > > 3. Relying Party - A client requiring End-User Authentication
> > > > > and Claims from an OpenID Connect Provider.
> > > > > 
> > > > > When considering the OIDC flow, does Sling act as an OpenID
> > > > > Connect provider or a relying party?
> > > > 
> > > > 
> > > > Sling IMO should act as a relying party.
> > > > 
> > > > Robert
> > > > 
> > > 
> > > 
> > > 
> > 
> > 
> 
> 



Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-05-03 Thread Hasini Witharana
Hi Robert,

My username is "hasinidilanka" for my Confluence account and I have sent a
pull request[1] for the OpenID Connect Handler.

[1] - https://github.com/apache/sling-whiteboard/pull/13

Thank You.


On Wed, May 2, 2018 at 4:55 PM, Robert Munteanu  wrote:

> On Sun, 2018-04-29 at 01:05 +0530, Hasini Witharana wrote:
> > Hi Robert,
> >
> > I have made some changes to the estimated schedule and end
> > deliverables sections in the proposal[1]. Please review and give your comments.
> >
> > [1] -
> > https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
>
> Looks good overall. I would suggest moving the next iteration to the
> Apache Sling Wiki at https://cwiki.apache.org/confluence/display/SLING/
> - please send me your username and I'll grant you the necessary
> rights.
>
> Also for the next iteration it would be good to understand what kind of
> testing you had in mind (unit tests based on Mocks, integration
> testing based on 'live' servers, etc.).
>
> Robert
>
> >
> > Thank you.
> >
> > On Fri, Apr 27, 2018 at 4:54 PM, Robert Munteanu 
> > wrote:
> >
> > > Hi Hasini,
> > >
> > > On Fri, 2018-04-27 at 00:37 +0530, Hasini Witharana wrote:
> > > > Hi all,
> > > >
> > > > In the OpenID Connect flow there are three main parties.
> > > >
> > > > 1. End-User - Resource owner
> > > > 2. OpenID Connect Provider - Authorization Server that is capable
> > > > of authenticating the End-User and providing claims to a Relying
> > > > Party about the Authentication event and the End-User
> > > > 3. Relying Party - A client requiring End-User Authentication
> > > > and Claims from an OpenID Connect Provider.
> > > >
> > > > When considering the OIDC flow, does Sling act as an OpenID
> > > > Connect provider or a relying party?
> > >
> > >
> > > Sling IMO should act as a relying party.
> > >
> > > Robert
> > >
> >
> >
> >
>
>


-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-05-02 Thread Robert Munteanu
On Wed, 2018-05-02 at 13:24 +0200, Bertrand Delacretaz wrote:
> Hi,
> 
> On Sat, Apr 28, 2018 at 9:35 PM, Hasini Witharana
>  wrote:
> > ...I have done some changes to the estimated schedule and end
> > deliverables
> > sections,...
> 
> One small but important thing, the deliverables should include
> contributing the implementation to Apache Sling.
> 
> Ideally (but I'll let Robert decide) the code should be developed in
> a
> Sling code repository, maybe
> https://github.com/apache/sling-whiteboard

That's a very good point, Bertrand. The code should be periodically
submitted as pull requests to the whiteboard repository.

Hasini - I suggest that you submit a pull request which just adds a
folder for your work and a README file to make sure everything works at
your end.

Robert


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-05-02 Thread Robert Munteanu
On Sun, 2018-04-29 at 01:05 +0530, Hasini Witharana wrote:
> Hi Robert,
> 
> I have made some changes to the estimated schedule and end
> deliverables sections in the proposal[1]. Please review and give your comments.
> 
> [1] -
> https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing

Looks good overall. I would suggest moving the next iteration to the
Apache Sling Wiki at https://cwiki.apache.org/confluence/display/SLING/
- please send me your username and I'll grant you the necessary
rights.

Also for the next iteration it would be good to understand what kind of
testing you had in mind (unit tests based on Mocks, integration
testing based on 'live' servers, etc.).

Robert

> 
> Thank you.
> 
> On Fri, Apr 27, 2018 at 4:54 PM, Robert Munteanu 
> wrote:
> 
> > Hi Hasini,
> > 
> > On Fri, 2018-04-27 at 00:37 +0530, Hasini Witharana wrote:
> > > Hi all,
> > > 
> > > In the OpenID Connect flow there are three main parties.
> > > 
> > > 1. End-User - Resource owner
> > > 2. OpenID Connect Provider - Authorization Server that is capable
> > > of authenticating the End-User and providing claims to a Relying
> > > Party about the Authentication event and the End-User
> > > 3. Relying Party - A client requiring End-User Authentication
> > > and Claims from an OpenID Connect Provider.
> > > 
> > > When considering the OIDC flow, does Sling act as an OpenID
> > > Connect provider or a relying party?
> > 
> > 
> > Sling IMO should act as a relying party.
> > 
> > Robert
> > 
> 
> 
> 



Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-05-02 Thread Bertrand Delacretaz
Hi,

On Sat, Apr 28, 2018 at 9:35 PM, Hasini Witharana
 wrote:
> ...I have done some changes to the estimated schedule and end deliverables
> sections,...

One small but important thing, the deliverables should include
contributing the implementation to Apache Sling.

Ideally (but I'll let Robert decide) the code should be developed in a
Sling code repository, maybe
https://github.com/apache/sling-whiteboard

-Bertrand


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-28 Thread Hasini Witharana
Hi Robert,

I have made some changes to the estimated schedule and end deliverables
sections in the proposal[1]. Please review and give your comments.

[1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing

Thank you.

On Fri, Apr 27, 2018 at 4:54 PM, Robert Munteanu  wrote:

> Hi Hasini,
>
> On Fri, 2018-04-27 at 00:37 +0530, Hasini Witharana wrote:
> > Hi all,
> >
> > In the OpenID Connect flow there are three main parties.
> >
> > 1. End-User - Resource owner
> > 2. OpenID Connect Provider - Authorization Server that is capable
> > of authenticating the End-User and providing claims to a Relying
> > Party about the Authentication event and the End-User
> > 3. Relying Party - A client requiring End-User Authentication and
> > Claims from an OpenID Connect Provider.
> >
> > When considering the OIDC flow, does Sling act as an OpenID Connect
> > provider or a relying party?
>
>
> Sling IMO should act as a relying party.
>
> Robert
>



-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-27 Thread Robert Munteanu
Hi Hasini,

On Fri, 2018-04-27 at 00:37 +0530, Hasini Witharana wrote:
> Hi all,
> 
> In the OpenID Connect flow there are three main parties.
> 
> 1. End-User - Resource owner
> 2. OpenID Connect Provider - Authorization Server that is capable
> of authenticating the End-User and providing claims to a Relying
> Party about the Authentication event and the End-User
> 3. Relying Party - A client requiring End-User Authentication and
> Claims from an OpenID Connect Provider.
> 
> When considering the OIDC flow, does Sling act as an OpenID Connect
> provider or a relying party?


Sling IMO should act as a relying party.

Robert


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-26 Thread Hasini Witharana
Hi all,

In the OpenID Connect flow there are three main parties.

   1. End-User - Resource owner
   2. OpenID Connect Provider - Authorization Server that is capable of
   authenticating the End-User and providing claims to a Relying Party about
   the Authentication event and the End-User
   3. Relying Party - A client requiring End-User Authentication and Claims
   from an OpenID Connect Provider.

When considering the OIDC flow, does Sling act as an OpenID Connect
provider or a relying party?
Thank You.

On Tue, Apr 24, 2018 at 5:36 PM, Bertrand Delacretaz  wrote:

> On Tue, Apr 24, 2018 at 11:16 AM, Robert Munteanu 
> wrote:
> > ...My only ask would be to keep all communications on the dev list, for
> > everyone's (current and future) benefit
>
> In the same vein I'd say all documentation should be on Apache Sling
> "properties", we have:
>
> - The wiki at https://cwiki.apache.org/confluence/display/SLING/Index
> that we usually use for drafts, brainstorming etc
> - http://issues.apache.org/jira/browse/SLING which we use for all
> coordination, not just bugs
> - README etc in the modules themselves
>
> So for example we (at least I) much prefer having things at
> cwiki.apache.org rather than Google Docs, as that belongs to the ASF
> and especially is easier to discover.
>
> -Bertrand
>



-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-24 Thread Bertrand Delacretaz
On Tue, Apr 24, 2018 at 11:16 AM, Robert Munteanu  wrote:
> ...My only ask would be to keep all communications on the dev list, for
> everyone's (current and future) benefit

In the same vein I'd say all documentation should be on Apache Sling
"properties", we have:

- The wiki at https://cwiki.apache.org/confluence/display/SLING/Index
that we usually use for drafts, brainstorming etc
- http://issues.apache.org/jira/browse/SLING which we use for all
coordination, not just bugs
- README etc in the modules themselves

So for example we (at least I) much prefer having things at
cwiki.apache.org rather than Google Docs, as that belongs to the ASF
and especially is easier to discover.

-Bertrand


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-24 Thread Hasini Witharana
Hi Ioan,


> I can help with regard to the Oauth / Oidc protocols and
> architecture so if you ever find yourself struggling, reach out and I'll
> find some time.


Thank you very much for your support and I will surely ask my doubts from
you.

On Tue, Apr 24, 2018 at 2:43 PM, Ioan Eugen Stan  wrote:

> Hello Hasini, Robert,
>
> I'm also going to work in this field - working to integrate Keycloak
> OpenId Connect with Sling. I should start on it next month.
>
> I will share more feedback as I go through the process and hope to
> collaborate.
>
> Good luck with your project.
>
> @Hasini: I can help with regard to the Oauth / Oidc protocols and
> architecture so if you ever find yourself struggling, reach out and I'll
> find some time.
>
> /Eugen
>
>
> On 24.04.2018 12:06, Robert Munteanu wrote:
> > Hi Hasini,
> >
> > On Tue, 2018-04-24 at 00:51 +0530, Hasini Witharana wrote:
> >> Hi Robert,
> >>
> >> I have been selected for the $subject GSoC project. I am really
> >> looking forward to working with you.
> > Congratulations, this is great news!
> >
> >> The below [1] is the proposal for the project. There are two
> >> approaches for the OIDC implementation.
> >>
> >> 1. Use Apache Oltu OAuth2.0 implementation as a dependency and build
> >>    the OIDC platform on top of it.
> >> 2. Build OAuth2.0 and OIDC implementations from scratch
> >>
> >> Since the time is limited, I think the first approach is more
> >> suitable. I would really like to have some advice from you for the
> >> initial start of the project and community bonding. Thank you very
> >> much for giving me this opportunity.
> > Absolutely, I agree that option 1 is the way to go. We are not in the
> > business of developing and maintaining OAuth implementations :-)
> >
> > I would suggest that first you get yourself familiar with Sling,
> > following the documentation at [2]. For your specific scenario I guess
> > that:
> >
> > 1. Running Sling
> > 2. Deploying a new OSGi bundle in Sling
> > 3. Updating the initial content from Sling
> >
> > would be the way to go and would cover 99% of the work that you need to
> > do in Sling.
> >
> > Then it would be good to address the original comments on your proposal
> > that I posted at [3] and adjust the plan accordingly.
> >
> > Other than that, please use dev@sling.apache.org for any queries that
> > you might have - it's our main communication channel and all the right
> > people are here.
> >
> > Welcome!
> >
> > Robert
> >
> >>
> >> [1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
> >>
> > [2]: https://sling.apache.org/documentation/getting-started.html
> > [3]: https://lists.apache.org/thread.html/34ed2da7489b285fe3b2e4da6dbe8219c94a7f5353d156fba4538824@%3Cdev.sling.apache.org%3E
>
>
>


-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-24 Thread Hasini Witharana
Hi Robert,

I will go through the documentation and inform my progress.

> Then it would be good to address the original comments on your proposal
> that I posted at [3] and adjust the plan accordingly.
>

I will send the refined proposal to you as soon as possible.

Thank you.

On Tue, Apr 24, 2018 at 2:36 PM, Robert Munteanu  wrote:

> Hi Hasini,
>
> On Tue, 2018-04-24 at 00:51 +0530, Hasini Witharana wrote:
> > Hi Robert,
> >
> > I have been selected for the $subject GSoC project. I am really
> > looking forward to working with you.
>
> Congratulations, this is great news!
>
> >
> > The below [1] is the proposal for the project. There are two
> > approaches for the OIDC implementation.
> >
> > 1. Use Apache Oltu OAuth2.0 implementation as a dependency and build
> >    the OIDC platform on top of it.
> > 2. Build OAuth2.0 and OIDC implementations from scratch
> >
> > Since the time is limited, I think the first approach is more
> > suitable. I would really like to have some advice from you for the
> > initial start of the project and community bonding. Thank you very
> > much for giving me this opportunity.
>
> Absolutely, I agree that option 1 is the way to go. We are not in the
> business of developing and maintaining OAuth implementations :-)
>
> I would suggest that first you get yourself familiar with Sling,
> following the documentation at [2]. For your specific scenario I guess
> that:
>
> 1. Running Sling
> 2. Deploying a new OSGi bundle in Sling
> 3. Updating the initial content from Sling
>
> would be the way to go and would cover 99% of the work that you need to
> do in Sling.
>
> Then it would be good to address the original comments on your proposal
> that I posted at [3] and adjust the plan accordingly.
>
> Other than that, please use dev@sling.apache.org for any queries that
> you might have - it's our main communication channel and all the right
> people are here.
>
> Welcome!
>
> Robert
>
> >
> >
> > [1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
> >
>
> [2]: https://sling.apache.org/documentation/getting-started.html
> [3]: https://lists.apache.org/thread.html/34ed2da7489b285fe3b2e4da6dbe8219c94a7f5353d156fba4538824@%3Cdev.sling.apache.org%3E
>



-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-24 Thread Robert Munteanu
On Tue, 2018-04-24 at 12:13 +0300, Ioan Eugen Stan wrote:
> Hello Hasini, Robert,
> 
> I'm also going to work in this field - working to integrate Keycloak
> OpenId Connect with Sling. I should start on it next month.

That's great news as well :-)

> 
> I will share more feedback as I go through the process and hope to
> collaborate.

Your input would be very much welcomed in this GSOC project and with
Apache Sling overall.

My only ask would be to keep all communications on the dev list, for
everyone's (current and future) benefit.

Thanks,

Robert
> 
> Good luck with your project.
> 
> @Hasini: I can help with regard to the Oauth / Oidc protocols and
> architecture so if you ever find yourself struggling, reach out and
> I'll
> find some time.
> 
> /Eugen
> 
> 
> On 24.04.2018 12:06, Robert Munteanu wrote:
> > Hi Hasini,
> > 
> > On Tue, 2018-04-24 at 00:51 +0530, Hasini Witharana wrote:
> > > Hi Robert,
> > > 
> > > I have been selected for the $subject GSoC project. I am really
> > > looking forward to working with you.
> > 
> > Congratulations, this is great news!
> > 
> > > The below [1] is the proposal for the project. There are two
> > > approaches for the OIDC implementation.
> > > 
> > > 1. Use Apache Oltu OAuth2.0 implementation as a dependency and build
> > >    the OIDC platform on top of it.
> > > 2. Build OAuth2.0 and OIDC implementations from scratch
> > > 
> > > Since the time is limited, I think the first approach is more
> > > suitable. I would really like to have some advice from you for the
> > > initial start of the project and community bonding. Thank you very
> > > much for giving me this opportunity.
> > 
> > Absolutely, I agree that option 1 is the way to go. We are not in
> > the
> > business of developing and maintaining OAuth implementations :-)
> > 
> > I would suggest that first you get yourself familiar with Sling,
> > following the documentation at [2]. For your specific scenario I
> > guess
> > that:
> > 
> > 1. Running Sling
> > 2. Deploying a new OSGi bundle in Sling
> > 3. Updating the initial content from Sling
> > 
> > would be the way to go and would cover 99% of the work that you
> > need to
> > do in Sling.
> > 
> > Then it would be good to address the original comments on your
> > proposal
> > that I posted at [3] and adjust the plan accordingly.
> > 
> > Other than that, please use dev@sling.apache.org for any queries
> > that
> > you might have - it's our main communication channel and all the
> > right
> > people are here.
> > 
> > Welcome!
> > 
> > Robert
> > 
> > > 
> > > [1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
> > > 
> > 
> > [2]: https://sling.apache.org/documentation/getting-started.html
> > [3]: https://lists.apache.org/thread.html/34ed2da7489b285fe3b2e4da6dbe8219c94a7f5353d156fba4538824@%3Cdev.sling.apache.org%3E
> 
> 



Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-24 Thread Ioan Eugen Stan
Hello Hasini, Robert,

I'm also going to work in this field - working to integrate Keycloak
OpenId Connect with Sling. I should start on it next month.

I will share more feedback as I go through the process and hope to
collaborate.

Good luck with your project.

@Hasini: I can help with regard to the Oauth / Oidc protocols and
architecture so if you ever find yourself struggling, reach out and I'll
find some time.

/Eugen


On 24.04.2018 12:06, Robert Munteanu wrote:
> Hi Hasini,
>
> On Tue, 2018-04-24 at 00:51 +0530, Hasini Witharana wrote:
>> Hi Robert,
>>
>> I have been selected for the $subject GSoC project. I am really
>> looking forward to working with you.
> Congratulations, this is great news!
>
>> The below [1] is the proposal for the project. There are two
>> approaches for the OIDC implementation.
>>
>> 1. Use Apache Oltu OAuth2.0 implementation as a dependency and build
>>    the OIDC platform on top of it.
>> 2. Build OAuth2.0 and OIDC implementations from scratch
>>
>> Since the time is limited, I think the first approach is more
>> suitable. I would really like to have some advice from you for the
>> initial start of the project and community bonding. Thank you very
>> much for giving me this opportunity.
> Absolutely, I agree that option 1 is the way to go. We are not in the
> business of developing and maintaining OAuth implementations :-)
>
> I would suggest that first you get yourself familiar with Sling,
> following the documentation at [2]. For your specific scenario I guess
> that:
>
> 1. Running Sling
> 2. Deploying a new OSGi bundle in Sling
> 3. Updating the initial content from Sling
>
> would be the way to go and would cover 99% of the work that you need to
> do in Sling.
>
> Then it would be good to address the original comments on your proposal
> that I posted at [3] and adjust the plan accordingly.
>
> Other than that, please use dev@sling.apache.org for any queries that
> you might have - it's our main communication channel and all the right
> people are here.
>
> Welcome!
>
> Robert
>
>>
>> [1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
>>
> [2]: https://sling.apache.org/documentation/getting-started.html
> [3]: https://lists.apache.org/thread.html/34ed2da7489b285fe3b2e4da6dbe8219c94a7f5353d156fba4538824@%3Cdev.sling.apache.org%3E






Re: [GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-24 Thread Robert Munteanu
Hi Hasini,

On Tue, 2018-04-24 at 00:51 +0530, Hasini Witharana wrote:
> Hi Robert,
> 
> I have been selected for the $subject GSoC project. I am really
> looking forward to working with you.

Congratulations, this is great news!

> 
> The below [1] is the proposal for the project. There are two
> approaches for the OIDC implementation.
> 
> 1. Use Apache Oltu OAuth2.0 implementation as a dependency and build
>    the OIDC platform on top of it.
> 2. Build OAuth2.0 and OIDC implementations from scratch
> 
> Since the time is limited, I think the first approach is more
> suitable. I would really like to have some advice from you for the
> initial start of the project and community bonding. Thank you very
> much for giving me this opportunity.

Absolutely, I agree that option 1 is the way to go. We are not in the
business of developing and maintaining OAuth implementations :-)

I would suggest that first you get yourself familiar with Sling,
following the documentation at [2]. For your specific scenario I guess
that:

1. Running Sling
2. Deploying a new OSGi bundle in Sling
3. Updating the initial content from Sling

would be the way to go and would cover 99% of the work that you need to
do in Sling.

Then it would be good to address the original comments on your proposal
that I posted at [3] and adjust the plan accordingly.

Other than that, please use dev@sling.apache.org for any queries that
you might have - it's our main communication channel and all the right
people are here.

Welcome!

Robert

> 
> 
> [1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing
> 

[2]: https://sling.apache.org/documentation/getting-started.html
[3]: https://lists.apache.org/thread.html/34ed2da7489b285fe3b2e4da6dbe8219c94a7f5353d156fba4538824@%3Cdev.sling.apache.org%3E


[GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-04-23 Thread Hasini Witharana
Hi Robert,

I have been selected for the $subject GSoC project. I am really looking
forward to working with you.

The below [1] is the proposal for the project. There are two approaches for
the OIDC implementation.

   1. Use Apache Oltu OAuth2.0 implementation as a dependency and build
   the OIDC platform on top of it.
   2. Build OAuth2.0 and OIDC implementations from scratch

Since the time is limited, I think the first approach is more suitable. I
would really like to have some advice from you for the initial start of
the project and community bonding. Thank you very much for giving me this
opportunity.


[1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing

Thank You.

-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-29 Thread Andrei Dulvac
Hi,
I wanted to make the same point :)

On top of that, while Oltu's a cool project, there have been some
inaccuracies in implementing the spec because both the client modules and
the server were implemented together.
Some of my first patches in Apache were in Oltu.

So I bet you might run into some issues when you're building a new
integration, which means some fixes in Oltu would be needed.
But Bertrand, as you said - there are always options, including to adopt
the code in Sling, if needed. So I'd cross that bridge when you get there.

- Andrei


On Thu, Mar 29, 2018 at 10:16 AM Bertrand Delacretaz 
wrote:

> Hi,
>
> On Wed, Mar 28, 2018 at 5:15 PM, Hasini Witharana
>  wrote:
> > Apache Oltu has an implementation[1] for OpenID Connect as well.
> ...
> > Can I use the jar files of this as a dependency?
> ...
>
> Note that the Oltu project is likely to move to
> http://attic.apache.org/ soon [1], becoming inactive with no new
> releases.
>
> That's not an immediate problem, but if you need changes in Oltu at
> some point it's a bit more complicated. I suppose Sling could "adopt"
> the relevant Oltu modules if needed.
>
> For now I'd say you can ignore this Attic issue for the GSoC project,
> I just wanted to make sure we are aware of this.
>
> -Bertrand
>
> [1]
> https://lists.apache.org/thread.html/283c7bbfd3123990872a1a7e30080e9010ff7b20568408fc3ff7f930@%3Cdev.oltu.apache.org%3E
>


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-29 Thread Bertrand Delacretaz
Hi,

On Wed, Mar 28, 2018 at 5:15 PM, Hasini Witharana
 wrote:
> Apache Oltu has an implementation[1] for OpenID Connect as well.
...
> Can I use the jar files of this as a dependency?
...

Note that the Oltu project is likely to move to
http://attic.apache.org/ soon [1], becoming inactive with no new
releases.

That's not an immediate problem, but if you need changes in Oltu at
some point it's a bit more complicated. I suppose Sling could "adopt"
the relevant Oltu modules if needed.

For now I'd say you can ignore this Attic issue for the GSoC project,
I just wanted to make sure we are aware of this.

-Bertrand

[1] 
https://lists.apache.org/thread.html/283c7bbfd3123990872a1a7e30080e9010ff7b20568408fc3ff7f930@%3Cdev.oltu.apache.org%3E


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-28 Thread Robert Munteanu
On Wed, 2018-03-28 at 20:45 +0530, Hasini Witharana wrote:
> Apache Oltu has an implementation[1] for OpenID Connect as well.
> 
> [1] - https://github.com/apache/oltu/tree/trunk/openid-connect
> 
> Can I use the jar files of this as a dependency?

Yes, absolutely. We use Maven for dependency management and it should
be possible for you to just depend on the Oltu jars.

Robert


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-28 Thread Robert Munteanu
Hi Hasini,

The proposal looks good to me, thanks for preparing it!

I've added some specific comments below where I think we should clarify
and/or expand some items.

On Mon, 2018-03-26 at 03:35 +0530, Hasini Witharana wrote:
> Hi all,
> 
> The below [1] is the proposal for the project "OpenID Connect
> authentication handler for Apache Sling". Please review and give your
> comments.
> 
> [1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing

I took a look at the proposal and my comments are:

- it would be good to include testing as an ongoing effort, rather than
a phase. We very much value automated tests running as part of the
build process so please factor that into your proposal.
- each milestone should have a deliverable, as in 'we can now recognize
authentication data from an external system' or 'we can now create
users based on the authentication data received from an external
system'
- implementing the auth flow is only part of the project, as Apache
Sling has its user backend stored in Oak, so users would also need to
be created, see for instance [2]

Those would be my comments, if anyone else would like to contribute
please do :-)

Robert


[2]: https://github.com/apache/sling-org-apache-sling-auth-xing-oauth/blob/164010f83ac77fb76d707e1bc6b7e22382e8247d/src/main/java/org/apache/sling/auth/xing/oauth/impl/DefaultXingOauthUserManager.java#L116-L141

> 
> On Fri, Mar 23, 2018 at 10:38 PM, Hasini Witharana wrote:
> 
> > Hi Robert,
> > 
> > what would we lose in terms of functionality if we don't implement
> > > the Hybrid flow?
> > 
> > 
> > In the Hybrid flow, we will be able to issue tokens separately for
> > front
> > channel and back channel.
> > 
> > How much additional effort is it to implement Hybrid flow?
> > 
> > 
> > Hybrid flow is the combination of the two flows. And for the Hybrid
> > flow
> > there is a new variable, "c_Hash". To implement the Hybrid flow
> > we need
> > to combine the flows and implement the "c_hash" value.
> > 
> > Can you please direct me to Apache Sling Repository for OAuth2.0
> > implementation?
> > 
> > Thank you.
> > 
> > On Fri, Mar 23, 2018 at 4:03 PM, Robert Munteanu wrote:
> > 
> > > Hi Hasini,
> > > 
> > > Thank you for the idea submission and for the description. Some
> > > more
> > > comments inline.
> > > 
> > > On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
> > > > Hi all,
> > > > 
> > > > I am an undergraduate from University of Moratuwa, Computer
> > > > Science
> > > > and
> > > > Engineering department. I am interested in the $subject project
> > > > idea.
> > > > I
> > > > have worked with an OpenID Connect certification project
> > > > previously.
> > > > 
> > > > OpenID Connect (OIDC) is an authentication protocol based on the
> > > > OAuth2.0
> > > > family
> > > > of specifications. There are three main specifications[1][2][3]
> > > > written for
> > > > OIDC. Since the project goal is to create an OIDC
> > > > authentication
> > > > handler,
> > > > we need to focus on [1] specification.
> > > > 
> > > > There are three main flows for the authentication process given
> > > > in
> > > > the
> > > > specification[1].
> > > > 
> > > >1. *Authentication code flow* *(Basic)* - This flow will
> > > > first
> > > > issue a
> > > >code in authorization endpoint and that code can be used to
> > > > issue
> > > > an access
> > > >token and id_token from token endpoint. In this flow client
> > > > secret
> > > > is
> > > >shared to recognize the relying party. So this flow can be
> > > > used
> > > > for
> > > >applications that have a secure server side.
> > > >2. *Implicit flow* - This flow will not issue a code but it
> > > > will
> > > > issue
> > > >an access token and id_token from the authorization
> > > > endpoint. In
> > > > this flow
> > > >client secret is not shared so this flow is preferred for
> > > > single
> > > > web page
> > > >applications.
> > > >3. *Hybrid flow* - This is combination of the previous two
> > > > flows.
> > > > 
> > > > Basic and Implicit flows must be supported by an OIDC
> > > > Authentication
> > > > Handler. Hybrid flow is not mandatory as per the
> > > > specification[1].
> > > > The
> > > > blog[4] written by me on OIDC Basics will help to understand
> > > > the
> > > > basics
> > > > without reading the whole specification.
> > > > 
> > > > Should we try to implement all three flows or the first two
> > > > flows (Basic and
> > > > Implicit)?
> > > 
> > > My first thought would be to make sure we don't have too large a
> > > scope
> > > with a GSoC idea, to make sure that it can be completed with good
> > > quality in the allocated time.
> > > 
> > > So my questions would be
> > > 
> > > - what would we lose in terms of functionality if we don't
> > > implement
> > > the Hybrid flow?
> > > - how much additional effort is it to implement 

Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-28 Thread Hasini Witharana
Apache Oltu has an implementation[1] for OpenID Connect as well.

[1] - https://github.com/apache/oltu/tree/trunk/openid-connect

Can I use the jar files of this as a dependency?

On Wed, Mar 28, 2018 at 4:09 PM, Robert Munteanu  wrote:

> On Wed, 2018-03-28 at 13:39 +0300, Robert Munteanu wrote:
> > What do you mean by exporting? You can definitely use the jar files
> > as
> > dependencies, there are no problems from a licensing of technical point
> > of view.
>
> I meant licensing *or* technical point of view.
>
> Robert
>



-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-28 Thread Robert Munteanu
On Wed, 2018-03-28 at 13:39 +0300, Robert Munteanu wrote:
> What do you mean by exporting? You can definitely use the jar files
> as
> dependencies, there are no problems from a licensing of technical point
> of view.

I meant licensing *or* technical point of view.

Robert


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-28 Thread Robert Munteanu
On Tue, 2018-03-27 at 20:13 +0530, Hasini Witharana wrote:
>  Hi,
> 
> > There is an implementation in Apache Oltu
> 
> that we can definitely use.
> 
> 
> Can I export the implementation of OAuth2.0 in Apache Oltu to Apache
> Sling?
> Or do I have to implement OAuth2.0 from scratch?

What do you mean by exporting? You can definitely use the jar files as
dependencies, there are no problems from a licensing of technical point
of view.

Robert


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-27 Thread Hasini Witharana
 Hi,

> There is an implementation in Apache Oltu

that we can definitely use.


Can I export the implementation of OAuth2.0 in Apache Oltu to Apache Sling?
Or do I have to implement OAuth2.0 from scratch?

Thank you.

On Tue, Mar 27, 2018 at 2:15 PM, Robert Munteanu  wrote:

> On Fri, 2018-03-23 at 22:38 +0530, Hasini Witharana wrote:
> >
> > Can you please direct me to Apache Sling Repository for OAuth2.0
> > implementation?
>
> We don't have one yet :-) There is an implementation in Apache Oltu
> that we can definitely use.
>
>   https://github.com/apache/oltu
>
> I know it's being used in OSGi environments so that's a good start.
>
> Robert
>



-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-27 Thread Robert Munteanu
On Fri, 2018-03-23 at 22:38 +0530, Hasini Witharana wrote:
> 
> Can you please direct me to Apache Sling Repository for OAuth2.0
> implementation?

We don't have one yet :-) There is an implementation in Apache Oltu
that we can definitely use.

  https://github.com/apache/oltu

I know it's being used in OSGi environments so that's a good start.

Robert


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-25 Thread Hasini Witharana
Hi all,

The below [1] is the proposal for the project "OpenID Connect
authentication handler for Apache Sling". Please review and give your
comments.

[1] -
https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing

Thank you.

On Fri, Mar 23, 2018 at 10:38 PM, Hasini Witharana 
wrote:

> Hi Robert,
>
> what would we lose in terms of functionality if we don't implement
>> the Hybrid flow?
>
>
> In the Hybrid flow, we will be able to issue tokens separately for front
> channel and back channel.
>
> How much additional effort is it to implement Hybrid flow?
>
>
> Hybrid flow is the combination of the two flows. And for the Hybrid flow
> there is a new variable, "c_Hash". To implement the Hybrid flow we need
> to combine the flows and implement the "c_hash" value.
>
> Can you please direct me to Apache Sling Repository for OAuth2.0
> implementation?
>
> Thank you.
>
> On Fri, Mar 23, 2018 at 4:03 PM, Robert Munteanu 
> wrote:
>
>> Hi Hasini,
>>
>> Thank you for the idea submission and for the description. Some more
>> comments inline.
>>
>> On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
>> > Hi all,
>> >
>> > I am an undergraduate from University of Moratuwa, Computer Science
>> > and
>> > Engineering department. I am interested in the $subject project idea.
>> > I
>> > have worked with an OpenID Connect certification project previously.
>> >
>> > OpenID Connect (OIDC) is an authentication protocol based on the OAuth2.0
>> > family
>> > of specifications. There are three main specifications[1][2][3]
>> > written for
>> > OIDC. Since the project goal is to create an OIDC authentication
>> > handler,
>> > we need to focus on [1] specification.
>> >
>> > There are three main flows for the authentication process given in
>> > the
>> > specification[1].
>> >
>> >1. *Authentication code flow* *(Basic)* - This flow will first
>> > issue a
>> >code in authorization endpoint and that code can be used to issue
>> > an access
>> >token and id_token from token endpoint. In this flow client secret
>> > is
>> >shared to recognize the relying party. So this flow can be used
>> > for
>> >applications that have a secure server side.
>> >2. *Implicit flow* - This flow will not issue a code but it will
>> > issue
>> >an access token and id_token from the authorization endpoint. In
>> > this flow
>> >client secret is not shared so this flow is preferred for single
>> > web page
>> >applications.
>> >3. *Hybrid flow* - This is combination of the previous two flows.
>> >
>> > Basic and Implicit flows must be supported by an OIDC Authentication
>> > Handler. Hybrid flow is not mandatory as per the specification[1].
>> > The
>> > blog[4] written by me on OIDC Basics will help to understand the
>> > basics
>> > without reading the whole specification.
>> >
>> > Should we try to implement all three flows or the first two
>> > flows (Basic and
>> > Implicit)?
>>
>> My first thought would be to make sure we don't have too large a scope
>> with a GSoC idea, to make sure that it can be completed with good
>> quality in the allocated time.
>>
>> So my questions would be
>>
>> - what would we lose in terms of functionality if we don't implement
>> the Hybrid flow?
>> - how much additional effort is it to implement Hybrid flow?
>>
>> Thanks,
>>
>> Robert
>>
>>
>> >
>> > [1] - http://openid.net/specs/openid-connect-core-1_0.html
>> >
>> > [2] - https://openid.net/specs/openid-connect-discovery-1_0.html
>> >
>> > [3] - http://openid.net/specs/openid-connect-registration-1_0.html
>> >
>> > [4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090
>> > 
>> > Thank you.
>> >
>>
>>
>
>
> --
> *Hasini Witharana*
> Undergraduate | Department of Computer Science and Engineering
> University of Moratuwa
> Linkedin 
>



-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-23 Thread Hasini Witharana
Hi Robert,

what would we lose in terms of functionality if we don't implement
> the Hybrid flow?


In the Hybrid flow, we will be able to issue tokens separately for front
channel and back channel.

How much additional effort is it to implement Hybrid flow?


Hybrid flow is the combination of the two flows. And for the Hybrid flow
there is a new variable, "c_Hash". To implement the Hybrid flow we need
to combine the flows and implement the "c_hash" value.

Can you please direct me to Apache Sling Repository for OAuth2.0
implementation?

Thank you.

On Fri, Mar 23, 2018 at 4:03 PM, Robert Munteanu  wrote:

> Hi Hasini,
>
> Thank you for the idea submission and for the description. Some more
> comments inline.
>
> On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
> > Hi all,
> >
> > I am an undergraduate from University of Moratuwa, Computer Science
> > and
> > Engineering department. I am interested in the $subject project idea.
> > I
> > have worked with an OpenID Connect certification project previously.
> >
> > OpenID Connect (OIDC) is an authentication protocol based on the OAuth2.0
> > family
> > of specifications. There are three main specifications[1][2][3]
> > written for
> > OIDC. Since the project goal is to create an OIDC authentication
> > handler,
> > we need to focus on [1] specification.
> >
> > There are three main flows for the authentication process given in
> > the
> > specification[1].
> >
> >1. *Authentication code flow* *(Basic)* - This flow will first
> > issue a
> >code in authorization endpoint and that code can be used to issue
> > an access
> >token and id_token from token endpoint. In this flow client secret
> > is
> >shared to recognize the relying party. So this flow can be used
> > for
> >applications that have a secure server side.
> >2. *Implicit flow* - This flow will not issue a code but it will
> > issue
> >an access token and id_token from the authorization endpoint. In
> > this flow
> >client secret is not shared so this flow is preferred for single
> > web page
> >applications.
> >3. *Hybrid flow* - This is combination of the previous two flows.
> >
> > Basic and Implicit flows must be supported by an OIDC Authentication
> > Handler. Hybrid flow is not mandatory as per the specification[1].
> > The
> > blog[4] written by me on OIDC Basics will help to understand the
> > basics
> > without reading the whole specification.
> >
> > Should we try to implement all three flows or the first two
> > flows (Basic and
> > Implicit)?
>
> My first thought would be to make sure we don't have too large a scope
> with a GSoC idea, to make sure that it can be completed with good
> quality in the allocated time.
>
> So my questions would be
>
> - what would we lose in terms of functionality if we don't implement
> the Hybrid flow?
> - how much additional effort is it to implement Hybrid flow?
>
> Thanks,
>
> Robert
>
>
> >
> > [1] - http://openid.net/specs/openid-connect-core-1_0.html
> >
> > [2] - https://openid.net/specs/openid-connect-discovery-1_0.html
> >
> > [3] - http://openid.net/specs/openid-connect-registration-1_0.html
> >
> > [4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090
> > 
> > Thank you.
> >
>
>


-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 


Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-23 Thread Robert Munteanu
Hi Hasini,

Thank you for the idea submission and for the description. Some more
comments inline.

On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
> Hi all,
> 
> I am an undergraduate from University of Moratuwa, Computer Science
> and
> Engineering department. I am interested in the $subject project idea.
> I
> have worked with an OpenID Connect certification project previously.
> 
> OpenID Connect (OIDC) is an authentication protocol based on the OAuth2.0
> family
> of specifications. There are three main specifications[1][2][3]
> written for
> OIDC. Since the project goal is to create an OIDC authentication
> handler,
> we need to focus on [1] specification.
> 
> There are three main flows for the authentication process given in
> the
> specification[1].
> 
>1. *Authentication code flow* *(Basic)* - This flow will first
> issue a
>code in authorization endpoint and that code can be used to issue
> an access
>token and id_token from token endpoint. In this flow client secret
> is
>shared to recognize the relying party. So this flow can be used
> for
>applications that have a secure server side.
>2. *Implicit flow* - This flow will not issue a code but it will
> issue
>an access token and id_token from the authorization endpoint. In
> this flow
>client secret is not shared so this flow is preferred for single
> web page
>applications.
>3. *Hybrid flow* - This is combination of the previous two flows.
> 
> Basic and Implicit flows must be supported by an OIDC Authentication
> Handler. Hybrid flow is not mandatory as per the specification[1].
> The
> blog[4] written by me on OIDC Basics will help to understand the
> basics
> without reading the whole specification.
> 
> Should we try to implement all three flows or the first two
> flows (Basic and
> Implicit)?

My first thought would be to make sure we don't have too large a scope
with a GSoC idea, to make sure that it can be completed with good
quality in the allocated time.

So my questions would be

- what would we lose in terms of functionality if we don't implement
the Hybrid flow?
- how much additional effort is it to implement Hybrid flow?

Thanks,

Robert


> 
> [1] - http://openid.net/specs/openid-connect-core-1_0.html
> 
> [2] - https://openid.net/specs/openid-connect-discovery-1_0.html
> 
> [3] - http://openid.net/specs/openid-connect-registration-1_0.html
> 
> [4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090
> 
> Thank you.
> 



[Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler

2018-03-22 Thread Hasini Witharana
Hi all,

I am an undergraduate from University of Moratuwa, Computer Science and
Engineering department. I am interested in the $subject project idea. I
have worked with an OpenID Connect certification project previously.

OpenID Connect (OIDC) is an authentication protocol based on the OAuth2.0 family
of specifications. There are three main specifications[1][2][3] written for
OIDC. Since the project goal is to create an OIDC authentication handler,
we need to focus on [1] specification.

There are three main flows for the authentication process given in the
specification[1].

   1. *Authentication code flow* *(Basic)* - This flow will first issue a
   code in authorization endpoint and that code can be used to issue an access
   token and id_token from token endpoint. In this flow client secret is
   shared to recognize the relying party. So this flow can be used for
   applications that have a secure server side.
   2. *Implicit flow* - This flow will not issue a code but it will issue
   an access token and id_token from the authorization endpoint. In this flow
   client secret is not shared so this flow is preferred for single web page
   applications.
   3. *Hybrid flow* - This is combination of the previous two flows.

Basic and Implicit flows must be supported by an OIDC Authentication
Handler. Hybrid flow is not mandatory as per the specification[1]. The
blog[4] written by me on OIDC Basics will help to understand the basics
without reading the whole specification.

Should we try to implement all three flows or the first two flows (Basic and
Implicit)?

[1] - http://openid.net/specs/openid-connect-core-1_0.html

[2] - https://openid.net/specs/openid-connect-discovery-1_0.html

[3] - http://openid.net/specs/openid-connect-registration-1_0.html

[4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090

Thank you.

-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin
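The hash-claim check that distinguishes the three flows discussed in this thread (the Implicit flow's at_hash and the "c_hash" value Hasini mentions for the Hybrid flow), as an added example that is not part of any post here nor of the Sling or Oltu code: it computes at_hash / c_hash the way OIDC Core 1.0 section 3.3.2.11 specifies (left half of the alg's hash, base64url without padding) and works out which claims a relying party must verify for each response_type. The code value and the claim set are constructed sample data.

```python
import base64
import hashlib
import hmac

# The hash behind at_hash / c_hash is the one underlying the ID token's
# JWS "alg" (OIDC Core 1.0, section 3.3.2.11): SHA-256 for *S256, and so on.
_ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def _b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as used throughout JOSE/OIDC."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def hash_claim(value: str, alg: str) -> str:
    """at_hash / c_hash for an access token or authorization code: hash the
    ASCII octets with the algorithm matching `alg`, keep the left-most half
    of the digest, base64url-encode it."""
    digest = hashlib.new(_ALG_TO_HASH[alg], value.encode("ascii")).digest()
    return _b64url_nopad(digest[: len(digest) // 2])


def required_hash_claims(response_type: str) -> frozenset:
    """Hash claims an ID token issued from the *authorization endpoint* must
    carry for a response_type (OIDC Core 3.2.2.10 and 3.3.2.11).

    Basic flow ("code"): no ID token comes from the authorization endpoint.
    Implicit "id_token token": at_hash.  Hybrid "code id_token": c_hash;
    hybrid "code id_token token": both.  Plain "id_token": none.
    """
    parts = set(response_type.split())
    if "id_token" not in parts:
        return frozenset()
    required = set()
    if "code" in parts:
        required.add("c_hash")
    if "token" in parts:
        required.add("at_hash")
    return frozenset(required)


def verify_hash_claims(claims: dict, alg: str, response_type: str,
                       code=None, access_token=None) -> bool:
    """True iff every required hash claim is present and binds the artifact
    actually received, and any hash claim that is present (even an optional
    one, e.g. at_hash in a code-flow ID token) also matches."""
    artifacts = {"c_hash": code, "at_hash": access_token}
    for name in required_hash_claims(response_type):
        if artifacts[name] is None or name not in claims:
            return False
    for name, value in artifacts.items():
        if name in claims:
            # A hash claim that binds an artifact we never received is
            # treated as a mismatch rather than silently ignored.
            if value is None:
                return False
            if not hmac.compare_digest(claims[name], hash_claim(value, alg)):
                return False
    return True


if __name__ == "__main__":
    # Constructed sample values; in the hybrid flow the OP returns the code
    # and the ID token together in the redirect fragment.
    code = "SplxlOBeZQQYbYS6WxSbIA"
    claims = {"c_hash": hash_claim(code, "RS256")}
    print("hybrid, genuine code:",
          verify_hash_claims(claims, "RS256", "code id_token", code=code))
    print("hybrid, swapped code:",
          verify_hash_claims(claims, "RS256", "code id_token", code=code + "x"))
```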