Hi Stein,

Really appreciate your response. It was quite precise.

I have a quick question: there are many web applications that let you use 
Gmail or Facebook login to authenticate yourself. If OAuth doesn’t support 
re-authentication, how do the applications ensure that it is the same user 
that they are interacting with? It could be an issue with privacy or sensitive data. 
Maybe OAuth is not meant to solve this problem yet. I am just trying to see 
what the solution is. Some of my colleagues have used OpenID, but Google has 
deprecated it, so I am not sure if that is the right approach either. A little 
perplexed and frustrated since I have been working on this for a while now. ☹

Regards,
Jude.
Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA  50319
(515) 281-3378 | ashwanth.tiburt...@iwd.iowa.gov

From: Stein Welberg [mailto:st...@onegini.com]
Sent: Wednesday, April 22, 2015 12:39 AM
To: user@oltu.apache.org
Cc: Jasha Joachimsthal
Subject: Re: Force re-authentication

Hi Jude,

Oltu does not support such a scenario because the scenario you are describing 
is not part of the OAuth specification, nor does it have anything to do with it 
:-). There are specifications to revoke an access token [1]; as you already 
found out, Google allows you to do this. However, it does not enforce the 
scenario you are looking for. I’m afraid you have to look for something else, 
because this is not standardised and therefore all providers have chosen a 
different path.

I’m afraid you are on your own on this.

[1] https://tools.ietf.org/html/rfc7009

Met vriendelijke groet / Kind regards,

Stein Welberg | CTO

M: +31639110574 | st...@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden | www.onegini.com
On 21 Apr 2015, at 23:07, Tiburtius, Ashwanth [IWD] 
<ashwanth.tiburt...@iwd.iowa.gov> wrote:

Hi all,

I’m using Apache Oltu as the OAuth library to authenticate users against Google, 
Yahoo and Microsoft. It has worked great. Within my application I need to ask 
the user to re-authenticate themselves before accessing certain pages. This is 
what I have found so far on this topic.

Google – lets you revoke access token using 
“https://accounts.google.com/o/oauth2/revoke?token=”. But this doesn’t force 
re-authentication by password entry but displays only the consent screen again.
Yahoo – has no support for this. We have to log the user out using something 
like https://login.yahoo.com/config/login?logout=1.
Microsoft – has url 
“https://login.live.com/oauth20_logout.srf?client_id=CLIENT_ID&redirect_url=REDIRECT_URL”
 to support this behavior. I am in the process of testing it.

Does Oltu have any APIs related to this functionality? Has anyone tried to 
implement this? Any help is much appreciated. Thank you.

Regards,
Jude.
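The two technical points in this thread, Stein's pointer to RFC 7009 token revocation and Jude's observation that revoking a Google token only brings back the consent screen rather than a password prompt, can be shown together in one small toy exchange. This is an added example and is not code from the thread, from Apache Oltu or from any of the providers named: the revocation endpoint URL, client credentials, token strings and the 300-second re-authentication window are constructed for the example. The client side builds the POST that RFC 7009 section 2.1 describes; the server side implements the response rules of section 2.2 (200 even for unknown tokens, `unsupported_token_type` for a hint it does not handle, `invalid_client` for bad client credentials) and, deliberately, keeps the user's browser session in a separate table from the tokens, which is why a successful revocation leaves that session live.

```python
"""Toy RFC 7009 exchange between a relying party and an authorization server.
Added example, not Oltu's or any provider's code; all values are constructed."""
import base64
import time
from urllib.parse import parse_qs, urlencode


# ---- Client (relying party) side: RFC 7009 section 2.1 ---------------------
def build_revocation_request(endpoint, token, client_id, client_secret,
                             token_type_hint=None):
    """POST, form-encoded body with `token` and an optional `token_type_hint`,
    client authenticated with HTTP Basic as in RFC 6749 section 2.3.1."""
    form = {"token": token}
    if token_type_hint is not None:
        form["token_type_hint"] = token_type_hint
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Authorization": "Basic " + creds},
        "body": urlencode(form),
    }


# ---- Server (provider) side: a minimal revocation endpoint ----------------
class ToyAuthServer:
    """Tokens and browser login sessions live in separate tables, so revoking
    a token does not end the user's session at the provider (the behaviour
    Jude saw with Google's revoke URL)."""

    def __init__(self, clients):
        self.clients = clients      # client_id -> client_secret (assumed)
        self.tokens = {}            # token -> record
        self.sessions = {}          # session cookie -> user

    def login(self, user):
        cookie = f"sess-{user}"
        self.sessions[cookie] = user
        return cookie

    def issue(self, client_id, user, token_type="access_token"):
        tok = f"{token_type[:3]}-{user}-{len(self.tokens)}"
        self.tokens[tok] = {"client_id": client_id, "type": token_type,
                            "user": user, "revoked": False}
        return tok

    def revoke_endpoint(self, request):
        """Apply RFC 7009 sections 2.1 and 2.2; returns (status, json body)."""
        auth = request["headers"].get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        if self.clients.get(cid) != secret:
            return 401, {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
        if "token" not in form:
            return 400, {"error": "invalid_request"}
        hint = form.get("token_type_hint")
        if hint not in (None, "access_token", "refresh_token"):
            return 400, {"error": "unsupported_token_type"}
        rec = self.tokens.get(form["token"])
        # Section 2.2: respond 200 whether or not the token exists, so the
        # endpoint is not an oracle for token validity. Another client's token
        # is treated as unknown.
        if rec is not None and rec["client_id"] == cid:
            rec["revoked"] = True
            # Section 2.1: revoking a refresh token should also invalidate the
            # access tokens from the same grant (approximated here by user+client).
            if rec["type"] == "refresh_token":
                for r in self.tokens.values():
                    if r["user"] == rec["user"] and r["client_id"] == cid:
                        r["revoked"] = True
        return 200, {}

    def token_is_valid(self, tok):
        rec = self.tokens.get(tok)
        return rec is not None and not rec["revoked"]

    def session_is_live(self, cookie):
        return cookie in self.sessions


def needs_reauth(auth_time, now=None, max_age=300):
    """Relying-party-side gate: require a fresh login for sensitive pages when
    the application's own record of the last authentication is older than
    max_age seconds. This check is the application's, not the provider's."""
    now = time.time() if now is None else now
    return auth_time is None or now - auth_time > max_age


def demo():
    """User logs in at the provider, the app gets a token, then revokes it."""
    srv = ToyAuthServer({"my-client": "s3cret"})
    cookie = srv.login("jude")
    access = srv.issue("my-client", "jude")
    req = build_revocation_request("https://idp.example/o/oauth2/revoke",
                                   access, "my-client", "s3cret", "access_token")
    status, body = srv.revoke_endpoint(req)
    return {"status": status, "body": body,
            "token_valid": srv.token_is_valid(access),
            "provider_session_live": srv.session_is_live(cookie)}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns a 200 with the token invalid but `provider_session_live` still true: the app can no longer call the API with that token, yet the next authorization redirect will find the user already signed in at the provider and show at most a consent screen. `needs_reauth` is the piece the provider cannot do for you: the application keeps its own `auth_time` and decides when a sensitive page needs a fresh sign-in, whatever the provider's revoke or logout URLs do.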
