Please unsubscribe me from this group or tell me how. Thanks Will
Will Berger (p) 770.294.5329 wber...@leadoutcome.com http://www.leadoutcome.com <https://www.facebook.com/LeadOutcome> <http://www.linkedin.com/pub/will-berger/1/36b/21> <https://twitter.com/LeadOutcome>

On Wed, Apr 22, 2015 at 1:31 PM, Jasha Joachimsthal <ja...@apache.org> wrote:

> On 22 April 2015 at 18:54, Tiburtius, Ashwanth [IWD] <ashwanth.tiburt...@iwd.iowa.gov> wrote:
>
>> Hi Stein,
>>
>> Really appreciate your response. It was quite precise.
>>
>> I have a quick question: there are many web applications that let you use Gmail or Facebook login to authenticate yourself. If OAuth doesn't support re-authentication, how do the applications ensure that it is the same user they are interacting with? Could be an issue with privacy or sensitive data. Maybe OAuth is not meant to solve this problem yet. I am just trying to see what the solution is. Some of my colleagues have used OpenID, but Google has deprecated it, so I am not sure if that is the right approach either. A little perplexed and frustrated since I had been working on this for a while now.
>
> What OAuth solves is that the OAuth client can get access to the user's resources without storing the real credentials. It's up to the OAuth provider how the user authenticates. This can be done via username and password, but other methods are also possible, like the Windows domain login.
> Social OAuth providers like Google and Facebook have long-lasting sessions that are also used when the user is going to authenticate from an OAuth client. As a consumer I wouldn't appreciate it if I'm logged out from Gmail because some other app that uses Google's OAuth wants to be sure that I am really me.
>
> If you want to protect sensitive or privacy data in your client and you want to be more sure that you interact with the person behind the user identifier, you should introduce a second factor in your authorization flow.
>
> Jasha
>
>> Regards,
>>
>> Jude.
>>
>> Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA 50319
>> (515) 281-3378 | ashwanth.tiburt...@iwd.iowa.gov
>>
>> *From:* Stein Welberg [mailto:st...@onegini.com]
>> *Sent:* Wednesday, April 22, 2015 12:39 AM
>> *To:* user@oltu.apache.org
>> *Cc:* Jasha Joachimsthal
>> *Subject:* Re: Force re-authentication
>>
>> Hi Jude,
>>
>> Oltu does not support such a scenario because the scenario you are describing is not part of the OAuth specification, nor does it have anything to do with it :-). There are specifications to revoke an access token [1]; as you already found out, Google allows you to do this. However, it does not enforce the scenario you are looking for. I'm afraid you have to look for something else because this is not standardised and therefore all providers have chosen a different path.
>>
>> I'm afraid you are on your own on this.
>>
>> [1] https://tools.ietf.org/html/rfc7009
>>
>> Kind regards,
>>
>> Stein Welberg | CTO
>> M: +31639110574 | st...@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden | www.onegini.com
>>
>> On 21 Apr 2015, at 23:07, Tiburtius, Ashwanth [IWD] <ashwanth.tiburt...@iwd.iowa.gov> wrote:
>>
>> Hi all,
>>
>> I'm using Apache Oltu as the OAuth library to authenticate users against Google, Yahoo and Microsoft. It has worked great. Within my application I need to ask the user to re-authenticate themselves before accessing certain pages. This is what I have found so far on this topic.
>>
>> Google – lets you revoke the access token using "https://accounts.google.com/o/oauth2/revoke?token=". But this doesn't force re-authentication by password entry; it only displays the consent screen again.
>>
>> Yahoo – has no support for this. We have to log the user out using something like https://login.yahoo.com/config/login?logout=1.
>>
>> Microsoft – has the URL "https://login.live.com/oauth20_logout.srf?client_id=CLIENT_ID&redirect_url=REDIRECT_URL" to support this behavior. I am in the process of testing it.
>>
>> Does Oltu have any APIs related to this functionality? Has anyone tried to implement this? Any help is much appreciated. Thank you.
>>
>> Regards,
>>
>> Jude.
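Jasha's point above (revoking a token at the provider is not the same as re-authenticating the user, so the client needs its own second factor with a freshness window before sensitive pages) as an added example; this is not code from Oltu or from anyone in the thread, and `MAX_AUTH_AGE`, `ClientSession` and the function names are assumptions chosen for illustration.

```python
"""Step-up gate for an OAuth client (added example, not Oltu code).

The provider owns the primary login, so the client never sees a password
and cannot re-prompt for it. What the client can do is record when it
last verified its own second factor and refuse sensitive pages until that
proof is fresh. An RFC 7009 revocation does not touch that record.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import time

MAX_AUTH_AGE = 300  # seconds a second-factor proof stays fresh (assumed policy)


class Decision(Enum):
    ALLOW = "allow"        # serve the sensitive page
    STEP_UP = "step_up"    # ask for the client-verified second factor
    LOGIN = "login"        # no provider identity yet: start the OAuth flow


@dataclass
class ClientSession:
    subject: Optional[str] = None            # user identifier from the provider
    access_token: Optional[str] = None
    second_factor_at: Optional[float] = None  # when the client last verified 2FA


def revocation_request(token: str, hint: str = "access_token") -> dict:
    """Form body for an RFC 7009 POST to the provider's revocation endpoint."""
    return {"token": token, "token_type_hint": hint}


def revoke(session: ClientSession) -> dict:
    """Build the revocation body and drop the token; the 2FA record is untouched."""
    body = revocation_request(session.access_token)
    session.access_token = None
    return body


def record_second_factor(session: ClientSession, now: Optional[float] = None) -> None:
    """Call after the client itself has verified the user's second factor."""
    session.second_factor_at = time.time() if now is None else now


def gate(session: ClientSession, now: Optional[float] = None,
         max_age: float = MAX_AUTH_AGE) -> Decision:
    """Decide whether a sensitive page may be served right now."""
    now = time.time() if now is None else now
    if session.subject is None:
        return Decision.LOGIN
    if session.second_factor_at is None or now - session.second_factor_at > max_age:
        return Decision.STEP_UP
    return Decision.ALLOW
```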