cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: FEDIZ with external authentication
Date Wed, 08 Oct 2014 15:24:21 GMT
Are you actually referring to OpenID Connect? Fediz might natively
implement it in the future...

Sergey
On 08/10/14 15:36, Rajeev Parekh wrote:
> Oli
>
> Thank you so much, I will look at the ticket, this should help
>
> On 10/8/2014 9:12 AM, Oliver Wulff wrote:
>> If you use OAuth for authentication purposes only, it should work with
>> 1.2 which is not released yet. A JIRA ticket is also open:
>> https://issues.apache.org/jira/browse/FEDIZ-72
>>
>> All you have to do is implement the interface
>> TrustedIdpProtocolHandler as described in the above Jira.
>>
>> You must implement the method mapSignInRequest to create the request
>> to the OAuth Server and the method mapSignInResponse to map the
>> response to a security token.
>>
>> HTH
>>
>> Thanks
>> Oli
>>
>> ________________________________________
>> From: Sergey Beryozkin [sberyozkin@gmail.com]
>> Sent: 07 October 2014 12:16
>> To: users@cxf.apache.org
>> Subject: Re: FEDIZ with external authentication
>>
>> Hi
>>
>> On 06/10/14 18:51, Rajeev Parekh wrote:
>>> I would like to use FEDIZ WS-federation in a setup where Authentication
>>> is delegated to an external OAuth provider.
>>> Per my understanding, this is more related to configuration with Spring
>>> Security than core FEDIZ, but thought it best to ask this forum for
>>> advice on how to do it right. My use case is as follows:
>>>
>>> 1. User accesses RP
>>> 2. RP redirects to IDP with signin request
>>> 3. IDP should redirect to OAuth provider with grant type = code
>>> 4. OAuth provider to redirect to Authorization server
>>> 5. On successful AuthN, OAuth provider to return with code to IDP
>>> 6. IDP can exchange code for access token and establish identity
>>> 7. Normal STS flows continue
>>>
>> I'm not sure this can work at all. AFAIK this is not how OAuth2
>> Authorization Service (AS) operates. It returns the code if the user has
>> authorized some client application for the latter to exchange for a new
>> access token.
>> In your flow above it reads as if the user would authorize IDP itself to
>> the OAuth2 AS.
>>
>> Can you clarify why you think it should work?
>>
>> Thanks, Sergey
>>
>>> I have read some spring security documentation that suggests the
>>> approach of extending the AbstractPreAuthenticatedProcessingFilter and
>>> implementing AuthenticationUserDetailsService interface.
>>> AbstractPreAuthenticatedProcessingFilter assumes that the user has been
>>> authenticated via some other means and the identity can be established
>>> via some http header etc.
>>> My problem is that I don't know who is responsible for the initial
>>> redirection to the external OAuth server. Should I just implement a
>>> Filter "customOAuthSessionCheckFilter" that does this redirection and
>>> add it to the SpringSecurityFilterChain?
>>> Something like:
>>>
>>>       <!-- web.xml: route every request through the Spring Security proxy -->
>>>       <filter>
>>>           <filter-name>springSecurityFilterChain</filter-name>
>>>           <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>>>       </filter>
>>>
>>>       <filter-mapping>
>>>           <filter-name>springSecurityFilterChain</filter-name>
>>>           <url-pattern>/*</url-pattern>
>>>       </filter-mapping>
>>>
>>>       <!-- Spring context: static resources bypass security, everything else
>>>            goes through the custom redirect filter and then pre-auth -->
>>>       <bean id="springSecurityFilterChain"
>>>             class="org.springframework.security.util.FilterChainProxy">
>>>           <sec:filter-chain-map path-type="ant">
>>>               <sec:filter-chain pattern="/css/**" filters="none"/>
>>>               <sec:filter-chain pattern="/js/**" filters="none"/>
>>>               <sec:filter-chain pattern="/img/**" filters="none"/>
>>>               <sec:filter-chain pattern="/**"
>>>                   filters="customOAuthSessionCheckFilter,
>>>                            preAuthenticatedProcessingFilter"/>
>>>           </sec:filter-chain-map>
>>>       </bean>
>>>
>>
>> --
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
>> Blog: http://sberyozkin.blogspot.com
>>
>>
>
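Added example (not Fediz code and not the handler Oli refers to): a plain-Python sketch of what the two mapping steps in Oli's answer have to do when the IDP itself is the OAuth2 client, which is the point Sergey raises about the flow. `map_sign_in_request` builds the redirect for step 3 of Rajeev's list and `map_sign_in_response` covers steps 5 and 6, validating the callback before the code is exchanged. The endpoint URLs, client id, the session dict and the injected `exchange_code` / `lookup_identity` callables are all constructed assumptions; the Fediz `TrustedIdpProtocolHandler` method signatures are deliberately not reproduced here.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; a real handler would read them from
# the trusted-IdP configuration.
AUTHZ_ENDPOINT = "https://oauth.example.test/authorize"
CLIENT_ID = "fediz-idp-client"
REDIRECT_URI = "https://idp.example.test/federation/oauth/callback"


class CallbackError(Exception):
    """Raised when the redirect back from the OAuth2 provider is rejected."""


def map_sign_in_request(session, wctx):
    """Step 3: turn the WS-Federation sign-in request into the redirect to the
    OAuth2 authorization endpoint (grant type = code).

    The IDP acts as the OAuth2 client here. A fresh unguessable 'state' is
    stored in the IDP session so the callback can be matched to this request;
    the caller's wctx is kept so the WS-Federation flow can resume afterwards.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["wctx"] = wctx
    query = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(query)


def validate_callback(session, callback_url):
    """Check the provider's redirect before the code is used.

    - state must match the one issued for this session and is consumed, so a
      replayed or forged callback is rejected;
    - an 'error' parameter means the user did not authorize the IDP;
    - exactly one 'code' must be present.
    """
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if (expected is None or received is None
            or not hmac.compare_digest(expected.encode(), received.encode())):
        raise CallbackError("state missing or does not match this session")
    if "error" in params:
        raise CallbackError("provider returned error: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise CallbackError("expected exactly one authorization code")
    return codes[0]


def map_sign_in_response(session, callback_url, exchange_code, lookup_identity):
    """Steps 5-6: validate the callback, exchange the code for an access token
    and build the identity the STS flow will issue a token for.

    exchange_code(code, redirect_uri) and lookup_identity(access_token) are
    injected so the example runs offline; in a real handler they are HTTPS
    calls to the provider's token endpoint and to whatever endpoint exposes
    the user's identity.
    """
    code = validate_callback(session, callback_url)
    token_response = exchange_code(code, REDIRECT_URI)
    access_token = token_response.get("access_token")
    if not access_token or token_response.get("token_type", "").lower() != "bearer":
        raise CallbackError("unexpected token response from provider")
    identity = lookup_identity(access_token)
    if not identity.get("subject"):
        raise CallbackError("provider did not return a subject")
    # This dict stands in for the security token handed on to the STS flow.
    return {
        "subject": identity["subject"],
        "claims": dict(identity.get("claims", {})),
        "wctx": session.pop("wctx", None),
    }
```

The state value is popped from the session on first use, so a second delivery of the same callback fails the check rather than minting a second identity. The access token alone does not identify the user, which is why the sketch needs a separate identity lookup and why the thread turns towards OpenID Connect.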

