oltu-user mailing list archives

From Will Berger <wber...@leadoutcome.com>
Subject UNSUBSCRIBE
Date Wed, 22 Apr 2015 17:34:48 GMT
Please unsubscribe me from this group or tell me how.

Thanks Will

Will Berger
(p) 770.294.5329
wberger@leadoutcome.com
http://www.leadoutcome.com


On Wed, Apr 22, 2015 at 1:31 PM, Jasha Joachimsthal <jasha@apache.org>
wrote:

>
> On 22 April 2015 at 18:54, Tiburtius, Ashwanth [IWD] <
> Ashwanth.Tiburtius@iwd.iowa.gov> wrote:
>
>> Hi Stein,
>>
>>
>>
>> Really appreciate your response. It was quite precise.
>>
>> I have a quick question: there are many web applications that let you
>> use Gmail or Facebook login to authenticate yourself. If OAuth doesn't
>> support re-authentication, how do the applications ensure that it is the
>> same user they are interacting with? It could be an issue with privacy or
>> sensitive data. Maybe OAuth is not meant to solve this problem yet. I am
>> just trying to see what the solution is. Some of my colleagues have used
>> OpenID, but Google has deprecated it, so I am not sure if that is the right
>> approach either. A little perplexed and frustrated since I have been working
>> on this for a while now. :-(
>>
>
> What OAuth solves is that the OAuth client can get access to the user's
> resources without storing the real credentials. It's up to the OAuth
> provider how the user authenticates. This can be done via username and
> password, but other methods are also possible, like the Windows domain
> login.
> Social OAuth providers like Google and Facebook have long-lasting sessions
> that are also used when the user is going to authenticate from an OAuth
> client. As a consumer I wouldn't appreciate it if I were logged out from Gmail
> because some other app that uses Google's OAuth wants to be sure that I am
> really me.
>
> If you want to protect sensitive or private data in your client and you
> want to be more sure that you interact with the person behind the user
> identifier, you should introduce a second factor in your authorization flow.
>
> Jasha
>
>
>>
>> Regards,
>>
>> Jude.
>>
>> Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA  50319
>>
>> (515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov
>>
>>
>>
>> *From:* Stein Welberg [mailto:stein@onegini.com]
>> *Sent:* Wednesday, April 22, 2015 12:39 AM
>> *To:* user@oltu.apache.org
>> *Cc:* Jasha Joachimsthal
>> *Subject:* Re: Force re-authentication
>>
>>
>>
>> Hi Jude,
>>
>>
>>
>> Oltu does not support such a scenario because the scenario you are
>> describing is not part of the OAuth specification, nor does it have anything
>> to do with it :-). There are specifications to revoke an access token [1];
>> as you already found out, Google allows you to do this. However, it does not
>> enforce the scenario you are looking for. I'm afraid you have to look for
>> something else because this is not standardised and therefore all providers
>> have chosen a different path.
>>
>>
>>
>> I’m afraid you are on your own on this.
>>
>>
>>
>> [1] https://tools.ietf.org/html/rfc7009
>>
>>
>>
>> Met vriendelijke groet / Kind regards,
>>
>>
>>
>> Stein Welberg | CTO
>>
>> M: +31639110574 | stein@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden
>> | www.onegini.com
>>
>> On 21 Apr 2015, at 23:07, Tiburtius, Ashwanth [IWD] <
>> Ashwanth.Tiburtius@iwd.iowa.gov> wrote:
>>
>>
>>
>> Hi all,
>>
>>
>>
>> I'm using Apache Oltu as the OAuth library to authenticate users against
>> Google, Yahoo and Microsoft. It has worked great. Within my application I
>> need to ask the user to re-authenticate themselves before accessing certain
>> pages. This is what I have found so far on this topic.
>>
>>
>>
>> Google – lets you revoke access token using “
>> https://accounts.google.com/o/oauth2/revoke?token=”. But this doesn’t
>> force re-authentication by password entry but displays only the consent
>> screen again.
>>
>> Yahoo – has no support for this. We have to log the user out using
>> something like https://login.yahoo.com/config/login?logout=1.
>>
>> Microsoft – has url “
>> https://login.live.com/oauth20_logout.srf?client_id=CLIENT_ID&redirect_url=REDIRECT_URL”
>> to support this behavior. I am in the process of testing it.
>>
>>
>>
>> Does Oltu have any APIs related to this functionality? Has anyone tried
>> to implement this? Any help is much appreciated. Thank you.
>>
>>
>>
>> Regards,
>>
>> Jude.
>>
>>
>>
>
>
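The thread above turns on a distinction that is easy to miss: Stein points to RFC 7009 token revocation, Jude found that Google's revoke endpoint only brings the consent screen back, and Jasha explains that the provider's login session is separate from any token it issued. What follows is an added example written for this page in Python; it is not Apache Oltu code and not any provider's implementation. It is a minimal RFC 7009 revocation endpoint over constructed in-memory demo data (the client id, secret, token values and the login session are all assumed) and shows the rules such an endpoint follows, and that revoking a token leaves the provider's login session untouched, so a client cannot use revocation to force a password re-entry.

```python
"""Minimal RFC 7009 token revocation endpoint.

Added example for this thread; not Apache Oltu code. All tokens, client
credentials and the login session below are constructed demo data.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample state: one confidential client, one refresh token and
# two access tokens minted from the same grant (assumed demo values).
CLIENTS = {"app-123": "s3cret"}  # client_id -> client_secret
REFRESH_TOKENS = {"rt-1": {"client_id": "app-123", "revoked": False}}
ACCESS_TOKENS = {
    "at-1": {"client_id": "app-123", "grant": "rt-1", "revoked": False},
    "at-2": {"client_id": "app-123", "grant": "rt-1", "revoked": False},
}
# The provider's own browser login session. Nothing in RFC 7009 touches it,
# which is why revoking a token does not force a fresh password entry.
LOGIN_SESSIONS = {"sess-jude": {"user": "jude"}}


def basic_auth_header(client_id, client_secret):
    """Build the HTTP Basic Authorization header value a client would send."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _authenticate_client(headers):
    """Return the client_id for valid Basic credentials, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return client_id if CLIENTS.get(client_id) == secret else None


def _find_token(token, hint):
    """Locate the token, trying the hinted store first, then every store.

    RFC 7009 section 2.1: a wrong or unknown token_type_hint must not change
    the outcome, so the hint only decides search order."""
    stores = {"access_token": ACCESS_TOKENS, "refresh_token": REFRESH_TOKENS}
    order = [hint] if hint in stores else []
    order += [kind for kind in stores if kind not in order]
    for kind in order:
        if token in stores[kind]:
            return kind, stores[kind][token]
    return None, None


def revoke(headers, body):
    """Handle POST /revoke with a form-encoded body. Returns (status, json)."""
    client_id = _authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    form = parse_qs(body, keep_blank_values=True)
    token = form.get("token", [""])[0]
    if not token:
        return 400, {"error": "invalid_request"}
    kind, record = _find_token(token, form.get("token_type_hint", [None])[0])
    if record is None:
        # Unknown or already-invalid token: still 200 (RFC 7009 section 2.2),
        # so the endpoint does not reveal which tokens exist.
        return 200, {}
    if record["client_id"] != client_id:
        # Token was not issued to this client: refuse (RFC 7009 section 2.1).
        return 400, {"error": "unauthorized_client"}
    record["revoked"] = True
    if kind == "refresh_token":
        # Section 2.1: SHOULD also invalidate access tokens from the same grant.
        for access in ACCESS_TOKENS.values():
            if access["grant"] == token:
                access["revoked"] = True
    return 200, {}


def is_active(token):
    """True if the token is known and not revoked (what a resource server asks)."""
    _, record = _find_token(token, None)
    return record is not None and not record["revoked"]
```

A wrong token_type_hint still revokes the right token, an unknown token still gets 200, and revoking the refresh token takes its access tokens with it. LOGIN_SESSIONS is never consulted by any of this, which is exactly the gap the thread is about: after a successful revoke the user's next authorization request rides on the provider's existing session and, at most, shows the consent screen again.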
