sling-dev mailing list archives

From Robert Munteanu <romb...@apache.org>
Subject Re: [Dev][GSOC2018] Project Idea : Provide an OpenID Connect Authentication Handler
Date Wed, 28 Mar 2018 15:15:08 GMT
Hi Hasini,

The proposal looks good to me, thanks for preparing it!

I've added some specific comments below where I think we should clarify
and/or expand some items.

On Mon, 2018-03-26 at 03:35 +0530, Hasini Witharana wrote:
> Hi all,
> 
> The below [1] is the proposal for the project "OpenID Connect
> authentication handler for Apache Sling". Please review and give your
> comments.
> 
> [1] - https://docs.google.com/document/d/1ki_mv_ngtMFsP2cqZkVfZfAYLAYle6M5Srs0WsgHXEs/edit?usp=sharing

I took a look at the proposal and my comments are:

- it would be good to include testing as an ongoing effort, rather than
a phase. We very much value automated tests running as part of the
build process so please factor that into your proposal.
- each milestone should have a deliverable, as in 'we can now recognize
authentication data from an external system' or 'we can now create
users based on the authentication data received from an external
system'
- implementing the auth flow is only part of the project, as Apache
Sling has its user backend stored in Oak, so users would also need to
be created, see for instance [2]

Those would be my comments, if anyone else would like to contribute
please do :-)

Robert


[2]: https://github.com/apache/sling-org-apache-sling-auth-xing-oauth/blob/164010f83ac77fb76d707e1bc6b7e22382e8247d/src/main/java/org/apache/sling/auth/xing/oauth/impl/DefaultXingOauthUserManager.java#L116-L141

> 
> On Fri, Mar 23, 2018 at 10:38 PM, Hasini Witharana <hasinidilanka@gmail.com>
> wrote:
> 
> > Hi Robert,
> > 
> > > what would we lose in terms of functionality if we don't implement
> > > the Hybrid flow?
> > 
> > 
> > In the Hybrid flow, we will be able to issue tokens separately for
> > front channel and back channel.
> > 
> > > How much additional effort is it to implement Hybrid flow?
> > 
> > 
> > Hybrid flow is the combination of the two flows. And for the Hybrid
> > flow there is a new variable, "c_hash". To implement the Hybrid flow
> > we need to combine the flows and implement the "c_hash" value.
> > 
> > Can you please direct me to the Apache Sling repository for the
> > OAuth2.0 implementation?
> > 
> > Thank you.
> > 
> > On Fri, Mar 23, 2018 at 4:03 PM, Robert Munteanu <rombert@apache.org>
> > wrote:
> > 
> > > Hi Hasini,
> > > 
> > > Thank you for the idea submission and for the description. Some
> > > more comments inline.
> > > 
> > > On Thu, 2018-03-22 at 18:21 +0530, Hasini Witharana wrote:
> > > > Hi all,
> > > > 
> > > > I am an undergraduate from the University of Moratuwa, Computer
> > > > Science and Engineering department. I am interested in the $subject
> > > > project idea. I have worked with an OpenID Connect certification
> > > > project previously.
> > > > 
> > > > OpenID Connect (OIDC) is an authentication protocol based on the
> > > > OAuth2.0 family of specifications. There are three main
> > > > specifications [1][2][3] written for OIDC. Since the project goal is
> > > > to create an OIDC authentication handler, we need to focus on
> > > > specification [1].
> > > > 
> > > > There are three main flows for the authentication process given in
> > > > the specification [1].
> > > > 
> > > >    1. *Authentication code flow* *(Basic)* - This flow will first
> > > >    issue a code at the authorization endpoint, and that code can be
> > > >    used to issue an access token and id_token from the token
> > > >    endpoint. In this flow the client secret is shared to recognize
> > > >    the relying party, so this flow can be used for applications that
> > > >    have a secure server side.
> > > >    2. *Implicit flow* - This flow will not issue a code but will
> > > >    issue an access token and id_token from the authorization
> > > >    endpoint. In this flow the client secret is not shared, so this
> > > >    flow is preferred for single-page web applications.
> > > >    3. *Hybrid flow* - This is a combination of the previous two
> > > >    flows.
> > > > 
> > > > Basic and Implicit flows must be supported by an OIDC Authentication
> > > > Handler. Hybrid flow is not mandatory as per the specification [1].
> > > > The blog [4] written by me on OIDC Basics will help to understand the
> > > > basics without reading the whole specification.
> > > > 
> > > > Should we try to implement all three flows or only the first two
> > > > flows (Basic and Implicit)?
> > > 
> > > My first thought would be to make sure we don't have too large a
> > > scope with a GSoC idea, to make sure that it can be completed with
> > > good quality in the allocated time.
> > > 
> > > So my questions would be
> > > 
> > > - what would we lose in terms of functionality if we don't implement
> > > the Hybrid flow?
> > > - how much additional effort is it to implement Hybrid flow?
> > > 
> > > Thanks,
> > > 
> > > Robert
> > > 
> > > 
> > > > 
> > > > [1] - http://openid.net/specs/openid-connect-core-1_0.html
> > > > 
> > > > [2] - https://openid.net/specs/openid-connect-discovery-1_0.html
> > > > 
> > > > [3] - http://openid.net/specs/openid-connect-registration-1_0.html
> > > > 
> > > > [4] - https://medium.com/@hasiniwitharana/openid-connect-532465308090
> > > > 
> > > > Thank you.
> > > > 
> > > 
> > > 
> > 
> > 
> > --
> > *Hasini Witharana*
> > Undergraduate | Department of Computer Science and Engineering
> > University of Moratuwa
> > Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/>
> > 
> 
> 
> 
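The c_hash binding discussed in the thread for the Hybrid flow, as an added Python example that is not code from the thread or from Apache Sling: it shows how a relying party derives the expected c_hash from the authorization code and checks it against the ID Token claim. It assumes the ID Token signature and the iss/aud/exp/nonce claims have already been verified by other code, and the sample code value is constructed.

```python
import base64
import hashlib
import hmac

# Hash function underlying each ID Token JWS "alg" value. c_hash (like
# at_hash) is computed with the hash of the signing algorithm, per
# OpenID Connect Core 1.0 section 3.3.2.11, so HS/RS/ES/PS variants of
# the same bit length all map to the same SHA-2 digest.
_HASH_FOR_ALG = {
    **{a: hashlib.sha256 for a in ("HS256", "RS256", "ES256", "PS256")},
    **{a: hashlib.sha384 for a in ("HS384", "RS384", "ES384", "PS384")},
    **{a: hashlib.sha512 for a in ("HS512", "RS512", "ES512", "PS512")},
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE/OIDC."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_c_hash(code: str, alg: str) -> str:
    """c_hash = base64url(left-most half of hash(ASCII octets of code))."""
    digest = _HASH_FOR_ALG[alg](code.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def validate_hybrid_response(code: str, id_token_claims: dict, alg: str) -> bool:
    """Relying-party check for a Hybrid flow authorization response that
    carried both a code and an id_token: the code must be bound to this
    ID Token via c_hash. The spec requires c_hash whenever code and
    id_token are issued together, so a missing claim is a hard failure.
    Assumes signature and standard claims were verified by the caller."""
    expected = id_token_claims.get("c_hash")
    if not isinstance(expected, str):
        return False
    # Constant-time comparison so a timing side channel cannot reveal how
    # many leading characters of the claim matched.
    return hmac.compare_digest(compute_c_hash(code, alg), expected)


if __name__ == "__main__":
    # Constructed sample: the code from the front channel and the claims
    # of an RS256-signed ID Token that an OP would issue alongside it.
    code = "SplxlOBeZQQYbYS6WxSbIA"  # assumed/constructed code value
    claims = {"iss": "https://op.example", "c_hash": compute_c_hash(code, "RS256")}
    print("genuine code accepted:", validate_hybrid_response(code, claims, "RS256"))
    print("swapped code rejected:", not validate_hybrid_response("other", claims, "RS256"))
```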

