
I am writing a REST API to be consumed by our internal applications. I need to log in and log out users of the identity server using the code grant via HTTP requests.


I need to know how to call the following endpoints:

  • /authorize (invoked from server-side)
  • /accesstoken (invoked from server-side)
  • /login
  • /logout

CASE:

Our company has many applications. I want one point of authentication which will happen in their company-x account, the way you only need to log in to an Atlassian account to access Jira and Confluence Cloud. The REST API I'm working on is for our front-end developers (as of now).


I cannot simply let the user log in to WSO2 IS since they only need a module where they can manage their company-x profile and other basic stuff. By this I think I have 2 options:

  1. Customize the WSO2 Identity Server UI and permissions. But the problem is, I still need an endpoint to get that id_token. I am also not sure if this is the right approach.
  2. Know how to call the /authorize, /accesstoken, /login and /logout endpoints, write my own minimal required UI and provide an endpoint that will respond with the id_token.

2 Answers


If you use the code grant type, there will be a browser redirection from /authorize to /login. I don't think you can handle that by a REST call. (You might be able to handle it by calling the URL in the Location header of each 302 response, but I don't think that's a nice way to do this.) If you want to develop a REST API, I think the password grant type will be more suitable.

  • Yeah right, I am also puzzled by the redirection. My only issue with the password grant is that the access_token and id_token will be exposed client-side. What are my options to address this security issue? Like using an API key instead? BTW I intend to use the id_token like a session_id on the client side. Thanks a lot ^^ – letthefireflieslive Nov 15 '16 at 17:16
  • Aren't your clients browser based? Can't they handle browser redirection? For session management information, see https://docs.wso2.com/display/IS520/Session+Management+with+Playground – Bee Nov 15 '16 at 17:58
  • Btw, your concern about the password grant type is a bit confusing. Even in the code grant type, an access token is received by the client app at the end, right? The problem with the password grant type is that the user has to give their credentials to the client app. But AFAIK that's the only way to handle it if the client app can't handle browser redirection. – Bee Nov 15 '16 at 18:14
  • I added details in my question. The clients (1st party applications) are server-based. I mean in the code grant the access_token is exposed only server-side, while it is exposed client-side for the password grant. My plan is to only give the id_token to the client side (if it works like a session ID so I can determine who is making the request). – letthefireflieslive Nov 16 '16 at 00:47
  • How about having a basic login page on the front end and using request path authentication. Basically what this means is instead of redirecting the user to the IS login page. – farasath Nov 16 '16 at 08:40
  • I think this is the answer (post it as an answer for others' sake). I will try this tomorrow. Kudos to the WSO2 IS team! You are all very helpful! I hope [this](http://stackoverflow.com/questions/40540393/getting-only-sub-in-userinfoendpoint) will be fixed soon. Thanks! – letthefireflieslive Nov 16 '16 at 12:30
  • @Bhathiya sorry, it's just now that it makes sense to me why you suggested the `password` grant for this case, since my RPs are 1st-party applications and authentication is centralized to IS (SSO). But @farasath's answer is still more secure since you know that the access_token/id_token will be in the expected URL (callback), right? – letthefireflieslive Nov 17 '16 at 07:15

How about having a basic login page on the front end and using the request path authenticator to get the authorization code/id_token.

Basically what this means is, instead of redirecting the user to the IS login page, you can extract the username and password from the basic login page you created and send the authorization grant request along with the credentials.

So your authorization code request will be:

https://localhost:9443/oauth2/authorize?response_type=code&client_id=JqB4NGZLMC6L3n4jz094FMls2Joa&redirect_uri=https://localhost/callback&scope=openid&sectoken=<sec_token>

sec_token = base64encode(username:password)

You need to add basic-auth request path authenticator in your Service Provider configurations. This request should return you an authorization code. If you want an id_token simply use the implicit flow with request path authentication.

  • I'm quite confused where exactly I find the `code/id_token`. Is it passed to the `redirect_uri` (how? request body or header)? Or as a form of response to the request sender? I tried to put `http://localhost:8080/playground2/oauth2client` as the `redirect_uri` in Postman and the response is the HTML form. – letthefireflieslive Nov 17 '16 at 04:09
  • The id_token is passed afterwards as a query param in the callback URL, e.g.: https://localhost/callback?id_token= – farasath Nov 17 '16 at 06:38
  • Clearer now what @bhathiya meant by handling the redirect from a REST call (because I send the request via Postman). – letthefireflieslive Nov 17 '16 at 06:47
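As an added example (not code from either answer or from WSO2), here is how the server-side flow from farasath's answer and the comment about the callback URL fit together in Python: build the sectoken, send the /oauth2/authorize request without following redirects (the 302 handling Bee's answer mentions), and pull the code or id_token out of the Location header while checking that the redirect really went to the registered callback. The host, client_id and callback are the placeholder values from the answer; the function names and everything else are assumptions.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values: the IS host, client_id and callback used in the answer above.
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"
CLIENT_ID = "JqB4NGZLMC6L3n4jz094FMls2Joa"
REDIRECT_URI = "https://localhost/callback"

def build_sectoken(username, password):
    # sectoken = base64encode(username:password), as the answer states
    return base64.b64encode(f"{username}:{password}".encode()).decode()

def build_authorize_url(username, password, response_type="code"):
    # The /oauth2/authorize request from the answer ("id_token" = implicit flow)
    params = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "sectoken": build_sectoken(username, password),
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def extract_from_callback(location, expected_redirect=REDIRECT_URI):
    # Pull code / id_token out of the Location header IS sends back. Query and
    # fragment are both checked (implicit responses usually use the fragment).
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != expected_redirect:
        raise ValueError(f"redirect to unexpected URL: {location}")
    found = {k: v[0] for piece in (parts.query, parts.fragment)
             for k, v in parse_qs(piece).items()}
    if "error" in found:
        raise ValueError(f"authorization failed: {found['error']}")
    return {k: found[k] for k in ("code", "id_token") if k in found}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 instead of following it to the callback

def request_code(username, password, response_type="code"):
    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open(build_authorize_url(username, password, response_type))
    except urllib.error.HTTPError as err:
        if err.code == 302:
            return extract_from_callback(err.headers["Location"])
        raise
    raise RuntimeError("no redirect; is the request path authenticator enabled?")
```

Because the credentials travel in the query string, keep this call strictly server-to-server over TLS and make sure the authorize URL is not written to access logs.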