
Re-design oxd Connect part to work inside user-agent instead of as backchannel app.

Open yuriyz opened this issue 6 years ago • 4 comments

Historically oxd was created to work as a back-channel app via sockets. Later we introduced oxd-https-extension, which was later merged into oxd, making HTTP the main transport and removing sockets. oxd commands were designed as back-channel calls at that time. Now that oxd can work inside the user-agent, it should take advantage of it.

Remove current (in 5.x, in 4.3 mark as deprecated):

  • /get-authorization-url
  • /get-tokens-by-code
  • /get-logout-uri

Instead we should have

  • /authorize, which should redirect to the AS Authorization Endpoint and, on the redirect back, depending on the type of flow, fetch the token (or skip this if it's Implicit Flow) and then validate it.
  • /end-session

In this way oxd will have full control of the process and we will not have questions like how oxd should match the UserInfo sub with the id_token sub (see https://github.com/GluuFederation/oxd/issues/441#issuecomment-613994437).

cc @nynymike

yuriyz, Apr 15 '20 12:04

@nynymike I propose to make it in 4.3. Since it's not a major release we can leave the /get-authorization-url and /get-tokens-by-code commands for backwards compatibility and completely remove them in the 5.x release.

yuriyz, Apr 15 '20 12:04

@yuriyz , what I understand from /authorize is:

redirect to AS Authorization Endpoint --> user will enter username/password on login screen --> It will redirect back with code, id_token, access_token (depending on the flow) and validate --> call token endpoint (if required) and validate the token.

I am confused whether we need to directly redirect to the AS Authorization Endpoint and submit username/password from the screen, or whether we need to do it using the Java code below, passing userId and other parameters.

```java
// authorizationEndpoint and authenticateResourceOwnerAndGrantAccess() are
// members of the enclosing class (not shown here).
private AuthorizationResponse requestAuthorization(final String userId, final String userSecret, final String redirectUri,
                                                   List<ResponseType> responseTypes, List<String> scopes, String clientId, String nonce) {
    // Fresh state per request so the response can be tied back to it.
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    // Authenticates the resource owner with the supplied credentials and grants access in one step.
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    return authorizationResponse;
}
```

duttarnab, Nov 29 '20 16:11

When the oxd /authorize endpoint is hit, we should construct the authorization URL and redirect to it directly (perform an HTTP redirect). The user enters creds on the AS side (it's not part of oxd). After authn/authz is performed the response has to be redirected to oxd (redirect_url should point to oxd) and oxd has to perform all validations.

yuriyz, Nov 29 '20 18:11

Goal is to perform front channel calls, not backchannel as we do it now.

yuriyz, Nov 29 '20 18:11
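The front-channel /authorize and redirect-back handling described in the issue and in the Nov 29 comment, sketched as an added Python example (not oxd's own code): the in-memory PENDING store and the injected exchange_code / verify_id_token / fetch_userinfo callables are assumptions standing in for the session store and the AS interactions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory store for in-flight /authorize requests (assumption:
# real oxd would keep this per user-agent session). state -> expected values.
PENDING = {}


def authorize(as_authz_endpoint, client_id, redirect_uri, response_type, scope="openid"):
    """Return the AS URL oxd's /authorize should 302 the user-agent to.
    state ties the callback to this request; nonce ties the id_token to it."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    PENDING[state] = {"nonce": nonce, "response_type": response_type}
    return as_authz_endpoint + "?" + urlencode({
        "response_type": response_type, "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope, "state": state, "nonce": nonce})


def callback(redirect_url, exchange_code, verify_id_token, fetch_userinfo):
    """Handle the redirect back to oxd. Code flow returns params in the query,
    implicit flow in the fragment. The three callables (token endpoint call,
    id_token signature/claims check, UserInfo call) are injected (assumption)
    so the flow logic can be exercised offline."""
    u = urlparse(redirect_url)
    # implicit/hybrid responses arrive in the fragment, code flow in the query
    params = {k: v[0] for k, v in parse_qs(u.fragment or u.query).items()}
    pending = PENDING.pop(params.get("state", ""), None)
    if pending is None:
        raise ValueError("unknown or replayed state")  # CSRF / replay guard
    if "error" in params:
        raise ValueError("AS returned error: " + params["error"])
    if "code" in pending["response_type"].split():
        tokens = exchange_code(params["code"])  # back-channel token request
    else:
        tokens = params  # implicit: tokens came in the fragment, skip token endpoint
    claims = verify_id_token(tokens["id_token"])
    if claims.get("nonce") != pending["nonce"]:
        raise ValueError("id_token nonce mismatch")
    if tokens.get("access_token"):
        # the question from #441: UserInfo sub must match the id_token sub
        if fetch_userinfo(tokens["access_token"]).get("sub") != claims.get("sub"):
            raise ValueError("UserInfo sub does not match id_token sub")
    return claims
```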