Skip to main content

Posts

OAuth - Playing Ping Pong for Authorization

You probably would have heard the word OAuth more than a few times. Ever wondered what that is? do we use that at all?. Guess what we make use of OAuth almost everyday.I got the opportunity to learn about OAuth during my time at WSO2 Identity Server team. Here's the first step of conquering OAuth :) What Exactly is OAuth? Let me start with OAuth,  OAuth solves the problem of allowing third party entities( eg: applications) to access a resource owner's protected resources without actually giving away your valuable credentials like passwords.  Let's think of it this way. You have a facebook account(Assuming you have one :P) which is your protected resource and you are the resource owner . Now you get a little high and decide to try out one of these fancy Facebook apps that finds your soul mate. The app now becomes the third party application which requires access to read out your friend list from your profile which is the protected resource. Suppose you don't hav
Recent posts

OAuth2 Authorization Code flow without client secret using WSO2 Identity Server

Quoting from  https://aaronparecki.com/oauth-2-simplified/ Single-page apps (or browser-based apps) run entirely in the browser after loading the source code from a web page. Since the entire source code is available to the browser, they cannot maintain the confidentiality of their client secret, so the secret is not used in this case. The flow is exactly the same as the authorization code flow above, but at the last step, the authorization code is exchanged for an access token without using the client secret .  Note: Previously, it was recommended that browser-based apps use the "Implicit" flow, which returns an access token immediately and does not have a token exchange step. In the time since the spec was originally written, the industry best practice has changed to recommend that the authorization code flow be used without the client secret. This provides more opportunities to create a secure flow, such as using the state parameter. References:  Redhat ,  Deutsch

Configuring WSO2 Identity Server to return Attribute Profile claims in SAML SSO Response

Configuring SAML SSO for an external Service Provider with WSO2 Identity Server is probably one of the most common use cases I heard from my day 1 at WSO2. Setting up is quite easy, Just follow the docs here . Now let me start from there, what if someone wants to retrieve certain claims of a user in the SAML Response. How easy is it to configure that? Well, Let me show you :) Step 1 Assuming that you have setup a Service Provider in Identity Server by following the docs, you should have a configuration like the one below, The most important part of this config is the " Enable Attribute Profile " tick, that allows you to get a set of pre-configured claims in the SAML response. Be sure to have it ticked. Step 2 Now your are done with Step 1, In Step 2 you simply configure the claims that you want to be returned in the SAML response. To do this, Go to the " Claim Configuration " section of the service provider, Now click on " Add Claim