gnulib
commented
8 years ago This is not going to be a rest client, because actual authentication has to be done by the user's browser, outside the scope of the client application.
Hence, this library would need to be a service bean with http listener/handler method for IDP service response redirection. Flow would be something like this:
- initiate authentication by creating a session naunce
for tracking purpose? Why?
(Any tracking may not be needed, we just restart when user returns back with authorization code) - construct an authorization url with IDP host and required parameters (includes a redirect url back to client app)
- redirect the user browser to IDP service using the authorization url
- let user complete authentication and authorization at IDP service
- IDP service redirects user back to the client app, based on redirect parameter in original authorization url
- client app has a listener/handler at the redirect url
- listener/handler uses response from the IDP service (response has either token, or auth code, based on grant type)
- for auth code, listener/handler initiates a new rest client request with IDP service to get the token based on on auth code provided
provide a rest client to if-idp service for getting openid connect id token, along with user approval for profile access and any other scopes/events needed by the client app. Client library should also populate the spring security context with authentication details, so that rest of the security framework can work seamlessly.