apioo / fusio

Open source API management platform
https://www.fusio-project.org
Apache License 2.0

Authorization app #245

Open chriskapp opened 5 years ago

chriskapp commented 5 years ago

Currently every app uses the OAuth2 client_credentials (either consumer or backend) flow to login. The consumer app currently can only handle the authorization_code flow. Because of this the consumer app needs to run in HTML5 mode without hash-tag router since some OAuth2 clients can't redirect to a hash-tag route (this means the app can't be used out of the box since you need to adjust the base url). We could build a new authorization app based on PHP (Slim) which handles all authorization/login/register. In theory we could then remove the login from every app and simply start the authorization_code flow, thus we could remove the client_credentials endpoints for consumer and backend and have only one OAuth2 endpoint.

Also other developers then don't need to build a login/registration system, they can simply start the same authorization_code flow by redirecting the user to the app. Also every app could then specify the needed scopes. This would then mean instead of a Login mask we would have a button saying e.g. "Login with Fusio". It should be possible to customize the templates since most users probably want to use a custom branding.

andy3469 commented 1 week ago

Hello,

Any news on this? I'm trying to use an OAuth2 Authorization Code flow from Postman and I don't know which Auth URL I should use.

Or if it's possible to change the client ID and secret so that I could input the one I have from my keycloak instance.

chriskapp commented 1 week ago

Hi @andy3469, we moved away from the idea to build an Authorization app; instead we recommend to use an existing IdP like Keycloak or Azure etc. You can configure such an identity provider at the backend under System / Identity.

andy3469 commented 1 week ago

Hello @chriskapp, I'm trying to configure the identity provider but I get a "Could not request user information" error. I've correctly put all the URIs but I don't know why it's not working as intended.

Also, after it's correctly configured, how can I let Fusio use the identity provider in an OAuth2 authorization code flow?

chriskapp commented 1 week ago

@andy3469 so in the end you would add a button to your app which redirects the user to your IdP, see https://docs.fusio-project.org/docs/use_cases/spa_backend/social_login

The user authenticates at the IdP and returns to Fusio, Fusio then creates the user and redirects the user back to your app. Then you get an access token which you can use to access the Fusio API.

andy3469 commented 1 week ago

@chriskapp thank you the IdP is working fine now.

Edit: If I use the consumer/identity/1/redirect as the auth endpoint, it's working alone on a browser or with the implicit flow of postman but not with the authorization code flow of postman.

```json
{
    "error": "invalid_client",
    "error_description": "Unknown credentials"
}
```

I'm using the authorization/token endpoint for the token. It's the only difference between the implicit and authorization code flows.
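The redirect-based flow described in the thread, written out as an added example (not Fusio's own code): the app sends the browser to the identity redirect with a random `state`, checks that `state` on the callback, and then exchanges the code at the token endpoint, which, unlike the implicit flow, requires client authentication (per RFC 6749, `invalid_client` is the error a token endpoint returns when that client authentication fails). The base URL, client id and client secret are constructed placeholders.

```python
import base64
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders (assumption): your Fusio base URL and the client
# credentials of the app registered in the Fusio backend.
FUSIO_BASE = "https://fusio.example.test"
AUTHORIZE_PATH = "/consumer/identity/1/redirect"  # auth endpoint named in the thread
TOKEN_PATH = "/authorization/token"                # token endpoint named in the thread


def new_state() -> str:
    """Per-login random value, stored in the user's session before redirecting."""
    return secrets.token_urlsafe(24)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """Step 1: send the browser to Fusio's identity redirect, which forwards to the IdP."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{FUSIO_BASE}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: accept the code only if the state echoes the one we stored."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in qs:
        raise RuntimeError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(code: str, redirect_uri: str, client_id: str, client_secret: str):
    """Step 3: exchange the code at the token endpoint. Unlike the implicit flow,
    this request authenticates the client (HTTP Basic client_id:client_secret);
    a token endpoint rejects a wrong or missing pair with invalid_client."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return FUSIO_BASE + TOKEN_PATH, headers, body


def parse_token_response(raw_body: str) -> str:
    """Return the access token, or raise carrying the OAuth2 error code on failure."""
    data = json.loads(raw_body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"]
```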