reTHINK-project / dev-IdPServer

Development repository for IdP Server

Idp server WP5 #2

Open aoncorici opened 8 years ago

aoncorici commented 8 years ago

Dear all, is this the Identity provider server that we should use in WP5? Can you provide a link on how to use it with the runtime components, e.g. an identity hyperty (there used to be an identity hyperty in the WP2/WP3 design)?

jmcrom commented 8 years ago

This IdP provides its own IdP-proxy to the runtime identity module.

@Ricardo-Chaves could you assist in integrating applications?

Ricardo-Chaves commented 8 years ago

@jmcrom as you said, the IdP-proxy is provided by the IdP. As a temporary solution we are considering the use of an ID protostub (for Google and Microsoft). The solution with the IdP-proxy (provided by the IdP) is being studied by @KCorre.

@aoncorici what do you need in terms of Identity usage at the runtime? We'll assist in the integration/usage of identities.

aoncorici commented 8 years ago

Thanks, can you please take a look at the D5.2 hotel use case? We need to be able to generate authorization tokens from the server hyperty, assert the token in the communication to the server hyperty, and have the server hyperty extract and validate the token.

Ricardo-Chaves commented 8 years ago

@aoncorici we are dealing with the IdM at the runtime, not the server side, but it should be similar. I do not know if there are any restrictions on the server side regarding the use of IdP-Proxies or how to deploy them if there is no browser (I'm assuming you run the hyperty and the code outside the browser).

@KCorre: can you help on this, i.e. will your IdP-Proxy work OK outside the browser? The sharing/passing of the cookie/token should not be an issue in this case.

@aoncorici: We made JS code for the IdP-Protostubs that allows interaction with the Google and MS IdP servers (supporting OpenID Connect). This JS should work outside the runtime and without a browser; we just need to remove the stub being used to connect the Id-Protostubs to the Runtime MsgBus. These will allow you to obtain assertion tokens and verify assertion tokens from these IdPs.

Is this what you need?

If possible be present tomorrow in the WG4 meeting.

KCorre commented 8 years ago

Verifying (extract and validate) the token should not require specific implementation as it is already covered by proxy implementation. However, I'm more concerned by the authorization part as it is not something handled by the IDM.

But, from what I understand of the scenario described in 5.2, the Administration APP+Server side admin will authorize a user. The authorization mechanism could easily be done with server side logic, outside of reThink. The only reThink input would be the user identity, validated by the proxy.

To answer your question, you don't need to deploy an identity server except for setting up users. But Simon already covered that with the testbed deployment. The current IDM implementation with Google would also do the trick.