
IRC log for #openam, 2014-03-04


All times shown according to UTC.

Time Nick Message
00:49 MegaMatt joined #openam
01:09 Scient the documentation for writing custom auth modules seems just horrible, especially regarding the various XML files :(
01:09 aldaris it just sets the bar for engineering mindset :)
01:10 Scient so the mindset should be to write horrible code? :D
01:11 aldaris nope, just requires a bit of a reverse engineering :p
01:11 Scient it sure does
01:11 Scient especially the callbacks part
01:11 aldaris most of OpenAM requires that
01:11 aldaris what about those
01:11 Scient i mean that actually entails quite a bit of logic, but the docs don't really explain the whole concept and details
01:11 Scient so you kind of have to go based on the existing examples
01:12 Scient which still doesn't really give you a broad overview, you just read them and assume how something might work :)
01:12 aldaris right, but there aren't too many kinds of callbacks to work with
01:13 Scient i need to build several forms and the way to go about that is not obvious at all at first
01:13 Scient it's the opposite :P
01:14 aldaris if you need complex logic, then don't write an auth module
01:14 aldaris been there done that
01:14 aldaris and it isn't worth it
01:15 Scient what are the alternatives?
01:15 aldaris actually, not complex logic
01:15 aldaris but complex multiscreen use-cases
01:15 aldaris writing the statemachine isn't fun
01:15 aldaris is your auth module really just doing only authentication?
01:15 aldaris sounds like you want to use it for something else
01:15 Scient no, it's actually doing authorization
01:16 Scient via an external application
01:16 Scient i can do this by either having forms on OpenAM and doing the integration via REST APIs
01:16 aldaris so where is this complex user interaction coming from?
01:16 Scient or send the user off to the external application and then redirect them back later on
01:17 Scient the latter has a potential issue where i could lose the SAML context while redirecting back and forth
01:17 Scient and the process itself is basically KBA stuff, it could be multiple screens of forms
06:34 rghose joined #openam
07:43 pfreixes joined #openam
08:07 asyd morning folks
08:20 balo morning
08:20 aldaris joined #openam
09:05 hos002 joined #openam
09:43 aldaris joined #openam
10:13 aldaris joined #openam
10:37 aldaris joined #openam
10:37 rghose getting access denied response when using an OAuth Agent for my realm. Resulting in a redirect loop. even though the credentials are correct.
10:57 aldaris joined #openam
11:34 rghose not getting a code back
11:34 rghose when trying to authenticate with an OAuth2 agent
11:34 rghose resulting in infinite redirection loop!
11:34 rghose can anyone help regarding this?
11:49 aldaris joined #openam
11:49 MegaMatt joined #openam
11:55 MegaMatt I think a detailed explanation of callbacks, and how we use them, and what they are, and blah blah.. might be a good future blog post (if you haven't already made a detailed post on them)
11:57 aldaris didn't do that just yet, though I had a few posts about authentication modules
11:57 aldaris yesterday I've started to draft up a basic article about saml
11:57 MegaMatt Awesome ;)
11:59 MegaMatt rghose posted that looping issue on the alias, .. I haven't seen if people have replied yet, but I'm pretty sure you don't want to set cookies on IP addresses
11:59 rghose @MegaMatt: yeah, I got that part. I am using the same domain name where openam is hosted in this case I am still getting a redirect loop
12:00 MegaMatt Interesting. I would have guessed it's because they are different domains (one domain name, one ip address)
12:01 rghose /openam/UI/Login -> /openam/oauth2/authorize?response_type=code&redirect_uri=http%3A%2F%2Fjpvip.internal.directi.com%3A81%2Fopenam_test%2Fclient_example.php&client_id=test&nonce=195114effe7acbfb28c5e5eb27616cae&state=4b40f567ccb417a4e40521ed6c7fecc3 -> /client_example.php?error=access_denied&error_description=The%20authorization%20server%20can%20not%20authorize%20the%20resource%20owner.&state=4b40f567ccb417a4e40521ed6c7fecc3
12:01 rghose /openam/UI/Login -> /openam/oauth2/authorize -> /client_example.php (with error) <->  /openam/oauth2/authorize
12:01 rghose that is what happens ^^
12:02 aldaris how did you set up the oauth2 provider?
12:03 rghose From the doc, create OAuth provider, then added user-name/password and then the redirect url
12:04 rghose Access Control -> Realm (top level) -> Agents -> OAuth2.0 Client
12:04 aldaris using the wizard on common tasks?
12:04 rghose yes
12:04 rghose After using wizard
12:04 rghose I added the agents to the realm manually also
12:05 rghose Configure OAuth2 from Common Task -> Create followed by Access Control -> Realm (top level) -> Agents -> OAuth2.0 Client
12:06 aldaris so under policies you see some defined?
12:06 rghose Yes, OAuth2ProviderPolicy
12:07 rghose I never opened this page however
12:07 aldaris right
12:07 aldaris there are two problems _obviously_
12:07 aldaris AM throws the error
12:07 rghose ok, which is?
12:07 aldaris and the client is incorrectly handling it
12:07 rghose yeah. I suppose
12:08 rghose the client should give an error page. but that is a different issue
12:08 rghose wonder why the error gets thrown when in fact the credentials are correct and also when I am logged in
12:08 rghose correction, when a user is logged in
12:09 rghose the version I use just for info: OpenAM 11.0.0 (2013-November-08 10:40)
12:10 MegaMatt Are you sure the client_example.php is doing what it should?
12:12 rghose I am using this: https://github.com/jumbojett/OpenID-Connect-PHP seems to work with other providers
12:22 rghose well, the first request seems to be behaving correctly. It sends parameters to openam and openam redirects.
12:58 aldaris joined #openam
13:05 aldaris rghose did you configure openid as default scope?
13:13 MegaMatt joined #openam
13:20 rghose @aldaris: how to do that?
13:25 rghose (did you configure openid as default scope?)
14:10 aldaris joined #openam
14:10 rghose @aldaris: you asked this: did you configure openid as default scope? Now how does one do that please?
14:11 aldaris see the oauth2 client profile settings
14:11 aldaris but frankly I'm not even sure if that makes any difference
14:12 aldaris from what I can see you are just attempting to obtain an authorization code..
14:12 rghose I suppose. so is the library doing something it should not?
14:12 rghose by library I mean the php client I am using
14:12 aldaris I don't know, I'm not an OAuth2/IDC guru
14:31 kala_ IDC guru?
14:31 kala_ openid connect?
14:32 aldaris yeah, I meant IDC== OpenID Connect, lazy typing
14:35 aldaris joined #openam
14:48 rghose okay, so I used a different client and redirect loop was solved. however, the authentication keeps failing.
14:51 rghose must be some configuration issue I figure with OAuth2 agent
15:00 rghose okay, so my client is requesting for scopes "openid email profile", so is it because of email this error is thrown?
15:08 rghose okay I confirm this is an issue with the lb setup!
15:09 rghose it works fine when I do not use the LB
15:54 rghose joined #openam
16:07 aldaris joined #openam
17:51 aldaris joined #openam
17:52 sayakb_ joined #openam
18:13 aldaris joined #openam
20:13 jjpp joined #openam
20:52 pfreixes joined #openam
21:03 aldaris joined #openam
22:02 pfreixes joined #openam
22:51 aldaris joined #openam
