-
1. Re: Picketlink public token RESTful web service
maxsap Mar 30, 2014 11:30 AM (in response to maxsap)
After 8 days and not a single answer for any of the questions?
-
2. Re: Picketlink public token RESTful web service
pcraveiro Mar 31, 2014 8:54 AM (in response to maxsap)
Hi Maximos,
I think we have a quickstart [1] that can be useful for you.
Basically, this example is about an authentication endpoint providing both username/password and token based authentication. However, the Identity bean is session-scoped, which means you'll have a session for each user. We are currently discussing [2] a stateless alternative to the current Identity bean implementation. But for now, if you want a stateless authentication you should use the IdentityManager bean directly to authenticate your users.
Unfortunately, we don't have any example application about how to use the IdentityManager bean directly to provide authentication. But we're covering some important bits of the Credential API in our documentation [3]. There you can find how to use the PicketLink IDM directly to update and validate credentials, as well as how to provide your own credential types.
Regarding the token, maybe JWT [4] can be an option.
[2] [PLINK-400] Stateless behavior to the Identity bean - JBoss Issue Tracker
[3] PicketLink Reference Documentation
[4] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token
Cheers.
Pedro Igor
-
3. Re: Picketlink public token RESTful web service
maxsap Apr 2, 2014 9:24 AM (in response to pcraveiro)
Hello Pedro,
Thank you for your reply, I have seen the example and I am using it, in combination with an AuthenticationSelector so I am examining the http request and if a token is set I am using a different Authenticator to perform the validation.
The problem with the example is that it doesn't really show (at least for a primer as me) how exactly to use the IdentityManager to perform the authorization.
So for example how do I bind the user to both the password and the token?
My current approach is to set the token as an attribute bound to the user and then I need the email and the token in order to authorize the user, is this a valid approach because it feels redundant?
Also another thing in question is, even if I use directly the IdentityManager isn't a new session created on every request?
best,
Maximos.
-
4. Re: Re: Picketlink public token RESTful web service
pcraveiro Apr 2, 2014 11:31 AM (in response to maxsap)
Hi Maximos,
First of all, we had some progress with PLINK-400, which means you'll be able to use a stateless version of the Identity bean. This RFE is targeted to 2.6.0.CR2, which will be released soon. But here are some answers:
So for example how do I bind the user to both the password and the token?
PicketLink IDM allows you to bind different credentials types for a single user. To do that you just need to update the credentials for a specific user using these different types. Here is an example about how to update both password and a custom token.
    // update using your custom token credential type
    Token token = new Token("123");
    identityManager.updateCredential(user, token);

    // update using the built-in password credential type
    Password password = new Password("maximos");
    identityManager.updateCredential(user, password);
Please, take a look at this code [2]. It is a good example about how to extend PicketLink IDM to support a custom credential type. This code is basically testing the configuration for custom credential types and handlers. For more details about how to store your custom credential types, please take a look at our documentation about the Credential Storage Interface. You may also look at the Two-Factor Authentication Quickstart [1]. There you are able to authenticate using both your username/password or TOTP.
My current approach is to set the token as an attribute bound to the user and then I need the email and the token in order to authorize the user, is this a valid approach because it feels redundant?
I would suggest you extend PicketLink IDM to represent your token using a specific type. So you don't need a custom Authenticator to support your token.
Also another thing in question is, even if I use directly the IdentityManager isn't a new session created on every request?
No, the Identity Manager is request scoped.
In a nutshell, I think PLINK-400 will make your life easier. I'll push some changes today to PicketLink. I'm very interested in your use case, so feel free to join us on freenode, #picketlink channel. There we can work together to get your use case working and write documentation for others with similar requirements. What do you say?
Cheers.
Pedro Igor
-
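What a per-user token credential, kept separately from the password as the reply above suggests, has to do when it is issued and when it is checked on each stateless request. This is an added example in plain JDK Java, not PicketLink code and not from the thread; the class `TokenCredentialStore` and its methods are hypothetical stand-ins for a custom credential handler and its storage.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a custom token credential handler plus its storage.
public class TokenCredentialStore {
    private static final class Stored {
        final byte[] digest;
        final Instant expires;
        Stored(byte[] digest, Instant expires) { this.digest = digest; this.expires = expires; }
    }

    private final Map<String, Stored> byUser = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    private static byte[] sha256(String token) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
    }

    // Issue a 256-bit random token; only its digest and expiry are kept server-side.
    public String issue(String loginName, long ttlSeconds) throws Exception {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byUser.put(loginName, new Stored(sha256(token), Instant.now().plusSeconds(ttlSeconds)));
        return token;
    }

    // Per-request check: no HTTP session, expiry enforced, constant-time digest comparison.
    public boolean validate(String loginName, String presented) throws Exception {
        Stored s = byUser.get(loginName);
        if (s == null || presented == null || Instant.now().isAfter(s.expires)) return false;
        return MessageDigest.isEqual(s.digest, sha256(presented));
    }

    public static void main(String[] args) throws Exception {
        TokenCredentialStore store = new TokenCredentialStore();
        String token = store.issue("maximos", 3600);   // constructed sample user
        System.out.println("issued token accepted:   " + store.validate("maximos", token));
        System.out.println("tampered token accepted: " + store.validate("maximos", token + "x"));
        store.issue("maximos", 3600);                  // re-issuing replaces the stored digest
        System.out.println("old token after rotation: " + store.validate("maximos", token));
    }
}
```

Because the store holds only a digest and an expiry, a leaked credential table does not yield usable tokens, and re-issuing a token revokes the previous one.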
5. Re: Picketlink public token RESTful web service
pcraveiro Apr 2, 2014 12:59 PM (in response to maxsap)
Hey Maximos,
Here is an example about how to inject a stateless version of the Identity bean.
If you want to try it out, you can clone and build upstream/master.
Thanks.
Pedro Igor
-
6. Re: Re: Picketlink public token RESTful web service
maxsap Apr 3, 2014 4:06 AM (in response to pcraveiro)
Hello Pedro,
I say that in the past I had really bad experience with JBoss support, you just changed that.
Of course I am interested, I was planning also to release some github for anyone that tried to accomplish the same functionality, so the fact that you are willing also to have some documentation about that is really cool.
So I guess I will see you on #picketlink
Cheers,
Maximos.