This quick screencast shows the process for JWT issuance, via OpenID Connect, using Google as the IdP. It also shows "refresh" of the token, which isn't really a refresh; it's the issuance of a brand new JWT. The token issuer, Google, requires the user to authenticate before issuing the first token. The "refresh" action, issuance of the 2nd token and beyond, can be a no-touch experience from the user's perspective. The user does not need to authenticate to Google again, because the browser maintains a cookie that refers to the active authentication context stored by Google. This no-touch "refresh" can be repeated until such time as the IdP expires the authentication context.
Views: 2659 Dino Chiesa
This short screencast shows how to install and enable the Drupal Rules module, and how to use it to redirect an anonymous user who tries to visit a restricted page. Rather than getting an unfriendly "Access Denied" message, the user can be invited to register on the site. I produced this quick screencast to show off some capabilities of Apigee Edge, but really it's applicable to any Drupal site.
Views: 2675 Dino Chiesa
This quick screencast shows an API Proxy in Apigee Edge that issues OAuth2.0 tokens with scopes, and then verifies tokens with scopes. There are two "endpoints" in the API Proxy: one to do the token issuance, and one to do the token verification. The flow is like this:

1. User requests token, presents credentials.
2. Apigee Edge authenticates the user and returns a set of groups.
3. Apigee Edge performs a lookup into the group-to-resource (aka group-to-scope) table.
4. Apigee Edge mints a new token that has the retrieved scopes, e.g., the scopes appropriate for the group(s) the user belongs to.
5. Return the token to the user.
6. User presents token to Apigee Edge requesting service.
7. Apigee Edge verifies the token, and depending on the service requested, verifies that the token has the appropriate scope.

The relevant OAuth2.0 specification is here: https://tools.ietf.org/html/rfc6749
The code used for this demonstration is available here: https://github.com/DinoChiesa/3mv4d/tree/master/4mv4d-oauth2-pwd-scopes
Views: 6680 Dino Chiesa
This is a quick overview of OpenID Connect, implemented in Apigee Edge. You'll see a quick view of the API Proxy that implements the OIDC Core function. Also there is a standalone Login-and-Consent application. I walk through a couple of different response_type options. Ask questions on community.apigee.com if you have 'em!
Views: 2206 Dino Chiesa
Views: 1013 Dino Chiesa
Discussing the ResponseCache policy in Apigee Edge: how to restrict it so that it applies only to GET and HEAD requests. For more, see https://community.apigee.com/articles/19671/using-the-responsecache-policy-responsibly-or-dont.html
Views: 756 Dino Chiesa
Configuring the OpenID Connect block in the Drupal-based Apigee Edge developer portal.
Views: 493 Dino Chiesa
Demonstration showing integration of Drupal (Apigee Edge Developer portal) allowing sign-in with Azure AD via OpenID Connect. See also: https://www.youtube.com/watch?v=pFvai8kdIlY This is the reference site I relied upon, written by an Azure AD expert: http://www.dushyantgill.com/blog/2015/05/23/developers-guide-to-auth-with-azure-resource-manager-api/
Views: 692 Dino Chiesa
Hey Apigee Edge fans, this is a 5-minute screencast that shows how to use the new TreatAsArray option in the XMLToJSON policy, and why you'd want to. Source code: https://github.com/DinoChiesa/4MV4D-XML2JSON-Treat-as-Array
Views: 263 Dino Chiesa