By: Eduard Kruger user 06 Jun 2022 at 10:12 a.m. CDT

1 Response
Good day,

I am new to GLUU, and have been tasked with looking into the functionality available in GLUU for our organization. We will need to integrate some of our apps with external OpenID providers (not the common ones like Facebook, Google, etc.), mostly our local vendors. I've been following the tutorial located [here](https://gluu.org/docs/gluu-server/4.0/authn-guide/inbound-oauth-passport/) to set up an external OpenID provider, and have managed to get this working without issue. The end result of this seems to be that I can use this newly created auth provider as a method of logging into GLUU itself, if I understand the process correctly?

My question is, we have a requirement to use the GLUU server as a central auth server to generate access (bearer) tokens from our external providers' APIs and use them in our local web applications. Can this be done using Passport, or some other feature available in GLUU?

For example, let's say our GLUU server is Address A, our external vendor is Address B, and App 1 is our web app we need to integrate with our external vendors: Can App 1 connect to Address A (our local GLUU server), have GLUU connect to Address B (our external vendor) and return an access token to App 1 to allow for direct access to Address B's APIs?

Please let me know if you require more information.

Thank you,
Kind regards,
Eduard Kruger.

By Michael Schwartz Account Admin 06 Jun 2022 at 10:21 a.m. CDT

> To generate access (bearer) tokens from our external providers' APIs and use them in our local web applications.

Access tokens are short lived, so even if you return an access token from the external OAuth AS during authentication (which you could probably achieve in the passport-js person authentication interception script), you may need the refresh token to get a new access token when you call the API. So the login process by itself is not going to solve your requirement.

The Gluu introspection interception script might help: this gets called when the client requests an access token (i.e. it is called before the token is minted). However, as a backchannel stateless call, how would you determine which refresh token to use to get an access token from the backend OAuth AS? It's possible if you can send session info in the request, but it's tricky.

Net-net, I would try to configure your internal web applications to accept the access tokens from the Gluu Server. This will give you the most flexibility.

I'm closing this ticket because it's a little outside the scope of community support. But feel free to comment further here.