By: Poonam Sharma user 07 Nov 2019 at 3:36 p.m. CST

8 Responses
Hi, I'm working on a scenario wherein we would like to use standard OAuth 2.0 flows with Gluu to achieve the following:

1) User accesses a web-application protected by Gluu.
2) Web-application realizes that the user is not authenticated, crafts an Authentication request, and redirects the user to Gluu for authentication. Here, we would like to use an external login page rather than Gluu's default login page.
3) User authenticates and gets redirected back to the web-application with access token and ID token.

I would like to understand: is it possible to externalize the Gluu login page? If yes, how would the authentication take place in that scenario? How would the custom login page validate the username and password?

By Michael Schwartz staff 07 Nov 2019 at 4:26 p.m. CST

might make sense to schedule a sales call st

By Poonam Sharma user 08 Nov 2019 at 1:42 a.m. CST

Thanks for your response. This work is not for any customer. I am trying to evaluate different IAM products for this standard flow and trying to understand what degree of customization (and ease) is required with different products to achieve this. So at this point, any ideas on whether it is doable or not doable, and what it requires, are enough for me. Thank you :)

By William Lowe staff 08 Nov 2019 at 5:34 p.m. CST

We're working on better handling for this. It will likely be added as a new feature in an upcoming release, perhaps 4.1. Thanks, Will

By Michael Schwartz staff 08 Nov 2019 at 5:44 p.m. CST

Remember that part of the goal with Gluu was to use open standards: primarily OpenID Connect and SAML. If you externalize the login page, you are not using open standards. Thus, you are dooming your customer to a proprietary solution, where lock-in and high switching costs are the inevitable result. Yes... old Web Access Management products used to work like that. But also, customers would get locked in to old web access management products. But with that said, if you don't care about standards, we are publishing a mechanism using the ROPW OAuth flow, which will return a cookie in the access token. A web client could take this cookie and write it as a domain cookie. We're about to publish a blog on this with a sample script. Possible--Yes! Advisable?

By Poonam Sharma user 09 Nov 2019 at 2:12 a.m. CST

Thanks for your response, Mike and Will. I understand your point, but then there are situations where such customizations become inevitable. In many cases, customers have their own UI building teams who are comfortable in a certain UI technology, have an existing framework and stuff. About the ROPC flow, how would the flow work? Remember that the external login page is not part of the relying party (web-app); it is a totally separate application hosting a set of centralized authentication methods via the login page (username and password being one of those). Thanks

By Poonam Sharma user 09 Nov 2019 at 2:19 a.m. CST

Does the login page application become the relying party here (instead of the original web-app), craft the ROPC flow, and get back an access token? In that case, how would the original web-app get the access token?

By Poonam Sharma user 11 Nov 2019 at 8:57 a.m. CST

Any thoughts, please?

By Michael Schwartz staff 11 Nov 2019 at 2:12 p.m. CST

Please schedule a meeting to discuss the business opportunity. If you need a time that is a little earlier, I can do 6am US Central Time (Chicago).