By: Marcos Mm user 13 Jul 2021 at 7:28 a.m. CDT

3 Responses
I'm just exploring Gluu with Test Drive in a Debian 10 VM to analyze if it fits in our scenarios. First of all thanks a lot for this great piece of software, it really looks great! It pretty much covers all our requirements but I wanted to ask about one customization we would need. In our current in-house authentication system we have one specific type of users: anonymous users. What they actually are is really on-the-fly created ones, with very limited capabilities. Basically our OAuth2 token endpoint is able to emit access_tokens for those "unauthed" requests (it's actually a relaxed password grant that allows empty passwords). In order to start adopting a full-fledged solution like Gluu we would need to keep this at least in the first iterations of the integration of Gluu in our platform. Would it be possible to implement this as an extension like the ones found here https://github.com/GluuFederation/community-edition-setup/tree/master/static/extension?

The high level process of what we do now is:

* post /token with a well known username and an empty password
* this generates a TTL-ed user with very restricted permissions and returns the appropriate access_token
* the "anonymous" user can now log in using the provided access_token

Any suggestion or hint is highly appreciated. Thanks in advance

By Aliaksandr Samuseu staff 13 Jul 2021 at 8:02 a.m. CDT

Hi, Marcos. I'm not sure there is a definitive answer to your question within the scope of Community Support. Customizations of such degree are not covered by it, and if you are considering purchasing a support plan from Gluu, I would suggest that you maybe [book a call](https://gluu.org/booking?utm_source=website&utm_medium=page&utm_campaign=contact-us) with Michael and the brass, and find out what plan may cover such requirements.

By Aliaksandr Samuseu staff 13 Jul 2021 at 8:10 a.m. CDT

Overall, the flow you described seems similar to Gluu's Resource Owner Password Credentials grant flow. In this flow, you indeed POST some user's creds to the `/token` endpoint, and receive an access token in a response. Though the user in question is expected to already be present in the system. I'm not aware whether it's possible to make it work with an empty password, and enroll a user on the fly, but Gluu does offer a plug-in custom script allowing you to implement some custom logic for this flow, so it may be possible even without further customizations to underlying APIs (which is a much more challenging and costly task). As said before, if you are considering purchasing a support plan from Gluu to help with your integration projects, it's better to discuss it in a meeting, with responsible dev team members present and able to provide their assessment.

By Marcos Mm user 14 Jul 2021 at 5:42 a.m. CDT

Thanks for the prompt response, Aliaksandr. I'll read about the APIs to check the viability of the solution. I'll reach out if we need further support. Thanks!