Sunday, June 21, 2015

Shared Consent Atrribute Name

This blog was meant to be published last month but I was held up with moving to new office. (Yes, we are now in Fusionopolis Place, situated right next to INSEAD and the MRT/Metro is right below our building.)

Of course, in between, I had a short family vacation in Phuket, Thailand where I ran the 10th Laguna Phuket International Marathon.

Back to today's topic ...  Lets's assume a scenario as follows:

  1. OpenAM acts as a OAuth 2.0 Provider
  2. An application is protected with OAuth 2.0 (aka it is OAuth 2.0 Client enabled)

When an user access the application for the 1st time, the OAuth 2.0 client will redirect to the OAuth 2.0 provider. In this example, the OAuth 2.0 provider is OpenAM. Thus the OpenAM Login Page will be displayed.

After successful authentication, OpenAM will present the user with an authorization decision page.

When the checkbox is ticked and Allow button is clicked, the user entry in LDAP will be updated, specifically an attribute that was defined during configuration in OpenAM console "Shared Consent Attribute Name". In this example, the attribute name is defined as oauth2consent.

When the user entry is updated, the aooauth2consent attribute will be populated with the following data format:

 [oauth 2.0 client name] [attribute1] [attribute2] [attribute3] ...

Now, in some scenarios, for example Intranet applications, customers would not like the authorization decision page to be shown. 
How can we workaround this since OpenAM does not have the capability to hide this page at the moment?

The simple solution is to provision directly to the LDAP, specially the oauth2consent attribute with the data format shown above. 

PS: Do remember to add oauth2consent into LDAP User Attributes in Data Store. Otherwise, OpenAM is not able to update the user attribute in the LDAP.

No comments:

Post a Comment