Thursday, July 23, 2015

Google OAuth2 Authentication Module in OpenAM - Part II

I find the following OAuth 2.0 Playground from Google very useful.


Step 1 exposes all the possible APIs/Scopes that are "query-able". 




Step 2 allows one to exchange authorization tokens with Google.

Step 3 allows listing possible operations.



Finally, one can send a request to Google OAuth2 Provider.



A response is returned with requested information.



I find this very useful when trying to configure Google OAuth2 authentication module in OpenAM.


Wednesday, July 22, 2015

Google OAuth2 Authentication Module in OpenAM

I was configuring OAuth2 Authentication Module in OpenAM and trying to integrate with Google OAuth2 Provider.




I need the user profile and email from Google.  I know this has to be set in the Scope. So, I tried "profile, email".




But I kept getting the following error:


Error: invalid_scope 

Some requested scopes were invalid. {valid=[https://www.googleapis.com/auth/userinfo.email], invalid=[profile,]}




After I removed the comma, it worked!



Very strange! I recalled the Scope for Facebook was email, read_stream. The hint is as follows:

The OAuth scope is a comma-separated list of values that define the type of information that can be retrieved from the user profile service. The values will depend on the type of permissions that the user has given to the user profile application in the OAuth 2.0 Provider.

Example: email, read_stream
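
The error above is consistent with the scope value being sent as typed and split on spaces only, which is how RFC 6749 section 3.3 defines the scope parameter; a comma is a legal scope-token character, so "profile," is read as a scope name. The following is an added example, not OpenAM or Google code, and the function names are hypothetical; it lints and normalizes a scope field value before it goes into the module configuration.

```python
import re

# RFC 6749 section 3.3: scope = scope-token *( SP scope-token )
# scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), so "," (0x2C) is a legal character.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def split_scope(value):
    """Split a scope string the way the RFC 6749 grammar does: on spaces only."""
    return [tok for tok in value.split(" ") if tok]


def lint_scope(value):
    """Return warnings for tokens that look like list-punctuation mistakes."""
    warnings = []
    for tok in split_scope(value):
        if not SCOPE_TOKEN.fullmatch(tok):
            warnings.append(f"{tok!r}: not a valid scope-token")
        elif "," in tok:
            warnings.append(f"{tok!r}: comma becomes part of the scope name")
    return warnings


def normalize_scope(value):
    """Rewrite a comma- and/or whitespace-separated list as a space-delimited
    scope string, dropping duplicates. Assumption: no scope name used with the
    provider legitimately contains a comma."""
    seen = []
    for tok in re.split(r"[,\s]+", value):
        if tok and tok not in seen:
            seen.append(tok)
    return " ".join(seen)


if __name__ == "__main__":
    # Constructed field values: the one that failed and the one that worked.
    for field in ("profile, email", "profile email"):
        print(repr(field), "->", split_scope(field), lint_scope(field))
    print(normalize_scope("profile, email"))
```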




Tuesday, July 21, 2015

ForgeRock Professional Service

These days, when ForgeRock sells subscriptions, it has an option to purchase Professional Service as a bundle. Free or not? I'm not too sure. It's part of price negotiation, I believe. 

The ForgeRock Professional Service can be utilized as follows: 


I think the original intent is to get customers up-to-speed with Open Identity Stack (OIS) deployment. This is especially helpful/applicable to customers who are more technically savvy and would like to deploy OIS by themselves. A High-level Architecture Workshop will be helpful.

Now, what if an SI who is well-trained in OIS is involved?

Customers, being customers, will want to cut cost. Always.

The worst-case scenario is for a customer to ask the SI to cut a few man-days from the implementation cost, since the customer can utilize Product Specialist Field Assistance. Wow! Unbelievable, isn't it? Nay, this should not happen at all and it really doesn't make sense. If the customer insists, I think the best way is to walk away.


I think this Professional Service should be best utilized in Production, especially On-Site troubleshooting and Performance Analysis. There will be situations (or there have been?) where a site is badly deployed by a so-so System Integrator (SI) and is now causing production issues. It would be really hard for support engineers to provide remote support. On-site troubleshooting comes in handy.

