Digital Developer Conference: a FREE half-day online conference focused on AI & Cloud – North America: Nov 2 – India: Nov 9 – Europe: Nov 14 – Asia Nov 23 Register now

Refine your search by using the following advanced search options.

Criteria	Usage
Questions with keyword1 or keyword2	keyword1 keyword2
Questions with a mandatory word, e.g. keyword2	keyword1 +keyword2
Questions excluding a word, e.g. keyword2	keyword1 -keyword2
Questions with keyword(s) and a specific tag	keyword1 [tag1]
Questions with keyword(s) and either of two or more specific tags	keyword1 [tag1] [tag2]
To search for all posts by a user or all posts with a specific tag, start typing and choose from the suggestion list. Do not use a plus or minus sign with a tag, e.g., +[tag1].

Ask a question

Bluemix SSO Service - End to end flow for external OAuth providers

Question by jim.smith001 (16) | Jan 08, 2015 at 06:48 AM sso ibmcloud oauth

Hello, I see that the new version of SSO Service now features ability to sign on with FB, Google etc.

After quickly going through the example code, it seems that the SSO Service is acting as the proxy and the application need not directly interact with end OAuth providers, say facebook.

Just trying to understand the end to end flow for OAuth requests all the way from bluemix client app, SSO Service and the external OAuth servers ( Auth and resource ). Is this available somewhere ?

If my app (mobile app) is just using facebook API, would it be easier to achieve this via simple javascript/ajax ? Would there be any additional benefits of routing external OAuth requests through SSO Service ?

Also, is the SSO currently limited only for Google / FB / IBM Or it is generic enough to use any external OAuth provider ? An example or high level approach would be really appreciated .

Thanks

Answer by Shane Weeden (455) | Jan 17, 2015 at 04:22 PM

You are correct in that the SSO service acts as a proxy - from one or more configured "identity sources" to a common OpenID Connect consumption model for Bluemix applications. Your application need only act as an OpenID Connect client to your SSO service instance.

Any OAuth relationship with a social provider is between the social provider and the SSO service instance. There is a separate OAuth/OpenID Connect relationship between the SSO service instance acting as an authorizaiton server and your application acting as a client.

If your mobile app wants to use the facebook API, the SSO service is not going to help - you need access to facebook access tokens and your app will have to be a direct client to the facebook graph API.

Today the Single Sign On service is designed for BROWSER SSO interactions, using OpenID Connect as the exposed technology for consuming applicaitons. It has the ability to configure any SAML IDP, an in-cloud user registry, or direct links with only Facebook, Google and LinkedIn. It does not provide access tokens from those Social IDPs for the use of OIDC clients.

0 Share

Bluemix SSO Service - End to end flow for external OAuth providers

1 reply

Follow this question

Bluemix SSO Service - End to end flow for external OAuth providers

1 reply

Follow this question

Related questions