Hello, I see that the new version of SSO Service now features the ability to sign on with FB, Google, etc.
After quickly going through the example code, it seems that the SSO Service is acting as the proxy and the application need not directly interact with end OAuth providers, say Facebook.
Just trying to understand the end-to-end flow for OAuth requests all the way from the Bluemix client app, SSO Service and the external OAuth servers (Auth and resource). Is this available somewhere?
If my app (mobile app) is just using the Facebook API, would it be easier to achieve this via simple JavaScript/AJAX? Would there be any additional benefits of routing external OAuth requests through SSO Service?
Also, is the SSO currently limited only to Google / FB / IBM, or is it generic enough to use any external OAuth provider? An example or high level approach would be really appreciated.
Thanks
Answer by Shane Weeden (455) | Jan 17, 2015 at 04:22 PM
You are correct in that the SSO service acts as a proxy - from one or more configured "identity sources" to a common OpenID Connect consumption model for Bluemix applications. Your application need only act as an OpenID Connect client to your SSO service instance.
Any OAuth relationship with a social provider is between the social provider and the SSO service instance. There is a separate OAuth/OpenID Connect relationship between the SSO service instance acting as an authorization server and your application acting as a client.
If your mobile app wants to use the Facebook API, the SSO service is not going to help - you need access to Facebook access tokens and your app will have to be a direct client to the Facebook Graph API.
Today the Single Sign On service is designed for BROWSER SSO interactions, using OpenID Connect as the exposed technology for consuming applications. It has the ability to configure any SAML IDP, an in-cloud user registry, or direct links with only Facebook, Google and LinkedIn. It does not provide access tokens from those Social IDPs for the use of OIDC clients.
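The application side of the relationship described in the answer above, sketched as an added example (it is not part of the answer and not IBM's code): the app talks OpenID Connect only to the SSO service instance and checks that the ID token was issued by that instance for this client. The endpoint URLs, client ID, redirect URI and the `session` object are assumed placeholders, and signature verification and the token endpoint call are assumed to happen elsewhere.

```javascript
const crypto = require('node:crypto');

// Assumed placeholder values, not real SSO service endpoints or credentials.
const SSO = {
  issuer: 'https://sso-instance.example.invalid',
  authorizeUrl: 'https://sso-instance.example.invalid/authorize',
  clientId: 'my-bluemix-app',
  redirectUri: 'https://myapp.example.invalid/auth/callback',
};

// Step 1: send the browser to the SSO service, never to the social provider.
// state binds the callback to this session; nonce binds the ID token to it.
function buildAuthRequest(session) {
  session.state = crypto.randomBytes(16).toString('hex');
  session.nonce = crypto.randomBytes(16).toString('hex');
  const url = new URL(SSO.authorizeUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    scope: 'openid',
    client_id: SSO.clientId,
    redirect_uri: SSO.redirectUri,
    state: session.state,
    nonce: session.nonce,
  }).toString();
  return url.toString();
}

// Step 2: accept the callback only if state matches; state is single use.
// Returns the authorization code to redeem at the token endpoint, or null.
function checkCallback(session, query) {
  const expected = Buffer.from(session.state || '');
  delete session.state;
  const got = Buffer.from(typeof query.state === 'string' ? query.state : '');
  if (expected.length === 0 || got.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(got, expected)) return null;
  return typeof query.code === 'string' ? query.code : null;
}

// Step 3: run after the ID token signature has been verified against the SSO
// service's published keys (not shown). Returns the names of failed checks.
function checkIdTokenClaims(claims, session, nowSec) {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const failed = [];
  if (claims.iss !== SSO.issuer) failed.push('iss');
  if (!aud.includes(SSO.clientId)) failed.push('aud');
  if (!(typeof claims.exp === 'number' && claims.exp > nowSec)) failed.push('exp');
  if (!session.nonce || claims.nonce !== session.nonce) failed.push('nonce');
  return failed;
}
```

A token whose `iss` is a social provider fails the issuer check here, which matches the answer's point that the app never handles the social provider's tokens.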