<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Oh, that’s different, then — you’re really just changing the primary authentication mechanism, which is controlled by the user-context.xml file as you’ve found. You’ll also need to set up the UserInfoService to point to somewhere that can look up user information for you at runtime.&nbsp;<div class=""><br class=""></div><div class="">Take a look at the LDAP-based server or the MIT server for examples on how to do this:</div><div class=""><br class=""></div><div class=""><a href="https://github.com/mitreid-connect/ldap-openid-connect-server" class="">https://github.com/mitreid-connect/ldap-openid-connect-server</a></div><div class=""><a href="https://github.com/MIT-Mobile/oidc.mit.edu/" class="">https://github.com/MIT-Mobile/oidc.mit.edu/</a></div><div class=""><br class=""><div class=""><br class=""></div><div class="">&nbsp;— Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 1, 2016, at 6:11 PM, Michael Furman &lt;<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div id="divtagdefaultwrapper" style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; font-size: 12pt; background-color: rgb(255, 255, 255); font-family: Calibri, Arial, Helvetica, sans-serif;" class=""><p style="margin-top: 0px; margin-bottom: 0px;" class=""></p><div class=""><div style="margin-top: 0px; margin-bottom: 0px;" class="">Hi Justin,<br class="">Thank you!</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I just want to override 
user-context.xml and configure additional authentications in addition to security:form-login.</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">For example, security:http-basic.</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">Why is it not possible?</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I do not need the client and RP to ever see the basic authentication header (or the Kerberos tickets), but I need the IDP to see it.&nbsp;</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">Best regards,</div><div style="margin-top: 0px; margin-bottom: 0px;" class=""><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div></div><br class=""><p style="margin-top: 0px; margin-bottom: 0px;" class=""></p><div style="" class=""><hr tabindex="-1" style="display: inline-block; width: 886.890625px;" class=""><div id="divRplyFwdMsg" dir="ltr" class=""><font face="Calibri, sans-serif" style="font-size: 11pt;" class=""><b class="">From:</b><span class="Apple-converted-space">&nbsp;</span>Justin Richer &lt;<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>&gt;<br class=""><b class="">Sent:</b><span class="Apple-converted-space">&nbsp;</span>Thursday, September 1, 2016 5:18 PM<br class=""><b class="">To:</b><span class="Apple-converted-space">&nbsp;</span>Michael Furman; <a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class=""><b class="">Subject:</b><span class="Apple-converted-space">&nbsp;</span>RE: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.</font><div class="">&nbsp;</div></div><div class=""><div class="">No, this won't work and isn't using OAuth properly. You don't want the client app to intercept the credentials; you can have the server accept them directly. 
We've deployed the server using Kerberos authentication, but the client and RP never see the Kerberos tickets.&nbsp;</div><div class=""><br class=""></div><div id="composer_signature" class=""><div style="font-size: 14px; color: rgb(87, 87, 87);" class="">--Justin</div><div style="font-size: 14px; color: rgb(87, 87, 87);" class=""><br class=""></div><div style="font-size: 14px; color: rgb(87, 87, 87);" class="">&nbsp;<i class="">Sent from my phone</i></div></div><div class=""><br class=""></div><div style="font-size: 16px;" class=""><div class="">-------- Original message --------</div><div class="">From: Michael Furman &lt;<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>&gt;<span class="Apple-converted-space">&nbsp;</span></div><div class="">Date: 9/1/16 4:46 PM (GMT+02:00)<span class="Apple-converted-space">&nbsp;</span></div><div class="">To: <a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><span class="Apple-converted-space">&nbsp;</span></div><div class="">Subject: [mitreid-connect] mitreid-connect IDP: support additional authentication schemas.</div><div class=""><br class=""></div></div><div id="divtagdefaultwrapper" style="font-size: 12pt; background-color: rgb(255, 255, 255); font-family: Calibri, Arial, Helvetica, sans-serif;" class=""><p style="margin-top: 0px; margin-bottom: 0px;" class=""></p><div class=""><div style="margin-top: 0px; margin-bottom: 0px;" class="">Hi all,</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I want to extend the mitreid-connect IDP to support additional authentication schemas, like Basic Authentication (or Kerberos).</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I read the following document:</div><pre class=""><a id="LPlnk829346" href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Server-configuration</a></pre><br class=""><div style="margin-top: 0px; margin-bottom: 0px;" class="">In the current version we have RestAPI clients that access our application with Basic Authentication.<br class=""><br class=""></div><div style="margin-top: 0px; margin-bottom: 0px;" class="">I just want to ensure the following flow will work when we start to use OpenID-Connect.<br class=""><br class=""></div><div style="margin-top: 0px; margin-bottom: 0px; text-indent: -0.25in;" class="">1)&nbsp;&nbsp; A RestAPI client accesses the RP (our application) with the Basic Authentication header</div><div style="margin-top: 0px; margin-bottom: 0px; text-indent: -0.25in;" class="">2)&nbsp;&nbsp; The RP redirects the request to the mitreid-connect IDP using the OpenID-Connect protocol</div><div style="margin-top: 0px; margin-bottom: 0px; text-indent: -0.25in;" class="">3)&nbsp;&nbsp; The modified mitreid-connect IDP authenticates the request using the Basic Authentication header.</div><div style="margin-top: 0px; margin-bottom: 0px; text-indent: -0.25in;" class="">4)&nbsp;&nbsp; The mitreid-connect IDP redirects the request back using the OpenID-Connect protocol</div><div style="margin-top: 0px; margin-bottom: 0px; text-indent: -0.25in;" class="">5)&nbsp;&nbsp; The RP (our application) authenticates the request using the OpenID-Connect protocol</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">Also, I hope the same flow will work for other authentication schemas (e.g. Kerberos).</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">Thank you in advance for your help.</div><div style="margin-top: 0px; margin-bottom: 0px;" class="">Best regards,</div><div style="margin-top: 0px; margin-bottom: 0px;" class=""><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div></div></div></div></div></div></div></blockquote></div><br class=""></div></div></body></html>
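The following Spring Security XML fragment is an added illustration of the approach Justin describes in the thread above (the IdP itself accepts the credentials, the primary authentication mechanism is wired in user-context.xml, and a UserInfoService is configured to look up user details at runtime). It is constructed for this page and is not code from the MITREid Connect project or from either correspondent. The bean ids, the `com.example.DirectoryUserInfoRepository` class (a hypothetical implementation of the server's UserInfoRepository interface), the `org.mitre.openid.connect.service.impl.DefaultUserInfoService` class name and the placement of the `security:http` block in user-context.xml are assumptions; check them against the linked LDAP and MIT example servers before reuse.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of a user-context.xml fragment (not the project's own file).
     Goal: let the IdP accept HTTP Basic credentials in addition to the login form,
     so the RP only ever receives OpenID Connect responses, never the credentials. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- One http block, two entry paths into the SAME authentication manager:
       - interactive users are sent to the login form
       - API clients send "Authorization: Basic ..." straight to the IdP's authorize endpoint -->
  <security:http authentication-manager-ref="authenticationManager" use-expressions="true">
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/authorize" access="isAuthenticated()" />
    <security:form-login login-page="/login" authentication-failure-url="/login?error=failure" />
    <security:http-basic />
    <security:logout logout-url="/logout" />
  </security:http>

  <!-- Both mechanisms verify credentials against the same provider, so there is one
       source of truth for who may log in. The in-memory user below is a constructed
       placeholder; swap in an LDAP (or Kerberos) provider for a real deployment. -->
  <security:authentication-manager id="authenticationManager">
    <security:authentication-provider>
      <security:user-service>
        <security:user name="api-client" password="PLACEHOLDER" authorities="ROLE_USER" />
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>

  <!-- UserInfoService: after a principal is authenticated, the server still has to look up
       the claims (sub, name, email, ...) that go into the ID token and userinfo response.
       The repository class is hypothetical: implement the server's UserInfoRepository
       against your directory. The service class name is an assumption; it is expected
       to pick up the single UserInfoRepository bean by autowiring. -->
  <bean id="userInfoRepository" class="com.example.DirectoryUserInfoRepository" />
  <bean id="userInfoService" class="org.mitre.openid.connect.service.impl.DefaultUserInfoService" />

</beans>
```

Two points follow from the thread. First, the REST client must present its Basic header to the IdP (the `http-basic` element makes the authorize endpoint challenge non-browser clients with `WWW-Authenticate`), not to the RP; the RP only ever handles the OpenID Connect redirect and the resulting code or ID token, which is what Justin means by the client and RP never seeing the credentials or Kerberos tickets. Second, because form login and HTTP Basic share one authentication manager, disabling an account or rotating a password takes effect for both paths at once, and the per-request nature of Basic means the IdP should serve that endpoint only over TLS.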