Day 1

Specs and Reverse Engineering

Auth0 Authorize Request

https://example-site.auth0.com/authorize
    ?client_id=xZIBkUQqbdfxK5fiZ5xuyPJWYeIQcb8L
    &response_type=token%20id_token
    &redirect_uri=https%3A%2F%2Fexample-site.com
    &scope=openid%20com.example-site.user.profile
    &audience=https%3A%2F%2Fexample-siteu.auth0.com%2Fapi%2Fv2%2F
    &state=65GsooqVgQd3_HOLpNxsXdCP34VSIRA4
    &nonce=nuJac_IrxnufLAU~gUBZrD~TDUvDShlb&auth0Client=eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiOS4xMS4zIn0%3D

Microsoft Authorize Request

https://login.live.com/login.srf
    ?wa=wsignin1.0
    &rpsnv=13
    &ct=1588931461
    &rver=7.1.6819.0
    &wp=MBI_SSL
    &wreply=https%3A%2F%2Flw.skype.com%2Flogin%2Foauth%2Fproxy%3Fclient_id%3D572381%26redirect_uri%3Dhttps%253A%252F%252Fweb.skype.com%252FAuth%252FPostHandler%26state%3D1614c019-54ca-4e16-a29c-105abfd7bfe8%26site_name%3Dlw.skype.com
    &lc=1033&id=293290&mkt=en-US
    &psi=skype
    &lw=1
    &cobrandid=2befc4b5-19e3-46e8-8347-77317a16a5a5
    &client_flight=ReservedFlight33%2CReservedFlight67

Mendix Authorize Request

https://login.mendix.com/oauth/authorize
    ?scope=openid+mx%3Auser%3Aprofile%3Av1%3Aread+offline_access
    &response_type=code
    &redirect_uri=https%3A%2F%2Fsprintr.home.mendix.com%2Fopenid%2Fcallback
    &state=dNqi3LfamVpkvXW8oQMtQAPjlOycrX1hcr5c8Fp-P7g&nonce=ypHaLiXVsNtHo7cGquWkAjYThMEVqjmxCQRB-G_Dwjg
    &client_id=596e4523-6c82-489f-9502-e43687712e06

Mendix Authentication Type is different

CODE

code: more secure mostly backend to backend communication

token: less secure, if you have a single page JS app.

Requirement: client id

We need to register our application to authorization server.

Day 2

Implementation Started

Agenda

Using token based authentication
Challenge: check the user session state when enters the web-site
Challenge: Run MXID3 locally

No event or microflow can be called during a user session started.

index.html

That's solved the issue

user requests my new index.html

index.html

/authorize

if session doesn't exist

home.html

(original index.html)

login.mendix.com

/oauth/authorize

if session exists

redirects to my authorize request handler

/authorize-callback

redirects with access_token parameter

MXID3 local instance configured

No Profile Data Server available
Client needs to be registered
No test user available

MxID3.OpenIDPrefix=https://mxid2-test.mendixcloud.com/mxid2
ProfileServiceClient.EnvironmentPassword={Password}
ProfileServiceClient.EnvironmentUUID={UUID}
ProfileServiceClient.ProfileServiceLocation=https://profile-test.mendixcloud.com/ws/ProfileService/3/soap1

Constants

Day 3

Implement with code type

I've realized token type is not supported in MXID3

Challenges

Get AccessToken and IdToken with Authorization Code
Associate with App User

user requests my new index.html

index.html

/authorize

request tokens

home.html

(original index.html)

if session exists

redirects to my authorize request handler

/authorize-callback

redirects with access_token parameter

/token-callback

get tokens

if session doesn't exist

login.mendix.com

/oauth/authorize

login.mendix.com

/oauth/token

Problem

redirect_uri's must match in both requests.

user requests my new index.html

index.html

/authorize

request tokens

home.html

(original index.html)

if session exists

redirects to my authorize request handler

/authorize-callback

redirects with access_token parameter

/token-callback

get tokens

if session doesn't exist

login.mendix.com

/oauth/authorize

login.mendix.com

/oauth/token

Designed a async mechanizm

Matched the sessions and callbacks

Than I've realized token is in the payload

Day 4

Finalize the implementaion

Challenges

Associate with App User
Bug for multiple sessions
Cannot use dynamic variable as image source
Validate Token Id

I have created a SsoUser entity which extends system.User

Created session based on that user, assign claims in the idToken

Mendix image viewer can't use dynamic image source. So I've used a widget from AppStore

Could not validate token with Auth0 JWT library. Needs Public Key.

access_token has 5 segments instead of 3.

HMAC is 3, + Encryption is 5

Used Nimbus library and discovered oidp/jwks endpoint

https://login.mendix.com/oidp/jwks

Cached keys on application start

Day 5

Added Logout functionality

user requests my new index.html

index.html

/authorize

request tokens

(original index.html)

if ~~session~~ cookie exists

and there's an

associated session

/authorize-callback

redirects with access_token parameter

get tokens

if session doesn't exist

if cookie doesn't exist

login.html

(modified)

if user clicks login

login.mendix.com

/oauth/authorize

login.mendix.com

/oauth/token

redirects to index.html

/logout

logout

user clicks logout

index.html

(original index.html)

login.mendix.com

/oidp/logoff

On-Boarding Project

Day 1

Specs and Reverse Engineering

Auth0 Authorize Request

Microsoft Authorize Request

Mendix Authorize Request

Mendix Authentication Type is different

code: more secure mostly backend to backend communication

token: less secure, if you have a single page JS app.

Requirement: client id

Day 2

Implementation Started

Agenda

No event or microflow can be called during a user session started.

index.html

MXID3 local instance configured

Constants

Day 3

Implement with code type

I've realized token type is not supported in MXID3

Challenges

Problem

redirect_uri's must match in both requests.

Designed a async mechanizm

Matched the sessions and callbacks

Than I've realized token is in the payload

Day 4

Finalize the implementaion

Challenges

I have created a SsoUser entity which extends system.User

Created session based on that user, assign claims in the idToken

Mendix image viewer can't use dynamic image source. So I've used a widget from AppStore

Could not validate token with Auth0 JWT library. Needs Public Key.

access_token has 5 segments instead of 3.

Used Nimbus library and discovered oidp/jwks endpoint

Cached keys on application start

Day 5

Added Logout functionality

Thanks