Hello,
Just after advice regarding user authentication in OPA. Our final solution will use RightNow and OPA, but it is NOT the RightNow/OPA cloud offering - our OPA installation is stand-alone. The solution must also be robust against malicious URL parameter passing.
We came up with two scenarios:
(1) Use RightNow and customisations triggered by events in RightNow and OPA, or
(2) Utilise the authentication provided in WebLogic.
Specifically, for (1):
- (a) Authenticate username and password using RightNow against users set up in RightNow.
- (b) RightNow then creates a valid session.
- (c) Create custom code that gets fired after RightNow authentication and that:
  - (i) Retrieves the session identifier from memory and persists it to the DB
  - (ii) Generates the URL to OPA
  - (iii) Redirects to OPA using the URL from (ii)
- (d) Create custom code that is called by OnSessionStarted in OPA and checks that a valid session has been created in RightNow by querying the database (matching on cookie and session identifier).
For (2):
- Same as (a), (b), (c) in (1):
- (d) A WebLogic custom authentication provider queries the RightNow DB to confirm that there is a valid session for the user.
Questions:
- Does RightNow have an API/web service that will tell whether a specific user has a valid session?
- Is it possible to "plug in" custom code that is fired after RightNow authentication, before redirection to a custom URL?
- Is it possible to retrieve the RightNow session identifier from memory?
Does anybody have a critique of this approach? Are there any other approaches you would recommend? Or even better, does anyone have any code examples that they could share for a similar scenario?
Other approaches we have tried include:
- Capture the username and password in OPA and then show the rest of the interview depending on a Boolean attribute. However, this would not be secure, as parameters could be passed through the URL and you cannot encrypt the URL in OPA.
- Embedding rulebases in an iFrame of an APEX application, but the public would still be able to access the URL of the iFrame.
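Added example, not from the original post and not RightNow, OPA or WebLogic code: a sketch of the handoff described in steps (c) and (d) of scenario (1), written so that the URL passed to OPA cannot be forged, replayed or reused with a different session. The issuer (standing in for the custom code fired after RightNow authentication) persists a one-time record and builds the redirect URL; the verifier (standing in for the OnSessionStarted check) accepts the URL only if the HMAC signature, expiry, single-use record and the session cookie presented to OPA all agree. The `PENDING_HANDOFFS` dict stands in for the DB table the post proposes, `SHARED_SECRET` is assumed to be provisioned out of band to both sides, and all function and parameter names are assumptions.

```python
"""Illustrative signed, single-use handoff from an authenticated RightNow
session to a stand-alone OPA interview.  Added example only; the dict below
is a stand-in for the database table and the names are assumptions."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a random key shared by the issuer and the verifier, provisioned
# out of band (never carried in the URL).
SHARED_SECRET = b"replace-with-a-random-256-bit-key"
TOKEN_TTL_SECONDS = 60

# Stand-in for the DB table of pending handoffs: nonce -> record.
PENDING_HANDOFFS = {}


def _sign(session_id, user, nonce, expires):
    """HMAC over everything the verifier must trust.  The session id is not
    placed in the URL, but signing it binds the URL to one specific session."""
    msg = "|".join([session_id, user, nonce, str(expires)]).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_handoff(session_id, user, opa_base_url, now=None):
    """Issuer side (after RightNow authentication): persist a one-time record
    keyed by a fresh nonce and return the redirect URL to OPA."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_urlsafe(16)
    expires = now + TOKEN_TTL_SECONDS
    PENDING_HANDOFFS[nonce] = {
        "session_id": session_id, "user": user, "expires": expires, "used": False,
    }
    query = urlencode({
        "user": user, "nonce": nonce, "exp": expires,
        "sig": _sign(session_id, user, nonce, expires),
    })
    return f"{opa_base_url}?{query}"


def verify_handoff(url, session_cookie, now=None):
    """Verifier side (the OnSessionStarted check): returns (ok, reason).
    session_cookie is the RightNow session id the browser presented to OPA,
    which must match the session the record was issued for."""
    now = int(now if now is not None else time.time())
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        user, nonce = params["user"], params["nonce"]
        expires, sig = int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return False, "missing or malformed parameter"

    record = PENDING_HANDOFFS.get(nonce)
    if record is None:
        return False, "unknown nonce"

    # Recompute the signature with the stored session id and the URL's own
    # user/exp values: any edit to the URL parameters breaks the match.
    expected = _sign(record["session_id"], user, nonce, expires)
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch (tampered parameters)"
    if now > expires:
        return False, "expired"
    if record["used"]:
        return False, "replay"
    if not hmac.compare_digest(session_cookie, record["session_id"]):
        return False, "session cookie does not match issued session"

    record["used"] = True  # single use: consume the record on success
    return True, "ok"


if __name__ == "__main__":
    url = issue_handoff("rn-sess-123", "alice", "https://opa.example/web-determinations/startsession/MyRulebase")
    print(url)
    print(verify_handoff(url, "rn-sess-123"))   # accepted once
    print(verify_handoff(url, "rn-sess-123"))   # rejected as a replay
```

The point of the design is that nothing in the URL is trusted on its own: the user and expiry are covered by the HMAC, the nonce must match a record written by the issuer, and that record is tied to the RightNow session the browser must also present. In the real deployment the record would live in the shared database and the secret in server-side configuration on both the RightNow and OPA hosts.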