I'm trying to set up an OAuth2.0 flow for ORCID with Xojo. I found a sample project on github for Facebook and modified the code for the URL and ClientKey I set up with ORCID. When I use the same URL in Firefox it works perfectly, however when I try to load the page in the HTMLviewer it just shows a blank page. Has anyone encountered something similar?
It is important to remember that HTMLViewer in Xojo is not the same as a full web browser. Some oAuth flows are requiring higher security standards than Xojo can provide.
Google is even going so far as to prevent low-security embedded browsers from performing the oAuth flow. They now recommend you make the request with the user's default system browser.
It seems like you will need to change your design to use the system browser instead of the embedded one.
Related
My company is wanting to implement OpenID Connect via Oauth 2.0 across our client software, which comes in Windows, HTML5, Android, IOS, etc. Toward that end, we are trying to find a way of getting the login info back that will work across these platforms.
Our understanding was that a custom uri scheme (i.e., companyname://) was the recommended way of going forward, and we have verified on our end that that would work. However, we have yet to be able to find a provider that would support that configuration. So far OneLogin & Google are both locked to https:// (or http:// for dev), which leaves us something of a conundrum.
So essentially, my question is, were we misled about the custom uri scheme? If so, is there another method we can use that will allow our web & standalone apps to pick up the return info from whichever OpenID providers we go with? We want to keep it open as possible, so we're trying to avoid lock-in APIs and suchlike. Any advice would be appreciated. Thanks.
We do support the custom URI redirect. You'll need to select right type of client when creating a client id on Google developer console.
See the details here.
https://developers.google.com/identity/protocols/OAuth2InstalledApp
One way to support any provider is that you use a Web flow to redirect to a page on your site and then your website does a redirect to a custom scheme.
I am developing MVC application and want to use WIF & Claim based security.
However I am very disappointed with the way login is perfomed. I mean redirection to STS login page and then redirecting back to my page. That is not user-friendly at all.
I want to implement login page in my application (it fact it will be popup dialog). Than using Web API I want to be able to perform STS request and get security token and initialize WIF infrastructure (Principle etc).
Is it a good way to go with?
Did anybody do something similar?
Does anybody have some samples of what I am trying to do?
I just worry that I don't have control over the STS login page layout & style.
Also I will have mobile application and must perform login using Web API service.
What can you advice?
Thanks
Well - you can do that of course. This does not need to be WIF specific. Call a service, pass credentials - and when OK set the login cookie.
But if you want SSO you have to make a user agent roundtrip to the STS - otherwise you cannot establish a logon session.
Consider using MembershipReboot membership provider which uses claims-based security and is not based on microsoft's traditional membership provider.
It does not have a documentation, but in the zip file you can find 2 sample projects that uses MemebershipReboot provider, which explains all you need to know about it.
In fact after reading this blog post today, I decided to use this approach in my current project. I'm still struggling with it now and I'm so excited !
In addition to Ashkan's recommendation Brock Allen provides solid documentation about how to implement MembershipReboot in association with IdentityServer. You can find that their is a way to configure a custom implementation Here. Also their are a few tutorials on vimeo from Dominick Baier (leastprivilege) that will provide a full walk through on getting started! I hope this helps!
I know how OAuth works in web applications that run in a browser, but I'm not sure how OAuth can be implemented in an application that does not run in a browser.
It's easy to display the URL using some kind of a WebView, but how do I get back the information it sends back? My research doesn't reveal a straightforward way to do this.
There are a few Java libraries out there that can do this. (Are you looking for a particular language?)
Scribe is probably the most mature Java library:
https://github.com/fernandezpablo85/scribe-java
There are more libraries for pretty much every language here:
http://oauth.net/code/
Are there any decent examples of the following available:
Looking through the WIF SDK, there are examples of using WIF in conjunction with ASP.NET using the WSFederationAuthenticationModule (FAM) to redirect to an ASP.NET site thin skin on top of a Security Token Service (STS) that user uses to authenticate (via supplying a username and password).
If I understand WIF and claims-based access correctly, I would like my application to provide its own login screen where users provide their username and password and let this delegate to an STS for authentication, sending the login details to an endpoint via a security standard (WS-*), and expecting a SAML token to be returned. Ideally, the SessionAuthenticationModule would work as per the examples using FAM in conjunction with SessionAuthenticationModule i.e. be responsible for reconstructing the IClaimsPrincipal from the session security chunked cookie and redirecting to my application login page when the security session expires.
Is what I describe possible using FAM and SessionAuthenticationModule with appropriate web.config settings, or do I need to think about writing a HttpModule myself to handle this? Alternatively, is redirecting to a thin web site STS where users log in the de facto approach in a passive requestor scenario?
An example of WIF + MVC is available in this chapter of the "Claims Identity Guide":
http://msdn.microsoft.com/en-us/library/ff359105.aspx
I do suggest reading the first couple chapters to understand all underlying principles. This blog post covers the specifics of MVC + WIF:
Link
Controlling the login experience is perfectly fine. You should just deploy your own STS (in your domain, with your look & feel, etc). Your apps would simply rely on it for AuthN (that's why a app is usually called a "relying party").
The advantage of the architecture is that authN is delegated to 1 component (the STS) and not spread out throughout many apps. But the other (huge) advantage is that you can enable more sophisticated scenarios very easily. For example you can now federate with other organization's identity providers.
Hope it helps
Eugenio
#RisingStar:
The token (containing the claims) can be optionally encrypted (otherwise they will be in clear text). That's why SSL is always recommended for interactions between the browser and the STS.
Notice that even though they are in clear text, tampering is not possible because the token is digitally signed.
That's an interesting question you've asked. I know that for whatever reason, Microsoft put out this "Windows Identity Foundation" framework without much documentation. I know this because I've been tasked with figuring out how to use it with a new project and integrating it with existing infrastructure. I've been searching the web for months looking for good information.
I've taken a somewhat different angle to solving the problem you describe.
I took an existing log-on application and integrated Microsoft's WIF plumbing into it. By that, I mean that I have an application where a user logs in. The log-on application submits the credentials supplied by the user to another server which returns the users identity (or indicates log-on failure).
Looking at some of Microsoft's examples, I see that they do the following:
Construct a SignInRequestMessage from a querystring (generated by a relying party application), construct a security token service from a custom class, and finally call FederatedSecurityTokenServiceOperations.ProcessSignInresponse with the current httpcontext.response. Unfortunately, I can't really explain it well here; you really need to look at the code samples.
Some of my code is very similar to the code sample. Where you're going to be interested in implementing a lot of your own logic is in the GetOutputClaimsIdentity. This is the function that constructs the claims-identity that describes the logged-in user.
Now, here's what I think you're really interested in knowing. This is what Microsoft doesn't tell you in their documentation, AFAIK.
Once the user logs in, they are redirected back to the relying party application. Regardless of how the log-on application works, the WIF classes will send a response to the user's browser that contains a "hidden" HTML input that contains the token signing certificate and the user's claims. (The claims will be in clear text). At the end of this response is a redirect to your relying-party website. I only know about this action because I captured it with "Fiddler"
Once back at the relying party web site, the WIF classes will handle the response (before any of your code is run). The certificate will be validated. By default, if you've set up your relying party web site with FedUtil.exe (by clicking "Add STS Reference in your relying party application from Visual Studio), Microsoft's class will verify the certificate thumbprint.
Finally, the WIF framework sets cookies in the user's browser (In my experience, the cookie names start out with "FedAuth") that contain the users claims. The cookies are not human readable.
Once that happens, you may optionally perform operations on the user's claims within the relying party website using the ClaimsAuthenticationClass. This is where your code is running again.
I know this is different from what you describe, but I have this setup working. I hope this helps!
ps. Please check out the other questions I've asked about Windows Identity Foundation.
UPDATE: To answer question in comment below:
One thing that I left out is that redirection to the STS log-on application happens by way of a redirect with a query-string containing the URL of the application the user is logging in to. This redirect happens automatically the first time a user tries to access a page that requires authentication. Alternatively, I believe that you could do the redirect manually with the WSFederationAuthentication module.
I've never tried to do this, but if you want to use a log-on page within the application itself, I believe the framework should allow you to use the following:
1) Encapsulate your STS code within a library.
2) Reference the library from your application.
3) Create a log-on page within your application. Make sure that such page does not require authentication.
4) Set the issuer property of the wsFederation element within the Microsoft.IdentityModel section of your web.config to the login page.
What you want to do is an active signin. WIF includes WSTrustChannel(Factory) which allows you to communicate directly with the STS and obtain a security token. If you want your login form to work this way, you can follow the "WSTrustChannel" sample from the WIF 4.0 SDK. Once you have obtained the token, the following code will take that token and call the WIF handler to create a session token and set the appropriate cookie:
public void EstablishAuthSession(GenericXmlSecurityToken genericToken)
{
var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
var token = handlers.ReadToken(new XmlTextReader(
new StringReader(genericToken.TokenXml.OuterXml)));
var identity = handlers.ValidateToken(token).First();
// create session token
var sessionToken = new SessionSecurityToken(
ClaimsPrincipal.CreateFromIdentity(identity));
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
}
Once you have done this, your site ought to behave the same as if passive signing had occurred.
You could use the FederatedPassiveSignIn Control.
Setting your cookie like this:
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
Doens't work for SSO to other domains.
To cookie should be set by the STS not at the RP.
I'm a bit confused about all this OAuth bruhaha in the sense that all the examples I can find are for web applications and none of them for desktop applications.
I understand the Web application work flow, but that includes some redirections between the web app and twitter.
How does one do this in an desktop application?
How does the redirects work?
Should I have to include a Web Browser object?
Is there a way to go around this?
Could anyone point me to resources instead of a full blown solution please?
Thanks
Not sure which language you're using, but the .NET library for Twitter called Tweetsharp has a post on using Tweetsharp from a desktop app and authenticating via OAuth. See http://tweetsharp.com/?p=68. If you're not using .NET then perhaps it will inspire something you can do?
Basically, what tweetsharp does is launch the browser to the authentication URL and then waits for the user to return. I don't know of any way to do this other than something like that (Or include a WebBrowser control of some kind to launch the authentication URL in your own window).
Here's a straightforward solution, implemented as a set of PHP scripts for running from the command line. Well documented and explained, with a helpful 'verbose' option for debugging.
http://nullinfo.wordpress.com/oauth-twitter/
After some poking around and asking some questions about this subject to some other programmers, it looks like it's still an ongoing discussion, with no visible light at the end of the tunnel.
But for people interested on the ongoing discussion, here's the best link to have:
OAuth Desktop Discussion
I've seen a few desktop apps get around this by effectively embedding a browser into their program, so they can just open the in-app browser window to let you do the login and authorisation. This strikes me as a bit of a cheat or defeat of purpose because you still end up typing your ID and password inside the application anyway.
One possibility I was thinking of was, your desktop application could embed a mini HTTP server inside it. So then it launches the default browser to perform the authorisation, with a callback URL something like http://127.0.0.1:8765/oauthorized and then just listen for it.
Would that work?
Not sure what you would do for console applications... spawn a copy of lynx?
Include a WebBrowser control in your app. Put it in a panel or a separate form that you'll Form.ShowDialog().
Create a callback for the browser's successful posting of OAuth and one for a rejection. Don't forget to check for a FailWhale.
In the callback, you close the panel or form and store the token.
Here's a nice overview with sample code and everything: http://tweetsharp.com/2009/04/how-to-authenticate-a-desktop-application-with-oauth/