Node-oidc-provider How to store clients in database - oauth-2.0

I have a problem with node-oidc-provider.
I want the client list to be stored in the database, but I haven't found a solution.
Please help me!!!

You can have your client definitions stored in a DB, just have your adapter for the Client model respond to the find(id) invocation.
https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#clients
In addition to these clients the provider will use your adapter's find method when a non-static client_id is encountered.

For storing clients in the database, you can use the link below to store the clients as well as other tokens:
https://github.com/panva/node-oidc-provider/blob/main/example/adapters/contributed/sequelize.js
For creating the tables, you can use the link below:
https://github.com/roggervalf/node-oidc-provider/tree/examples/example/migrations/sequelize
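The adapter approach from the answers above, as an added example (not code from the original posts or from the node-oidc-provider project). It implements the adapter methods the provider calls, with an in-memory `Map` standing in for real database tables; `DbAdapter`, `tables`, `seedSampleClient` and the `spa-demo` client are hypothetical names.

```javascript
// Constructed stand-in for database tables: model name -> Map(id -> row).
const tables = new Map();
const table = (name) => tables.get(name) || tables.set(name, new Map()).get(name);

class DbAdapter {
  constructor(name) { this.name = name; } // 'Client', 'Session', 'AccessToken', ...

  async upsert(id, payload, expiresIn) {
    const expiresAt = expiresIn ? Date.now() + expiresIn * 1000 : null;
    table(this.name).set(id, { payload: { ...payload }, expiresAt });
  }

  // For the Client model the provider calls find(client_id) when the id is not
  // among the statically configured clients; resolve falsy for unknown ids.
  async find(id) {
    const row = table(this.name).get(id);
    if (!row || (row.expiresAt && row.expiresAt <= Date.now())) return undefined;
    return row.payload;
  }

  async findByUid(uid) { return this.findBy('uid', uid); }
  async findByUserCode(userCode) { return this.findBy('userCode', userCode); }
  async findBy(field, value) {
    for (const [id, row] of table(this.name)) {
      if (row.payload[field] === value) return this.find(id);
    }
  }

  async consume(id) {
    const row = table(this.name).get(id);
    if (row) row.payload.consumed = Math.floor(Date.now() / 1000);
  }

  async destroy(id) { table(this.name).delete(id); }

  async revokeByGrantId(grantId) {
    for (const [id, row] of table(this.name)) {
      if (row.payload.grantId === grantId) table(this.name).delete(id);
    }
  }
}

// Constructed sample row: a public client, so no client secret sits in the table.
async function seedSampleClient() {
  await new DbAdapter('Client').upsert('spa-demo', {
    client_id: 'spa-demo', redirect_uris: ['https://app.example/cb'],
    grant_types: ['authorization_code'], response_types: ['code'],
    token_endpoint_auth_method: 'none',
  });
  return new DbAdapter('Client').find('spa-demo');
}
```

With the `oidc-provider` package installed, the class is passed as the `adapter` configuration option, and the provider instantiates it once per model name.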

Related

QBWebConnector for multi-tenant DB

I want to use the QBWebConnector for an app that has multi-tenant DB. It means I need to know the tenant when my app receives data from QBWebConnector to populate the DB correctly.
I am using a PHP kit from consolibytes.
What are my options here?
I see that the functions which are called for building and receiving XML request have params like $user and $extra.
The $user is the user which is used by QBWebConnector to authenticate with the SOAP server.
So should I create multiple QWC files for each tenant as a user and use that to identify the tenant?
And what is this $extra in the param? Should I use that? If then how?
I also see we have callback options and hooks when we create QuickBooks_WebConnector_Server. I am not sure the use of them but can they be used in any way?
Thanks for taking the time to help me.
> So should I create multiple QWC files for each tenant as a user and use that to identify the tenant?

Each tenant in your application should have their own username, and thus their own .QWC file.
If your application has multiple users per tenant, you do not need a .QWC file per user. You need a .QWC file per tenant.

> And what is this $extra in the param? Should I use that?

The $extra param is for passing additional data to your callback functions. It has nothing to do with tenancy or authentication, so don't use it for that.

> I also see we have callback options and hooks when we create QuickBooks_WebConnector_Server. I am not sure the use of them but can they be used in any way?

They can be used, but not for tenancy or authentication.

IdentityServer database changes for scenarios

I am trying to put together some documentation on changes that need to be made to the database back-end when different actions are performed so they can operate with IdentityServer4, but I am realizing that I am not sure what items in the database are affected when you perform actions like adding a new user, adding a new client, adding a scope, etc. I am using this to get a better understanding of how all the elements work together and how they relate to each other. See below, which I need to expand on.
Can anyone with good experience with IdentityServer backend help me?
[Adding a new user]
- add a record to dbo.AspNetUsers – All user pertaining information.
- add a record to dbo.AspNetUserClaims – Identifying information stored similar to Key/Value Pair set with a reference pointing to the User
[Adding a new Client – (Controller Web API Endpoint)]
- add a record to dbo.Clients – Details that define the client
- add a record to dbo.ClientGrantTypes – All grant types allowed for authorization to the specified client.
- add a record to dbo.ClientSecrets – Password and secret information pertaining to the client.
- add a record to dbo.ClientScopes – Scope name matched to the ClientId for allowing. You will need to add scope(s) for the client so it can be accessed.
- ?? Not sure how IdentityResource and IdentityClaims are used here, and also how the oidc ones are used here.
?? What is the difference between Api and Client in Identity Server DB?
[New Claim type is added, and needs to be included in the data returned with the JWT token]
...
Use IdentityServer4.AspNetIdentity for storing users in SQL Server using EF: http://docs.identityserver.io/en/release/quickstarts/6_aspnet_identity.html
Use IdentityServer4.EntityFramework for storing clients and resources configuration in SQL Server using EF:
http://docs.identityserver.io/en/release/quickstarts/8_entity_framework.html
Look into the samples repository for code samples.

How to identify provider for oauth2 redirect_uri callback?

I'm trying to understand how to properly identify which provider a returning authorization request was initiated by. I see three approaches:
- Use provider specific redirect_uri callback URIs. /oauth2/<provider-name>/callback etc.
- Encode provider id/name in state parameter somehow
- Store a pending provider id/name in the web session
- Try to verify response with all used providers
I've read parts of the OAuth2 spec but I can't find anything discussing it. Looking at other client implementations it seems as provider specific URIs is the most common solution. Am I missing something?
Clients may not be multi-tenant and are tightly integrated with a single Authorization Server, so there's no need to store a provider identifier because there's only a single fixed one. That may be the reason why there's no obvious solution.
Multi-provider clients like yours should store the provider identifier as part of the state. This is because the state should be protected, and the provider specific redirect_uri is not. One could play an access token for provider A against the callback for provider B and thus defeat the purpose of a provider specific callback.
state can be protected either by reference to server state or to an encrypted cookie, or by value in the form of a self-contained encrypted structured value for the state parameter, and thus can be a safe mechanism to store the provider identifier.
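The "by value" option from the answer above, as an added example (not code from the original post): the provider identifier is sealed into the state parameter with AES-256-GCM and bound to the browser session through the associated data. `sealState`, `openState`, `STATE_KEY`, the provider ids and the session id format are assumptions made for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Assumption: one 32-byte server-side key; a real deployment loads it from a secret store.
const STATE_KEY = randomBytes(32);
const PROVIDERS = new Set(['google', 'github']); // hypothetical provider ids

// Build the state value sent with the authorization request.
function sealState(provider, sessionId, ttlSeconds = 600, key = STATE_KEY) {
  if (!PROVIDERS.has(provider)) throw new Error('unknown provider');
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(sessionId)); // binds the state to this session
  const claims = { p: provider, exp: Math.floor(Date.now() / 1000) + ttlSeconds };
  const body = Buffer.concat([cipher.update(JSON.stringify(claims), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// On the shared callback: returns the provider id, or null when the state is
// forged, modified, expired, or was issued for a different session.
function openState(state, sessionId, key = STATE_KEY) {
  try {
    const raw = Buffer.from(String(state), 'base64url');
    if (raw.length < 12 + 16 + 1) return null;
    const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12), { authTagLength: 16 });
    decipher.setAuthTag(raw.subarray(12, 28));
    decipher.setAAD(Buffer.from(sessionId));
    const json = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const claims = JSON.parse(json.toString('utf8'));
    if (claims.exp < Math.floor(Date.now() / 1000)) return null;
    return PROVIDERS.has(claims.p) ? claims.p : null;
  } catch {
    return null; // failed authentication tag or malformed input
  }
}
```

The callback handler selects the token endpoint from the value `openState` returns and rejects the request when it is `null`, so a response cannot be steered to a different provider's configuration.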

Parameters for webservice call from ASP.NET MVC/jQuery best practice

I need to call a webservice which takes as parameters things like the database name, schema name, login credentials etc.
I'd ideally like to call the webservice directly from jQuery, but I feel that these parameters belong in the web config so perhaps I should be calling the webservice indirectly through an ajaxed MVC controller method.
What are people's opinions on this? Is there an elegant solution?
Edit: It's just occurred to me that I'll be exposing the server credentials to the client if I make the call from jQuery, so I guess that isn't an option unless there's a clever trick I don't know about.
Elegance is in the eye of the beholder, but you could institute a token-based system. Users of your service would apply ahead of time to use your service. You would issue a token (a GUID for this example). Each call to the service, the user would include that token as a parameter, or better, part of the request headers. On the server, you could use that token to find out the items needed by that user (database and schema names, login credentials, etc).
Again, elegance is in the eye of the beholder, but a solution like this does address the concern in the question: exposing server credentials to the client.
Jonathan has a good answer, but you could also create some sort of serialized data object that contains all the info you're concerned with, and write it to the client as an encrypted string. Pass the string to the web service, and the web service would be able to decrypt and parse as needed.

openid authentication tables and what do they mean

I installed the Ruby on Rails plugin "open_id_authentication". After running the migration it created two tables, "open_id_authentication_associations" and "open_id_authentication_nonces". Does anyone know what those tables do and how they are used?
Thanks
iHeartDucks,
Here is a site that has much more discussion on what exactly is happening with the open_id_authentication plugin, and why it needs these tables. You will find:
These tables, "open_id_authentication_associations" and "open_id_authentication_nonces", store information about the messages received from OpenID identity providers, including authentication keys.
Thanks!
The open_id_authentication_nonces table stores the openid.response_nonce value, which is basically a string starting with a timestamp and ending with a unique value.
The open_id_authentication_associations table stores information like the OpenID server url, username, secret, etc - the information needed for the user to authenticate.
