WSO2 custom authenticator for OAuth2 token API - oauth-2.0

I want to implement a custom authenticator for /oauth2/token, where, along with grant_type, username, password, and scope, I will pass one more parameter, OTP, which will be validated with custom logic.
Is there any way of verifying additional parameters with external custom logic?
I can see in the WSO2 docs, Writing a Custom OAuth 2.0 Grant Type, but that verifies the additional params internally.

Related

Openid Connect standard way for exchanging ID Tokens

Is there any standard way for replacing ID tokens of 2 authorization servers?
For example, I have a service that you can log in to with an external ID Token, but my service is also an authorization server and therefore I want to allow users to exchange external ID Tokens with my service ID token.
The OAuth2 specification defines the following grant types:
authorization code
implicit grant
resource owner password credentials
client credentials
But it also supports defining additional grant types where required:
New authorization grant types can be defined by assigning them a
unique absolute URI for use with the "grant_type" parameter.
Per the specification, new endpoints, parameters, response types and error codes may be defined to support the grant type extension.
When implemented, a client can make a request providing the new grant type:
POST /token
grant_type=id_token&id_token=external-token&...
which would validate the incoming token and issue your service's token.
Here are some links from oauth servers supporting custom grant types for inspiration:
https://oauthlib.readthedocs.io/en/latest/oauth2/grants/custom_grant.html
https://is.docs.wso2.com/en/latest/learn/writing-a-custom-oauth-2.0-grant-type/
https://identityserver.github.io/Documentation/docsv2/advanced/customGrantTypes.html
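A token endpoint that dispatches on grant_type and validates the extra OTP through an injected external check, illustrating both the OTP question at the top of the page and the extension-grant pattern in this answer. This is an added example, not code from WSO2 or any of the linked projects; the user store, client, scopes and the grant URI are constructed placeholders.

```python
import hmac
import secrets
from typing import Callable

# Constructed demo data (not real credentials): one resource owner and one confidential client.
# A real store holds password hashes, not plaintext.
USERS = {"alice": {"password": "demo-password", "scopes": {"openid", "read"}}}
CLIENTS = {"s6BhdRkqt3": "client-secret"}

# RFC 6749 section 4.5: an extension grant is named by an absolute URI. This one is a
# placeholder chosen for the example, not a URI registered by WSO2 or any standard.
OTP_GRANT = "urn:example:params:oauth:grant-type:password-otp"


def _check_client(form: dict) -> bool:
    secret = CLIENTS.get(form.get("client_id", ""))
    return secret is not None and hmac.compare_digest(secret, form.get("client_secret", ""))


def _check_password(form: dict) -> bool:
    user = USERS.get(form.get("username", ""))
    return user is not None and hmac.compare_digest(user["password"], form.get("password", ""))


def _issue(form: dict) -> tuple[int, dict]:
    """Issue a bearer token, narrowing the requested scope to what the user is allowed."""
    user = USERS[form["username"]]
    requested = set(form.get("scope", "").split()) or user["scopes"]
    if not requested <= user["scopes"]:
        return 400, {"error": "invalid_scope"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(requested))}


def token_endpoint(form: dict, otp_validator: Callable[[str, str], bool]) -> tuple[int, dict]:
    """Handle a token request; otp_validator is the externally supplied OTP check."""
    if not _check_client(form):
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "password":
        return _issue(form) if _check_password(form) else (400, {"error": "invalid_grant"})
    if grant == OTP_GRANT:
        if "otp" not in form:
            return 400, {"error": "invalid_request"}
        # Both factors must pass; either failure maps to the same invalid_grant error so the
        # response does not reveal which factor was wrong. The OTP itself is never checked
        # here, only through the injected external validator.
        if not _check_password(form) or not otp_validator(form["username"], form["otp"]):
            return 400, {"error": "invalid_grant"}
        return _issue(form)
    return 400, {"error": "unsupported_grant_type"}
```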

OAuth 2.0 Auth code grant - Is there anyway to Authenticate user when requesting for Auth Code

What's the best way to programmatically authenticate a user using the OAuth 2.0 Authorization Code Grant?
Wondering if there is a way to combine steps A and B as stated in the spec - https://www.rfc-editor.org/rfc/rfc6749#section-4.1, i.e. pass the user ID and password as part of the authorize call? Something like:
/authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&user_id=john.doe#mail&password=xxxx
I believe one way is to submit() the form returned by the Authorization server with user id and password. Taking this route would create a dependency on the form and any changes to it given it is not a public API.
The Authorization Code grant is designed to be used with a full browser, i.e. it should not be used to authenticate the user programmatically. In fact, using it programmatically would defeat the purpose of OAuth 2.0, which is to not divulge the user's credentials to the Client.
Grants like Client Credentials and Resource Owner Password Credentials have been designed to be used with non-browser Clients.
Alternatively you could create an access_token and refresh_token for your Client in a browser using the Authorization Code grant, then pass the tokens to your non-browser Client so that it can use the refresh_token on its own to obtain a new access token when the old one expires.

WSO2-OAuth2.0-ExternalAccessToken

I have a unique scenario in which we need to sync an external OAuth access token with the wso2am key manager.
The scenario is as follows: the user logs in to our internal IDP server, and the IDP server generates an access token upon successful verification of the user's credentials. Now the requirement is that the UI (application) should be able to invoke an API on wso2am using that access token which was generated by the IDP. That is only possible if we sync that external access token to the wso2am Key Manager. I am not able to fit this requirement with the available grant types, password and client-credentials, as all these grant types generate a new access token, which we don't want.
Please advise how to achieve it. Thank you.
WSO2 API Manager supports configuring an external key manager [1]. So you can configure your IDP as key manager for WSO2 APIM.
[1] https://docs.wso2.com/display/AM200/Configuring+a+Third-Party+Key+Manager

Authenticate using SAML-based Basic Authentication?

I have a use case where a web application needs to let users authenticate in two different ways but using the same user data store (aka IDP) via SAML.
The user's browser is redirected to the IDP and redirected back with a SAML assertion (aka WebSSO Profile).
The user makes a request to the SP providing their credentials via Basic Authentication. The SP would then need to send the user's credentials to the IDP, and the IDP would provide an assertion, all through a back channel (server to server).
I'm using Spring Security SAML extension. The sample application in Spring SAML contains both basic authentication with username and password and SAML-based authentication but the Basic Auth portion uses local accounts defined in the securityContext.xml file. I need to use the user accounts on the IDP. Is this possible? If so, how do I configure Spring SAML?
There is no standard SAML WebSSO mechanism which would allow SP to request assertion for a specific user by providing her credentials. You might want to look into WS-Trust standard which covers such use-cases using its Request security token methods (RST/RSTR calls). Another quite standardized way to do this is Client Credentials grant of OAuth 2.0. Both are out of scope for Spring SAML, but can be combined with it.

Spring OAUTH2 usage for two different type of authentication

We are using the OAUTH2 token mechanism to protect REST web services. Is there a possibility of configuring two possible authentication mechanisms in a single token generator and validating them?
Authentication based on userId and password.
Authentication based on merchantId and password.
So that it can be used to generate valid tokens and the user is authenticated. This type of mechanism is needed to protect mobile-based REST services and web applications using web services. Correct me if I am wrong.