We are trying to build application for Mobile and web
react-native and react js respectively.
As we see legacy spring-security-oauth is deprecated, we would like to use spring authorization server 5 project
Do this authorization server project supports Password Grant, as we have challenges in doing Authorization code grant for custom login Authentication like biometric
The Spring Authorization Server does not support authorization grant type PASSWORD. This project is mainly focused to deliver the Authorization server as per the latest OAuth 2.0 security practices in which the use of Resource Owner Password Credentials grant is disallowed.
Related
I have a authorization server which generates and store bearer tokens for username and password log in using the oauth2 password grant. I want to integrate social sign in (Google and facebook) to my existing authorization server. Since my other resources are protected by authorization server how do I generate a Bearer tokens for google/facebook signed in users ? so i can access my protected resources using that token.
Note: Bearer tokens are stored in mysql db. (Using JdbcTokenStore)
Since I already have password grant implementation, I'am glad if you can give me direction to do with the current authorization service using spring-boot and spring security.
Thank you.
There are 2 main ways to implement this:
Federation, so that the Authorization Server manages integration with social identity providers
Handle different providers in your apps, which will add complexity to both your UIs and APIs
Personally I much prefer the first option, which only requires configuration changes - and no code changes in UIs and APIs. My Federated Logins Blog Post may help you to understand your architectural choices.
It is worth doing some early technical testing to see if these steps work:
Adding an OAuth web client to Google / Facebook
Adding an Identity Provider to your Authorization Server
I'm struggling theese days on the possible way to configure an Authentication + authorization system to consume a REST API from a mobile application.
Scenario:
We've developed 3 independent portals for a big customer that serves several users.
To enable a SSO for the 3 portals we've implemented a SAML authentication system using SimpleSAMLphp.
Every portal has a service provider and they make assertion requests against a central IdP.
The IdP checks username and password against a database where passwords are hashed and stored during registration.
After the login, the authorization on the portals is handled by the session on the server, and so far everything was fine.
Now the customer asked us to develop a mobile application that will require the users to login and access several of their protected resources collected during the usage of the 3 portals.
We've decided to develop a frontend application using ionic that will consume a REST API made in node.js that will serve all the data (both protected and unprotected resources).
Now here comes the question: to authorize access to protected resources on the Api we'd like to use JWT to easily achieve a stateless system.
The doubt is how to perform the authentication? We've the opportunity to check the credentials directly against the database skipping the SAML process, otherwise we've to implement a solution where the SSO IdP acts as authentication provider and then when an attempt is successful the API app will get the response from the idp and then issue a signed jwt to the consumer client. Is this second way a common implementation? Is it possible?
What path do you suggest to follow? The first could be very easy to achieve, but since we're using html+js for the app's frontend, if we decide to use the second solution probably in the near future we could recycle some code from the app to modernize some functions on the web portals, maintaining the jwt pattern and consuming the new Api also on the web.
I believe that in this case will be easier to ask a token to the new api using someway the logged in user's data already in the session of the portal. Sounds possible?
I hope that everything was clear, any help will be appreciated!
Thanks
The key goal here is to code your apps in the best way, via
the latest security standards (OAuth 2.0 and Open Id Connect).
SAML is an outdated protocol that is not web / mobile / API friendly, and does not fit with modern coding models.
Sounds like you want to do OAuth but you do not have an OAuth Authorization Server, which is a key part of the solution. If you could migrate to one you would have the best future options for your apps.
OPTION 1
Use the most standard and simple option - but users have to login with a new login screen + credentials:
Mobile or Web UI uses Authorization Flow (PKCE) and redirects to an Authorization Server to sign the user in
Mobile or Web UI receives an access token after login that can be sent to the API
Access token format is most commonly a JWT that the API can validate and identify the user from
The API is not involved in the login or token issuing processes
OPTION 2
Extend option 1 to federate to your SAML Identity Provider - enables users to login in the existing way:
The Authorization Server is configured to trust your SAML based identity provider and to redirect to it during logins
The SAML idp presents a login screen and then posts a SAML token to the Authorization Server
The Authorization Server issues OAuth based tokens based on the SAML token details
OPTION 3
Use a bridging solution (not really recommended but sometimes worth considering if you have no proper authorization server - at least it gets your apps using OAuth tokens):
Mobile or Web UI uses Resource Owner Password Grant and sends credentials to a new OAuth endpoint that you develop
OAuth endpoint provides a /oauth/token endpoint to receive the request
OAuth endpoint checks the credentials against the database - or translates to a SAML request that is forwarded to the IDP
OAuth endpoint does its own issuing of JWT access tokens via a third party library (if credentials are valid)
Web or Mobile UI sends JWT access token to API
API validates received JWT access token
I looked at mule-oauth2.xsd and found only client credentials and authorization grant type elements. However, looking at the oauth2-provider:config it can be configured as supportedGrantTypes="RESOURCE_OWNER_PASSWORD_CREDENTIALS". If it does support resource owner password credentials, how can I configure an oauth2-client to retrieve a token? I am looking at retrieving a token from the OAuth2 provider using the oauth2:client. Here is an example of what I'm referring to, however, I want to achieve this for password.
<http:request-config name="requestConfigWithOAuth">
<oauth2:client-credentials-grant-type
clientId="${client.id}"
clientSecret="${client.secret}"
tokenManager-ref="tokenManagerConfig">
<oauth2:token-request tokenUrl="${token.url}"/>
</oauth2:client-credentials-grant-type>
</http:request-config>
#Breen-
yes Mule provides Password Grant type. I recently configured for my APIs. In API management console, when you generate a client application , it provides an option for different grant types to select which is out of the box from MULE. you do not have to do any set up for this. It is through API management console on Anypoint platform.
Let me know if any question.
MuleSoft supports the following authentication in Mule 3.8 client apps:
Basic Authentication
NTLM Authentication
Digest Authentication
OAuth2 - Authorization Code
OAuth2 - Client Credentials
See the docs.
I've been trying to learn some server side frameworks these days. I am not an expert of oauth2, but I had use an api with a team. They gave me an access using Resource owner credentials grant, with a grant_type as password, client_id and client_secret. I can log in on multiple browsers at the same time. As I have tried sails js oauth 2 and laravel passport oauth2. I got confused. Both of them using grant_type password revoke my old access_token. Using laravel passport and sails js oauth2 with grant_type password. I can log in only on one device or browser at a time. I'm confused which one is the right thing to do.
Is this how oauth2 really works? you can only log in and use one access token?
If this is the standard way, revoking the old access token. What type of grant type should I use. so my multiple devices can log in at the same time?
The behavior --- whether issuing a new access token invalidates existing access tokens or not --- depends on OAuth 2.0 server implementations. The OAuth 2.0 specification (RFC 6749) does not impose any restrictions on the behavior.
In fact, a certain OAuth 2.0 server implementation provides a feature to enable server administrators to configure the behavior. The following is a screenshot of the description about the configuration item ("Single Access Token Per Subject").
So, what matters is not grant_type but the implementation policy of the OAuth 2.0 server you are using.
After some rudimentary testing I've gotten CAS to work with the Authorization Code Grant. This seems to be the only grant mentioned in the documentation. Does CAS support other grants outlined in the OAuth2.0 draft 2-31 section 4.3? What are the service endpoints?
I'm the creator of the OAuth server support for CAS and so far, it only supports the authorization code grant which matches pretty well with the CAS webflow...