I'm currently implementing Keycloak in my application and have encountered a problem: I cannot find any documentation except the keycloak.org Guides, which are not enough for me.
I've also tried searching through OpenID Connect specifications, nothing there.
What I want is a single resource with clear and handy docs for each HTTP endpoint of Keycloak (not for Keycloak-Admin), e.g. for the /login endpoint and all possible use cases of that endpoint, so I can understand how to use all these endpoints.
Where can I find this? I've spent several hours just googling for tiny bits of information and this seems unacceptable to me.
Keycloak is an OpenID Connect implementation; OIDC in its turn is a spec built on top of the OAuth2 framework, so I suggest you read the following resources (in the specified order):
OAuth2 Spec
OIDC Core Spec (Note sections like "[Authorization | Token | UserInfo] endpoint")
Keycloak OIDC docs
I would also suggest you read the other OIDC specs from https://openid.net/connect/ to get the full picture.
Also note that, for example, /login is not an endpoint from the OIDC spec; it's just a detail of Keycloak's implementation.
Related
I am creating a new product. For that I have to use the available security features. Should I use OAuth2 or JSON Web Token? Which is better, and in which situation should each be used?
I think you may find your answer in using org.apache.oltu.oauth2.
https://www.programcreek.com/java-api-examples/?api=org.apache.oltu.oauth2.client.request.OAuthClientRequest.AuthenticationRequestBuilder
You can see an implementation for oauth and openID here oauth server and resource server
Just to explain what they are:
the OAuth server creates the tokens;
the resource server uses that token and processes it to give you the requested data.
You can also go through the following docs to understand what they mean and how to implement them:
sample implementation in Java, Oracle tutorial on the concept of tokens.
If you want to do Google API auth then you can go through this.
I also found this Stack Overflow link, which is a somewhat similar question and shares a few similar links. You should check that out as well.
I am building my own API in .Net Core 2.2 for fun and to learn more. I am at the point where I want to secure it with JWT tokens. I have built my own authentication and validation with JWT to understand what's going on. But I thought I would use some of the already established frameworks for this instead of reinventing the wheel. I was thinking of IdentityServer4 and OAuth2. So my question is: does anybody have any good resources, guides or tutorials that cover both IdentityServer and OAuth2 and how they work together?
I have found this article and I searched PluralSight and found some but nothing that covers both technologies. I thought I would ask the community here before I dive in.
OAuth2 and IdentityServer4 do not work together.
What OAuth2 is, is a specification. I was at the point you are, and you have to get it through your head that OAuth2 is an idea/blueprint/schematic/plan/specification/framework which just describes how to make authentication with JWT possible. If you want to understand the idea of OAuth2 you have to read the spec; there is no easy way about it, just read it.
Part of IdentityServer4 takes the OAuth2 spec and abstracts it into an easy to use API that integrates with the dotnet core framework. Saying 'part' because IdentityServer4 provides so much more than just an implementation of OAuth2. To learn IdentityServer4 read the docs.
Furthermore you can read the oidc spec. This is the spec for authenticating the client with JWT.
I'd also recommend watching this video, where Brock Allen gives a tour of IdentityServer4.
Here is a guide on how to stand up a simple OAuth2 server using IdentityServer.
https://identityserver.github.io/Documentation/docsv2/overview/simplestOAuth.html
They also released all the source for the example here:
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Simplest%20OAuth2%20Walkthrough
The IdentityServer online documentation is extensive and is also a good reference and resource as you move through setup.
http://docs.identityserver.io/en/latest/endpoints/authorize.html
Good luck!
I'm building a web app which will have an api and an authorization service using DotNetOpenAuth. I found this example on how you can authorize using a service provider that already exists but I would like an example on how to implement a service provider that can create tokens, persist them and do evaluation. Is there any great articles or sample providers that I can download?
Update
DotNetOpenAuth has moved on since this was initially posted. I strongly suggest you follow Ashish's advice and take a look at the samples. They contain code to write Authorization Servers, Resource Servers and Clients for all the major flows.
If you wanted a pre built solution, with opensource code
Thinktecture Identity Server is an Open Source .NET security token service. It supports a number of endpoints for authentication including OAuth 2.0 Bearer tokens.
Update: Thinktecture Identity Server is now on version 2 and supports these OAuth 2.0 flows:
Resource Owner Password Credential Flow
Implicit Flow & JavaScript
Authorization Code Flow
Again, take a look at the code to see how it was all done, and there are samples here to show how to plumb it in.
I hope this helps; these libraries and examples have hugely helped us over the past few months.
Update
There is also another example (warning: it looks dated) of a simple OAuth provider for MVC here. Sample code here.
Complete working examples for DotNetOpenAuth can be found here: https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples
I tried a number of times with DNOA... had to give up, but documented my findings (used Thinktecture in the end): http://tb-it.blogspot.co.nz/2015/06/oauth-20-frameworks-and-platforms.html
I am building a REST API using Grails. I want it to be protected using the OAuth2.0 client_credentials flow (grant_type). My use case is as follows:
an external agent will send a request to something like
http://server-url/oauth/token?client_id=clientId&client_secret=clientSecret&grant_type=client_credentials
and obtain an access_token. Then my URL (protected resource) should be accessible with something like
http://server-url/resource?access_token={access-token obtained before}
I am looking for something that makes doing this on Grails easy and quick. What will be the best way/tool/plugin to use for this ? Scribe library is an option, if there are any tutorials for my specific use-case, it will be great.
P.S.: I have tried the spring-security and related plugins, no joy there. Any alternatives would be nice.
I have the same issue. I found a lot of grails plugins that helped you authenticate your app against other oauth providers, but nothing that would help me make my app the oauth provider. After a lot of digging, I came across this grails plugin that will do exactly what you want.
https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider
I'm still configuring it for my application, and I think the docs might need a few edits (specifically the authorization_code flow) but I got the simple client_credentials flow to work with minimal configuration. Hope that helps!
Based on my experience, Scribe was built for OAuth 1.0 and has only very limited support for OAuth 2.0. In fact, for testing our own OAuth 2 implementation, all we could use from it was an HTTP request wrapper; we had to do everything else manually. Fortunately, doing it manually is surprisingly easy.
Since I still haven't found a fine open OAuth 2.0 library for Java (frankly I'm not familiar with Groovy), I encourage you to write the client code for yourself. You don't even need a client callback endpoint to use the client credentials grant flow. So you simply create an HTTP request (as you've written above already, take care to escape the GET parameters though) and get the response content. Your flow does not use redirects, so simply parse the JSON object in the response content, e.g. with the org.json library. Finally, send an HTTP request using the extracted access token.
Note that your examples are not completely standard compliant. The standard requires using HTTPS and sending the token in an HTTP header instead of a GET parameter, and suggests using an HTTP Basic authorization header instead of GET parameters to specify client credentials.
I may have misunderstood your question, and you may want to implement the server side, too. The scribe library supports only client side, so you can find a commercial implementation or implement your own server. It is a complex task, but if you support only the client credentials flow, it almost becomes easy. ;-)
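Both sides of the client_credentials exchange the two answers above describe, written as an added example for this thread (it is not the Grails plugin's code nor anything from the question). The "token endpoint" and "protected resource" are in-process stand-ins, and the client store with one registered client (clientId / clientSecret, taken from the question's sample URL) is constructed data. It uses the request shape RFC 6749 prescribes, which the answer notes the question's URLs do not: credentials in an HTTP Basic header, the grant in a POST form body, TLS enforced, and the token sent as a Bearer header rather than a ?access_token= query parameter.

```python
"""Client-credentials grant, client and server sides, simulated in-process.
Added example; the server functions are stand-ins, not a real framework."""
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration data for the example; a real server loads its client store.
CLIENTS = {"clientId": "clientSecret"}
ISSUED_TOKENS = {}  # access_token -> client_id, the server's token store


def build_token_request(token_url, client_id, client_secret):
    """Client side: spec-compliant token request for grant_type=client_credentials."""
    if urlsplit(token_url).scheme != "https":
        raise ValueError("RFC 6749 requires TLS for the token endpoint")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        # urlencode does the escaping the answer above warns about.
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def token_endpoint(request):
    """Server side: authenticate the client, then issue a bearer token."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, client_secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id)
    # compare_digest keeps the secret comparison constant-time
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return 401, {"error": "invalid_client"}
    form = parse_qs(request["body"])
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)  # opaque, unguessable token
    ISSUED_TOKENS[token] = client_id
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def build_resource_request(resource_url, token_response_body):
    """Client side: parse the JSON token response, send the token as Bearer."""
    token = json.loads(token_response_body)["access_token"]
    return {"method": "GET", "url": resource_url,
            "headers": {"Authorization": f"Bearer {token}"}, "body": ""}


def protected_resource(request):
    """Server side: accept only a valid Bearer header, never ?access_token=."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    client_id = ISSUED_TOKENS.get(auth[7:])
    if client_id is None:
        return 401, {"error": "invalid_token"}
    return 200, {"data": f"hello {client_id}"}


def run_flow(client_id, client_secret):
    """Whole exchange; returns (token status, resource status, last body)."""
    status, body = token_endpoint(build_token_request(
        "https://server-url/oauth/token", client_id, client_secret))
    if status != 200:
        return status, None, body
    req = build_resource_request("https://server-url/resource", json.dumps(body))
    r_status, r_body = protected_resource(req)
    return status, r_status, r_body


if __name__ == "__main__":
    print(run_flow("clientId", "clientSecret"))
    print(run_flow("clientId", "wrong"))
```

The token is stored server-side as an opaque random string, so the resource server validates by lookup; a JWT access token would be validated by signature instead, but the client-side shape (Basic header in, Bearer header out) is the same.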
This isn't a plugin, it's just a sample Grails application that acts as an OAuth provider. It was really easy to get up and running with Grails 3.
https://github.com/bobbywarner/grails3-oauth2-api
I've seen this Two legged OAuth using DotNetOpenAuth but it doesn't provide any details on how to remove one of the legs.
I am finding the code quite hard to get my head around (using DotNetOpenAuth 4.0). Can anyone give me any pointers on how to modify the samples to do a two-legged auth?
From the service provider, it is a simple matter of authorizing the request token immediately before returning what normally is an unauthorized request token. Since the service provider already has to provide code to generate and store request tokens, this should be straightforward.
From the consumer, it's simply that you skip the redirect step. There's a sample of this in the OAuthConsumer samples' GoogleApps2Legged.aspx code-behind.
Take a look at this post, it explains how to implement a 2 Legged OAuth using DotNetOpenAuth 4 with a Google Apps consumer key + secret.
Google Calendar V3 2 Legged authentication fails
Hope it helps you :)