Oauth2 with ORY Hydra or ORY Kratos - oauth-2.0

I have a project that needs to implement Oauth2 (users need to be able to login with Google or iCloud), and I decided to use ORY hydra so I don't have to write my own Oauth2 implementation.
I tried figuring ORY Hydra out on my own, but I failed. I know how Oauth2 works in abstract terms, but I have no idea how to implement Oauth2 with it in practice. SDKs have no documentation, no matter what language they are for. I know that Hydra has an HTTP API, so language SDKs don't really matter, but I was hoping to find some guidance in their documentation; as I wrote, they have none. And the main documentation's "5 minute tutorial" just provides some docker containers without any code or logic behind them, just some docker-compose commands.
What is a good educational resource that would show how to implement OAuth2 with ORY Hydra? At this point I am ready to use any language at all, or dive straight into the OAuth2 standard.

You need Ory Hydra if you want to become an OAuth2 provider yourself.
What you are looking for is Ory Kratos, a user management system. You can also implement "Login with..." for multiple providers.
Check out this article for more info if you need OAuth2:
The "5 minute tutorial" does not really touch any underlying concepts, but there are multiple links to the docs that explain this. Here is a good starting point:
https://www.ory.sh/hydra/docs/concepts/oauth2

For "social sign-in" you probably need Kratos: https://www.ory.sh/kratos/docs/concepts/credentials/openid-connect-oidc-oauth2/

Related

Identity Server4 and OAuth2

I am building my own API in .NET Core 2.2 for fun and to learn more. I am at the point where I want to secure it with JWT tokens. I have built my own authentication and validation with JWT to understand what's going on. But I thought I would use some of the already established frameworks for this instead of reinventing the wheel. I was thinking of IdentityServer4 and OAuth2. So my question is, does anybody have any good resources, guides or tutorials that cover both IdentityServer and OAuth2 and how they work together?
I have found this article and I searched PluralSight and found some but nothing that covers both technologies. I thought I would ask the community here before I dive in.
OAuth2 and IdentityServer4 do not work together.
What OAuth2 is, is a specification. I was at the point you are at, and you have to get it through your head that OAuth2 is an idea/blueprint/schematic/plan/specification/framework which just describes how to make authentication with JWT possible. If you want to understand the idea of OAuth2, you have to read the spec; there is no easy way about it, just read it.
Part of IdentityServer4 takes the OAuth2 spec and abstracts it into an easy to use API that integrates with the dotnet core framework. Saying 'part' because IdentityServer4 provides so much more than just an implementation of OAuth2. To learn IdentityServer4 read the docs.
Furthermore you can read the oidc spec. This is the spec for authenticating the client with JWT.
I'd also recommend watching this video, where Brock Allen gives a tour of IdentityServer4.
Here is a guide on how to stand up a simple OAuth2 server using IdentityServer.
https://identityserver.github.io/Documentation/docsv2/overview/simplestOAuth.html
They also released all the source for the example here:
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Simplest%20OAuth2%20Walkthrough
The IdentityServer online documentation is extensive and is also a good reference and resource as you move through setup.
http://docs.identityserver.io/en/latest/endpoints/authorize.html
Good luck!

Authenticating on two different backend servers

Due to requirement changes we need to add a node server to our already existing system. We will be using sails.js for the realtime communication part of the app and redis store for session management. But the confusion now is what is the best way to authenticate the client app/user on both servers with one login form.
Any help will be much appreciated.
Unless you have specific limitations or wishes, this sounds like a standard requirement for an SSO (Single Sign-On) implementation. OAuth is a widespread standard in this area.
Ruby has implementations for this; see this repository for example:
OAuth2 A Ruby wrapper for the OAuth 2.0 specification.
As for reading materials, you can check this article:
Single Sign On (SSO) for Multiple Applications with Devise, OmniAuth and Custom OAuth2 Implementation in Rails
This tutorial may also help.
Then, you can implement OAuth in your Node.js server, and in other services when needed.
Or detail your question and specific requirements or limits for other options. Meanwhile, you can check this SO question on other non-SSO options.

Best practices for the OAuth "application server" - Square

I have an application that uses a personal access token to GET the list of items. I want to switch to using OAuth; the application will use ITEMS_READ only.
My application is a daemon running on an instance of a secure Ubuntu server dedicated to this application(s). Regarding the "application server", is there anything that Square recommends? What are typical best practices for the "application server"?
Thank you
The API documentation is fairly extensive, and includes a helpful section about OAuth. A few common pitfalls I've noticed with OAuth implementations in the past lead me to call these things out:
If you are only building a one-off integration for your own use, it is probably not worth using OAuth.
Make sure you understand how OAuth works. If you find yourself asking for users' client secrets or personal access tokens, or anything else that requires them to open the app management dashboard at connect.squareup.com, you need to rethink your implementation. Only you, the developer, should need to understand access tokens and other API credentials.
You can generally ask for more OAuth scopes than the bare minimum that you need. I'd recommend getting MERCHANT_PROFILE_READ as well. That can be useful to manage accounts, and so you can hit /v1/me to get various IDs you'll need.
The Square OAuth access tokens expire as described here. They last for thirty days, so this can tend to creep up on developers who aren't aware of it. You will need to use a scheduled task to renew access tokens that are about to expire and purge your old tokens after doing so. Something as simple as a cronjob should be fine.
In terms of the technology stack you use, that's entirely up to you. The Square Connect team is happy to help and provide recommendations when we can.
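The renewal schedule the answer describes (thirty-day tokens renewed before they expire, old tokens purged afterwards), as an added example rather than Square's own code. It assumes tokens live in a dict keyed by merchant id and that the provider's renew call is supplied as a hypothetical `renew` callable; the five-day renewal window is an assumed value.

```python
"""Scheduled renewal of expiring OAuth access tokens (added example, not Square's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

TOKEN_LIFETIME = timedelta(days=30)  # the answer states tokens last thirty days
RENEW_WINDOW = timedelta(days=5)     # renew anything this close to expiry (assumed value)


@dataclass
class StoredToken:
    access_token: str
    expires_at: datetime


def needs_renewal(tok: StoredToken, now: datetime) -> bool:
    """True when the token is still valid but inside the renewal window."""
    return now < tok.expires_at <= now + RENEW_WINDOW


def renew_expiring(store: Dict[str, StoredToken],
                   renew: Callable[[str], str],
                   now: datetime) -> List[str]:
    """One scheduler pass (run it from a daily cron job). Returns the ids renewed.

    Already-expired tokens are purged so the merchant is sent back through
    authorization; we assume the provider will not renew an expired token.
    """
    renewed = []
    for merchant_id, tok in list(store.items()):
        if tok.expires_at <= now:
            del store[merchant_id]          # purge: nothing left to renew
        elif needs_renewal(tok, now):
            new_token = renew(tok.access_token)   # hypothetical provider call
            # replace the old token so it does not linger in storage after renewal
            store[merchant_id] = StoredToken(new_token, now + TOKEN_LIFETIME)
            renewed.append(merchant_id)
    return renewed


def run_sample() -> Tuple[List[str], Dict[str, StoredToken]]:
    """Constructed sample store: three merchants at different points in the lifecycle."""
    now = datetime(2024, 1, 15)
    store = {
        "fresh": StoredToken("tok-fresh", now + timedelta(days=20)),
        "expiring": StoredToken("tok-expiring", now + timedelta(days=3)),
        "expired": StoredToken("tok-expired", now - timedelta(days=1)),
    }
    return renew_expiring(store, lambda old: "new-" + old, now), store


if __name__ == "__main__":
    print(run_sample()[0])  # ['expiring']
```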

oAuth 2 implementation before moving google container

We are running two RESTful APIs, one over HTTP and the other over UDP.
They are running on on-premise infrastructure, and within the next few releases we'd need to run them as Google containers once we dockerize them.
Before we put the service up in the cloud and all that, we need to implement OAuth!
My question is where to start and how we should approach implementing OAuth 2 considering the road map I described?
Truly appreciate any suggestions.
It kind of depends on what you want to use OAuth2 for.
One option is to use an existing OAuth2 implementation; there are implementations for most languages (e.g. https://cwiki.apache.org/confluence/display/OLTU/Index).
This allows you to keep your own login/password system.
If you'd rather delegate the auth and identity to a provider like Google, then you just need to implement the OAuth2 dance to get a user's identity from Google, see https://developers.google.com/accounts/docs/OpenIDConnect for more details.
(and when it comes time to use container engine, visit us on IRC #google-containers if you have questions about containers and Google!)
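The "OAuth2 dance" against Google the answer refers to, as an added example (not from the answer or Google's documentation): building the authorization request with `state` and `nonce`, checking `state` on the callback, and checking the ID token claims. The endpoint and issuer strings are the ones Google documents; the client id and redirect URI are placeholders, and signature verification of the ID token against Google's JWKS is assumed to happen before `validate_verified_claims()` is called.

```python
"""Login with Google via OpenID Connect: request construction and response checks."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def build_auth_request(client_id: str, redirect_uri: str):
    """Return (url, state, nonce); state and nonce must be kept in the user's session."""
    state = secrets.token_urlsafe(32)   # binds the callback to this browser session (CSRF)
    nonce = secrets.token_urlsafe(32)   # binds the ID token to this login attempt (replay)
    params = {
        "client_id": client_id,         # placeholder: your Google OAuth client id
        "redirect_uri": redirect_uri,
        "response_type": "code",        # authorization-code flow; tokens never reach the browser
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}", state, nonce


def callback_state_ok(session_state: str, callback_url: str) -> bool:
    """Reject callbacks whose state does not match the one stored in the session."""
    returned = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return secrets.compare_digest(session_state, returned)


def validate_verified_claims(claims: dict, client_id: str, nonce: str,
                             now: float = None) -> bool:
    """Claim checks from Google's OpenID Connect guide, applied after signature verification
    (assumed to be done by the caller against Google's published JWKS)."""
    now = time.time() if now is None else now
    return (claims.get("iss") in GOOGLE_ISSUERS
            and claims.get("aud") == client_id
            and claims.get("exp", 0) > now
            and secrets.compare_digest(str(claims.get("nonce", "")), nonce))


if __name__ == "__main__":
    url, state, nonce = build_auth_request("client-id-placeholder", "https://app.example/cb")
    print(url)
```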

How do I implement an OpenID server in Rails?

I see a similar question for Ubuntu, but I'm interested in hosting my own OpenID provider through my Rails-based site that already has an identity and authentication system in place.
Note that I'm not looking for the delegate method to use the site as an OpenID.
What's the best way to do this properly?
This "No Shit Guide To Supporting OpenID In Your Applications"
seems to be a step-by-step tutorial for what you want to do.
Railscasts episode 68, OpenID authentication, describes how to do exactly this. It's about a year old, so you may have to do some stuff differently. I'd also strongly recommend looking for either an updated or newer OpenID plugin (the link for the one in the video is labeled "outdated").
Err, wait, that is to support OpenID authentication in a Rails application you are writing, not to run an OpenID endpoint in Rails. Here is a guide to implementing an OpenID server/endpoint in Rails pretty much from scratch. gem install openid-server might be easier, but you'll learn more implementing it yourself, and the code is pretty simple.
This reminds me that the overview docs for ruby-openid server are still missing. But you can see the example, and until the docs are ported over, see the docs for the python implementation which follows the same object model.
