I have an Hydra SSO Server, an OIDC Provider and a Resource Server Website.
When a user browses a protected page on the Resource Server Website, if no authentication info can be found, a guard will redirect the user to Hydra SSO Server and a authorization-code oauth2 flow will start. Either it will automatically log the user if Hydra SSO Server session can be found, either it will redirect the user back to the login page.
When a user browses a public page on the Resource Server Website, the guard does not redirect the user to Hydra SSO Server. In this case we don't know if the user is already logged (Hydra SSO Server session is active).
As I would like to put user info on the navbar no matter which page he visits, what is the best approach to check user session on Hydra SSO Server ?
I did not find any endpoint for validating the user hydra session without redirection.
If I need to start with an oauth2 redirect against hydra when the website loads, is this a correct approach ?
Related
We have an ASP.NET MVC application that uses Okta for user authentication.
When an unauthenticated user browses to our app, they are redirected to Okta to log in and are then redirected back to the application, authenticated. When they click "Logout" within the application, they are signed out of the application and signed out of Okta.
The issue is when we click "Logout" from the Okta dashboard. When a user clicks "Logout" from the Okta dashboard, they are signed out of Okta but not signed out of our application. When the user logs in with different credentials in Okta and opens the application, HttpContext.User.Identity still contains the previous user information.
Is it possible to set things up such that when a user clicks "Logout" within the Okta dashboard they are also logged out of the ASP.NET application? What's the best way to accomplish this?
This is the expected behavior, let me explain.
Let's assume a user is not logged into Okta OR your application. When a user visits your application and clicks "Log In", they are then redirected to Okta to authenticate. When they authenticate to Okta, a new session cookie is created so the user's identity is remembered on the Okta domain (for example, blah.okta.com).
Then the user is redirected BACK to your application (yourwebsite.com) where they will have an access token and a NEW session cookie (on the yourwebsite.com domain) which will keep them logged in there.
So at this point, there are two separate sessions that are active:
One on your domain (yourwebsite.com)
One on Okta's domain (blah.okta.com)
When a user logs out of Okta's dashboard, this means that their token is revoked and the session cookie is deleted (from the Okta blah.okta.com domain). BUT, there is no way for Okta to delete the session cookie from YOUR website (yourwebsite.com).
Therefore, when your user does something on your website (yourwebsite.com), the user's browser will STILL send the session cookie to your backend that contains an Okta access token.
And... Depending on how your web application is configured, it will do one of two things to verify that token:
It can either validate the token locally using a JSON web token library (which is the default behavior), in which case the token is still valid, so the user is considered "authenticated" and will continue to be able doing things even though their token has been revoked.
It can validate the token against Okta's authorization server (this is called token introspection), which is a bit slower as it requires an HTTP request to Okta. If this is done, then the user will indeed be recognized as logged out and their session will be destroyed.
So basically, to get the behavior you're talking about, you need to modify the way your web application is validating the user's tokens. You need to switch from using LOCAL VALIDATION to TOKEN INTROSPECTION.
Unfortunately, we don't yet have the option to use token introspection in our ASP.NET library. The author of the library has just added that to her backlog =)
I have a question relating to different clients connecting to an Oauth2 service (Spring boot Oauth2 auth server) and how can I keep different clients already logged in when using the same browser.
Let's imagine this:
client1 (angularjs web app):
Clicks on login button
User is redirected to Auth APP
User logs into Auth APP
Allow the client1
User is redirected to client1 with valid token
client2 (magento web app):
Is it possible to be "logged in" here (have a valid token too) without going to the Auth APP?
if not I assume:
Clicks on login button
User is redirected to Auth APP
User is already logged in the Auth APP, goes directly to authorization screen
User allows the client
Auth APP redirects to client1
So, my question is, is it possible to get rid of the Auth APP redirection in client2 if I have a valid token in client1?
Maybe, JWT tokens with session id or something like that?
Thanks!!
Can someone shed some light on the use case for me. We wave users who will be signing in to third party client applications. Using OAUTH2 framework, the client app will redirect to our site to authenticate. From my undestanding, the Authorization server will return a access token and an id_token (OpenID Connect).
1) If the user is authenticated with us and is redirected to the client application, if they leave the client application and go back into the client application hours later, do they still have go through the whole redirect to our /authorization endpoint to re-authenticate?
2) If the user is authenticated with us and is redirected to the client application, if they leave the client application and go to our site, do they have to login again to authenticate?
Basically, does OpenID Connect over OAUTH2 allow a user to sign in once and then not have to sign in again after subsequent visit to the third party app or our app?
Thanks.
It depends on two things:
a. if the client application maintains a session and that session has not expired yet, the user won't be redirected at all
b. in case the client session timed out, the user will be redirected but if the IDP still has an authentication session running, the user will not have to authenticate and will be sent back immediately to the client app with a new token.
It depends on the IDP session existence/timeout again
Essentially an Identity Provider authenticates users and decides how to do that. It can prompt for credentials but can also create and maintain authentication sessions for the user for (typically) a limited period of time which allows for true Single Sign On (SSO).
Also note that this behaviour does not depend on the exact protocol at hand (OpenID Connect, OAuth or even SAML): it would work the same for any protocol that redirects a user to an Identity Provider in a federated SSO system.
In OpenID Connect, the session at RP typically starts when the RP validates End-User's ID Token. ID token consists of expiration time. So if the user just leaves (not logged out) and the id_token is expired when he access the RP, then the end-user needs to re-authenticate.
If the end-user logged out from the relying party and the OpenID provider supported logout mechanisms such as OIDC session management, OIDC front-channel logout or OIDC back-channel logout, then all RPs sharing the same browser session will be logged out (SLO). Then the end-user needs to login to the OP again to access the RPs.
After spending good time in Spring security with SAML for ADFs login , I am became fan of framework.
I was able to integrate my web application with ADFS for login. But I am missing few requirement here :
1) When we select IDP ADFS login url on my web application login page ,it is moving out of my web application to ADFS login. Which is not desire behavior for business.
2) Also faced problem that , as on successful login user object sent back to my web application from ADFS but in case of login failure it is staying on ADFS login page with login error message.
With this requirement can you please guide me for below requirements.
1) I want to use my own login page (instead of ADFS login redirect) to capture the username and password
2) Pass on those credentials to ADFS server for authentication
3) User authentication flow:
3.a Once user is authenticated, then redirect user to success page
3.b If authentication failed then redirect user to error page. ( Getting failure response from ADFS)
The core idea of SAML-based single sign-of is to decouple system which authenticates users (IDP - identity provider) from the systems which receive information about user's identity without performing the authentication (SP - service providers).
This model implies that SP does not have access to user's credentials, and therefore cannot contain a traditional login screen with username/password.
You can find more details e.g. in wiki of SAML 2.0 Web SSO
Yes, We can do this if IDP provides the authentication API. Okta IDP provides such API.
Check this:okta authentication api
How does OpenID Connect Authorization Code Flow work? Let's say a user made a request to app.example.com didn't have an access token or had an access token that is invalid. When the app redirected the user to authorization server: auth.example.com/authorize?response_type=code&client_id=CLIENT_ID&scope=openid&state=STATE&nonce=NONCE
Does the endpoint above have the signin screen? Or does signin happen in a separate endpoint (something like auth.example.com/signin)?
When the app redirects the user agent to the Authorization Server, the Authentication Server is supposed to authenticate the user. It can do that by presenting a login screen directly or by deferring to a separate authentication mechanism and/or server and/or screen. The authentication of the user is not prescribed by OAuth and is just something that is specific to the Authorization Server implementation. Both options are possible.