I know that the FIWARE Identity Management component called Keyrock provides an OAuth 2.0 mechanism for authentication.
Is this mechanism based on the OpenID Connect profile of OAuth 2.0?
Is there any generic enabler for OpenID Connect integration in a FIWARE architecture?
I have thought about deploying Keycloak in parallel, but it would put extra latency on my system and would reduce the throughput.
Is there an all-in-one solution for OAuth 2, OpenID Connect and XACML mechanisms provided by FIWARE?
Should I extend Keyrock with an OpenID implementation?
Thanks in advance!!!
Related
I have an API which is hosted in Azure. It is using the Microsoft Identity platform for authorization. Now we need to integrate the APIM Gateway for the API. APIM also provides OAuth authorization. So my question is: should I configure OAuth for my API in APIM, since the API would be deployed in APIM, or can I continue to use the Microsoft Identity platform, which is doing its job? So I am looking for the benefits of using OAuth from APIM rather than through Microsoft Identity. In other words, what would be the difference and the pros of using OAuth vs Microsoft Identity, which also relies on OAuth?
Each API should validate a JWT access token on every request, then use the token's scopes and claims to authorize access to resources. This is sometimes called a zero trust architecture.
Another important requirement is to avoid revealing sensitive data in tokens, such as emails, to internet clients. The phantom token pattern has more info on this, and involves the use of an API gateway.
I would favour a solution where there is an API gateway in front of your APIs. This is a hosting best practice and also enables you to perform tasks such as cookie and token translation in the gateway.
APIM is one solution so I would favour that type of option if it improves your API security. There are other Azure options though, so it can be worth clarifying the types of things you want to do in gateways before choosing one. The API Gateway Guides may give you some ideas.
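The per-request check the answer above describes (validate the JWT access token, then authorize on its scopes and claims), as an added example that is not part of the original answer or of any Azure/APIM product code. It uses only the Python standard library, so the token is signed with a constructed HS256 demo secret that stands in for the authorization server; the issuer URL, audience and scope names are assumptions. A production API would instead verify an RS256/ES256 signature against the provider's published JWKS, but the validation order and the distinction between 401 (token not acceptable) and 403 (token valid, scope missing) are the same. Note that the demo claim set carries only a subject and scopes, no email or other personal data, in line with the phantom token advice.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real API loads its key material and expected
# issuer/audience from configuration and verifies against the provider's JWKS.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://issuer.example"   # assumed issuer URL
EXPECTED_AUDIENCE = "api://orders"           # assumed audience for this API
DEMO_NOW = 1_700_000_000                     # fixed clock so the demo is reproducible
DEMO_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "user-123",          # opaque subject, no email or other PII in the token
    "exp": DEMO_NOW + 600,
    "scope": "orders:read",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Create an HS256 JWT; stands in for the authorization server in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check structure, algorithm, signature, expiry, issuer and audience.

    Raises ValueError on any failure so the caller can reject the request."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:                     # covers base64, JSON and unpack errors
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":              # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def handle_request(authorization_header: str, required_scope: str, now=None):
    """What the API (or gateway) does on every request before touching a resource.

    Returns an (HTTP status, body) pair: 401 when the token is missing or invalid,
    403 when it is valid but lacks the required scope, 200 otherwise."""
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_access_token(authorization_header[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return 403, {"error": "insufficient_scope", "required": required_scope}
    return 200, {"subject": claims["sub"], "scopes": sorted(granted)}


if __name__ == "__main__":
    token = mint_demo_token(DEMO_CLAIMS)
    print(handle_request("Bearer " + token, "orders:read", now=DEMO_NOW))    # 200
    print(handle_request("Bearer " + token, "orders:write", now=DEMO_NOW))   # 403
    print(handle_request("Bearer " + token, "orders:read", now=DEMO_NOW + 601))  # 401
```

The order matters: the signature is checked before any claim is trusted, the algorithm is pinned so a header of `alg: none` cannot bypass it, and a tampered payload fails closed with a 401 rather than a 403, so the caller never learns which scopes a forged token "would" have needed.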
I am aware that ejabberd can act as an OAuth2 server and provide the token that other applications can use as an SSO mechanism. My question is: can ejabberd participate in an SSO implementation where the OAuth2 token is supplied by another OAuth server such as Keycloak? If so, is there an example or documentation on how to do so?
ejabberd is a great messaging framework, but it is a weak OAuth2 server compared to implementations such as Keycloak and does not meet our requirements in this fashion. I believe there has got to be a way to get ejabberd to participate in SSO in 2020 and I am missing something.
Tim McClure
I am trying to understand the differences between Federated Authentication and Delegated Authentication, but I am getting more and more confused.
Do we ALWAYS use the SAML protocol for Federated Authentication, or what?
Is it possible to use OpenID Connect (or OAuth) for both authentication methods?
Do we need to have Trusted connection between two domains to be able to have Delegated or Federated authentication?
Do we always use SAML for Partners and OpenID Connect (or OAuth) for Customers?
I will be grateful if somebody explains different steps for these two authentication methods between two domains (Partners and Enterprise).
A difference between the two methods is:
A delegated solution means that one site is simply outsourcing its authentication needs to another pre-selected site. If your site uses Facebook Connect, you are delegating your authentication facilities to Facebook. Visitors to your site cannot use any other accounts, only accounts from the vendors you have pre-selected.
A federated solution means that visitors to your site can use any account they have, as long as it is compatible. It makes no difference to the site which account is being used, as long as it can interoperate. At its core, OpenID is a federated solution because its most important feature is the ability to use any OpenID account with any OpenID-enabled service.
Source
Now to your questions:
Not only SAML but OpenID Connect, OAuth2 or even other protocols can be used as well.
Yes. Just note that a delegated solution is less secure.
What is the difference between OAuth 2.0 and Auth0? Which one should I use to develop the authentication system?
OAuth 2.0 is a standardized authorization protocol, Auth0 is a company that sells an identity management platform with authentication and authorization services that implements the OAuth2 protocol (among others).
OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.
Auth0 is an organisation that manages a Universal Identity Platform for web, mobile and IoT; it can handle any of them: B2C, B2B, B2E, or a combination.
Source
In case you cannot understand any of the above:
OAuth 2 is a standard or protocol to implement authorization for any kind of software (Windows, mobile or web).
Auth0 is a software product (cloud and on-prem) that implements the OAuth2 protocol. You can use Auth0 to simplify your authentication and authorization requirements.
We mainly use OAuth 2.0 for session-based security management at the server side. OAuth 2.0 is an authorisation framework that enables a third-party application to obtain limited access to resources the end-user owns. It is about resource access and sharing. https://auth0.com, by contrast, is a company that sells an identity management platform for authentication-related tasks. So with the help of auth0.com services an app developer doesn't need to write code for login/registration/social login and doesn't need to think about its security. The complete user management task is managed by the Auth0 organisation.
What Identity Provider are you aiming to use?
Auth0, identityserver, ADFS 4.0 etc. all support the OAuth stack.
Using implicit OAuth flow you can connect your Angular application to any of these.
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that authenticates users against an OpenID Connect Provider. If the OpenID Connect Provider supports an STS (Security Token Service), is that supported by mod_auth_openidc? I couldn't find any resources that explain this.
No, assuming you refer to the WS-Trust STS.
Update: there's a separate module, https://github.com/zmartzone/mod_sts, that supports various token exchange protocols, including WS-Trust.