Does Ejabberd Participate In OAuth2 SSO As A Client - oauth-2.0

I am aware Ejabberd can act as an OAuth2 server and provide the token that other applications can use as an SSO mechanism. My question is: can Ejabberd participate in an SSO implementation where the OAuth2 token is supplied by another OAuth server such as Keycloak? If so, is there an example or documentation on how to do so?
ejabberd is a great messaging framework, but it is a weak OAuth2 server compared to implementations such as Keycloak and does not meet our requirements in this fashion. I believe there has got to be a way to get ejabberd to participate in SSO in 2020 and I am missing something.
Tim McClure

Related

APIM Gateway and protecting API with OAuth

I have an API which is hosted in Azure. It is using the Microsoft Identity platform for authorization. Now we need to integrate the APIM Gateway for the API. APIM also provides OAuth authorization. So my question is: should I configure OAuth for my API in APIM, since the API would be deployed in APIM, or can I continue to use the Microsoft Identity platform, which is doing its job? So I am looking for the benefits of using OAuth from APIM rather than through Microsoft Identity. In other words, what would be the difference and pros of using OAuth vs Microsoft Identity, which also relies on OAuth?
Each API should validate a JWT access token on every request, then use the token's scopes and claims to authorize access to resources. This is sometimes called a zero trust architecture.
Another important requirement is to avoid revealing sensitive data in tokens, such as emails, to internet clients. The phantom token pattern has more info on this, and involves the use of an API gateway.
I would favour a solution where there is an API gateway in front of your APIs. This is a hosting best practice and also enables you to perform tasks such as cookie and token translation in the gateway.
APIM is one solution so I would favour that type of option if it improves your API security. There are other Azure options though, so it can be worth clarifying the types of things you want to do in gateways before choosing one. The API Gateway Guides may give you some ideas.

OpenID connect mechanism by Fiware Generic Enabler

I know that Fiware Identity Management, called Keyrock, provides an OAuth 2.0 mechanism for authentication.
Is this mechanism based on the OpenID Connect profile of OAuth 2.0?
Is there any generic enabler for OpenID Connect mechanism integration in a Fiware architecture?
I have thought about deploying Keycloak in parallel, but it would put extra latency on my system and would reduce the throughput.
Is there an all-in-one solution for OAuth2, OpenID Connect and XACML mechanisms provided by Fiware?
Should I extend Keyrock with an OpenID implementation?
Thanks in advance!!!

Are OAuth and OpenIDConnect just used to authenticate and authorize other people's applications against our API?

I'm new to OAuth 2.0 and OpenIDConnect.
I want to ask if it is necessary to implement OAuth 2.0 and OpenIDConnect for the login and register flow of our own client applications (mobile apps and server side app)?
Because I've been searching for tutorials to implement a login/register flow, and the best practice right now is using OAuth 2.0 and OpenIDConnect, but their implementation is geared toward securing our API against other people's client applications. Is this auth flow just used to allow other people's client applications to access our API?
Thank you
OAuth 2.0 is both elegantly simple or extremely complex depending on your understanding of the technology and how to implement authorization.
I'm new to OAuth 2.0 and OpenIDConnect. I want to ask if it is necessary to implement OAuth 2.0 and OpenIDConnect for the login and register flow of our own client applications (mobile apps and server side app)?
No, it is not necessary to implement. There are many methods of authentication and authorization. OAuth is just one of the more popular methods.
A simpler and terrible method is to just implement username and passwords for your users. Simpler, in this case, is a relative term as now you need to worry about keeping usernames and passwords stored somewhere securely.
OAuth can be used to secure public access to your website, applications (REST endpoints), and more. OAuth can be used for server to server authorization. In the end, OAuth is just a method of creating a token that is presented to a service. The service verifies the access rights of that token and denies or proceeds with the request.
Authorization and authentication are domains that require a lot of experience to implement correctly. There are many nuances to consider. That is why so many companies are breached: they do it wrong or implement weak methods. At one company I visited for an audit, I wrote down 10 usernames and passwords because everyone had yellow Post-it notes on their monitors. Even the best OAuth implementation will have problems with that level of security.

Does XMPP support OAuth as an authentication mechanism in the protocol spec?

I am making an application that uses XMPP as its communication protocol, but for a better user experience I want the end user to be able to register and log in via Facebook/Google or any OAuth2 provider (e.g. GitHub).
Does the XMPP protocol itself support user authentication via OAuth like POP3 or IMAP do? I mean, what's the appropriate message format for OAuth2 authentication?
The XMPP protocol itself supports SASL authentication, and later specs of SASL support OAuth2 and OAuth 1.0a, as seen in rfc7228.
XMPP also supports other bindings besides TCP, such as the WebSocket one (RFC 7395) or the slower BOSH. In this case you can use the "traditional" APIs for OAuth2, in other words do OAuth2 as would be done on a classic web-based application, and use XMPP as the message/data transfer.
So the answer to your question is YES, it supports OAuth2, as the spec says so.
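To make the "message format" part of the question concrete, here is an added example (not part of the answer above) that builds and parses the OAUTHBEARER initial client response defined in RFC 7628 and frames it in the XMPP SASL `<auth/>` element from RFC 6120. The JID, host and token value are constructed placeholders; the server-side parser only extracts the bearer token, since validating it against the OAuth2 provider is out of scope here.

```python
import base64
import re

KVSEP = "\x01"  # RFC 7628 key/value separator (a single 0x01 byte)


def build_oauthbearer_response(token: str, authzid: str, host: str, port: int = 5222) -> bytes:
    """Client side: build the OAUTHBEARER initial response from RFC 7628 section 3.1.
    Layout: gs2-header, kvsep, one 'key=value' + kvsep per field, then a final kvsep."""
    gs2_header = f"n,a={authzid},"  # 'n' = no channel binding; a= is the authorization identity
    kvpairs = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {token}{KVSEP}"
    return (gs2_header + KVSEP + kvpairs + KVSEP).encode()


def wrap_in_xmpp_auth(initial_response: bytes) -> str:
    """Frame the SASL initial response as the <auth/> element XMPP uses (RFC 6120 section 6)."""
    b64 = base64.b64encode(initial_response).decode()
    return f"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='OAUTHBEARER'>{b64}</auth>"


def parse_oauthbearer_response(raw: bytes) -> dict:
    """Server side: split the response back into fields, rejecting malformed input
    before the bearer token is handed to the OAuth2 provider for validation."""
    text = raw.decode()
    if not text.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminating kvsep")
    gs2_header, _, rest = text.partition(KVSEP)
    m = re.fullmatch(r"(n|y|p=[^,]+),(?:a=([^,]+))?,", gs2_header)
    if not m:
        raise ValueError("malformed gs2-header")
    fields = {"cbflag": m.group(1), "authzid": m.group(2) or ""}
    for pair in filter(None, rest.split(KVSEP)):
        key, sep, value = pair.partition("=")
        if not sep or key in fields:
            raise ValueError(f"bad or duplicate kvpair: {pair!r}")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("auth field must carry a Bearer token")
    fields["token"] = token
    return fields


if __name__ == "__main__":
    # Constructed sample: the token value is a placeholder, not a real credential.
    resp = build_oauthbearer_response("example-token", "juliet@im.example.com", "im.example.com")
    print(wrap_in_xmpp_auth(resp))
    print(parse_oauthbearer_response(resp)["token"])
```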

Does mod_auth_openidc support STS(Security Token Service)?

Since mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that authenticates users against an OpenID Connect Provider: if the OpenID Connect Provider supports an STS (Security Token Service), is mod_auth_openidc supported for that? I couldn't find any resources which explain this.
No, assuming you refer to the WS-Trust STS.
Update: there's a separate module https://github.com/zmartzone/mod_sts that supports various token exchange protocols including WS-Trust.