Does Adobe Experience Manager support OAuth 2.0 as a client? I mean AEM connecting with an external application which plays a role of authorization server and resource provider.
I could not find any examples of such usage - AEM is usually presented as an authorization server and resource provider for other client applications.
AEM provides an number of authorization integrations. Maybe you can switch to SAML, which works pretty good out-of-the-box. I once integrated AEM with Keycloak with good results (but using SAML).
Regarding OAuth most documentation is dominated by AEM as an OAuth provider. They integrated Apache Oltu (which is end-of-life anyway).
But AEM provides an OAuth client as well. But it needs a custom extension for each provider. Out-of-the-box are only implementations for Twitter and Facebook available. But there seems also Github and IMS (Identity Management from Adobe Managed Services) to be available.
Please check also Package Share. But I don't know what is available there. And you probably need support from Adobe, to judge the quality and usefulness of such packages.
If you have to implement your own Provider-Extension, the best starting point I found was here:
https://aemcorner.com/adobe-granite-oauth-authentication-handler/
You are basically free to build whatever you want, as AEM is basically nothing else but a Java application. But you might want to keep in mind, that the standard applications of AEM are delivering rendered HTML from the dispatcher in the end. You want to have as little load on the publishers as possible.
So, when authorisation of resources is a technical- or business concern, you might need to dive deeper into SPAs or at least async loading of resources as JSON.
Related
Our existing customer base is in peoplesoft and we are developing lot of mobile applications. Hence, we would like to use oauth 2.0 for authentication and authorization, but i cannot find any way to integrate the two.
Does PS implement OAuth? If they don't then you'll be out of luck. A quick search indicates they support SAML for SSO (on their web sites). You will probably have to describe a little bit more what you are doing, and why you think OAuth is the way to go.
Note that being mobile doesn't necessarily mean you have to implement OAuth.
This is a very late answer, but as of PeopleTools 8.58, PeopleSoft applications support OAuth2 for REST services. The caveat is that only Oracle IDCS is able to be used as an authorization server. There may be a plan in the future to support other authorization servers.
Cf. https://blogs.oracle.com/peopletools/what-peoplesoft-is-doing-with-oauth2-in-858 and https://support.oracle.com/knowledge/PeopleSoft%20Enterprise/2621182_1.html for more information.
Is there any sample of implementation of OpenID Connect Provider in .NET?
DotNetOpenAuth doesn't seem to support this standard.
Yes, IdentityServer is an openid connect provider. There are lots of samples of relying parties, provider configurations and a resource server api. See here for the examples: https://github.com/IdentityServer/IdentityServer3.Samples/
It seems to currently be the only "certified" open source .NET (C#) implementation. See http://openid.net/developers/libraries/
I would expect Microsoft to release their OP pretty soon, named WAAD - Windows Azure Active Directory Server: http://www.gluu.co/waad-interop
Are you sure you need an OpenID Provider? If you need Relying Party code, I recently saw this quick article: http://www.gluu.co/simple-connect-client
If you really need an OP, perhaps you should consider OX: http://ox.gluu.org
Who really cares what language the OP is written in? What you want is an easy way to administer the thing... and OX provides an excellent management Web UI (oxTrust).
I need help with oauth2.0 and java restful (jersey), any help would be appreciated, I need to find way how oauth2 would be implemented. Here's the scenario, We have a web based application, now, there are clients engage to it. They're planning to have an API (Restful service) so that it will be consumed on mobile devices(android and ios). (They can login using mobile and update their accounts etc.).
Now, my problem is how will I integrate oauth2 for its security using java and how will I create Authorization server.
I used to have the same question and end up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
# Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands for downloading and starting the authorization server.
git clone https://github.com/authlete/java-oauth-server.git
cd java-oauth-server
vi authlete.properties
mvn jetty:run
The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released on Sep. 2015) about a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and works like a charm, thanks to the author.
I have been tasked with creating a Web API for our mobile application and future 3rd parties to use in order to access our data, etc.
That alone is simple enough, but then I need to secure it. Initially, after reading about OAuth and doing some research, I decided to go the home grown token based route utilizing best practices found online for security. My prototype worked wonderfully but unfortunately the company wants to use OAuth since it's a recognizable standard and considered marketable to our clients.
Soooo, after banging my head against multiple walls the past few days I am curious if anyone has an implementation using OAuth as a service provider and then an ASP.NET Web API client as consumer.
The workflow envisioned is that the mobile application would hit the API which in turn would expect token(s) issued from our self-hosted OAuth service provider. I've yet to find any comprehensive documentation or examples online about this. So far everything I've seen is very piecemeal and therefore incredibly frustrating trying to implement anything.
Well - there is the OAuth spec of course (since you seem to like to handcraft things ;)) https://www.rfc-editor.org/rfc/rfc6749 and the corresponding threat model - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-threatmodel-08
Our OAuth2 authZ server / sec library has an implementation as well - I compiled some docs here: https://github.com/thinktecture/Thinktecture.IdentityServer.v2/wiki
I'm mildly familiar with DotNetOpenAuth and OAuth in general, but in terms of Web API development, what is the best way to lock down a web service in terms of the following criteria:
Ease of implementation
Interoperability/compatibility with end-user facing platforms (iOS, Android, Win Phone, Flex...)
Whether or not it is clearly standards-based (like OAuth for example)
Thanks!
please take a look here: OAuth 2.0 in Web API
Inside the WebApiContrib project there are also Basic Authentication samples which is straight forward but it should not be used without SSL.
The DotNetOpenAuth .zip download includes a sample WCF service that is protected by OAuth.
There are a couple of wcf web api implementation to handle authentication on internet. I have done one as well # http://misaxionsoftware.wordpress.com/2011/07/29/secure-restful-web-service-by-wcf-web-api-no-https-seriously/
Note: code is based on Preview 3, some class name has changed in Preview 5.
The idea of implementation is ensure secured communication without SSL.
It's easy to construct. The function is transparent to your service because all the work is done in message handler. You don't bother to call the authenticate function in your service method.
Compatible with end-point where RSA encryption is supported.
Standards-based, hmm... Standards varies from case to case...