I have an application consisting of (simplified) 3 parts:
an Security-Token-Service (handling OAuth2 and OpendId-Connect) with its own seperated database (actually it's Identity Server 4 with ASP.NET Core Identity)
an API (with a seperated database)
and a SPA communicating with the API
Now the problem is that the database of the STS holds the user data and in the API-DB there is also a table user-accounts with the work-load-data for each user.
Currently I create the API-DB user-account on the first login of the user. Which works.
I am just wondering if there is a protocol (extension) defining a way to sync created/deleted users between an STS and other server applications.
Might be worth having a read of this and evaluating whether it fits your use-case:
https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
Related
Basically, I have 2 sets of projects, 1 contains the Web API Services and the other is the Web Portal which extracts data from the database through the API. However, following the set-up of ASP.Net Identity, the login process is all client-side. Is there any way where I can shift the Identity login to be performed through the API rather than having it directly connecting to my database?
I've tried installing Identity onto the API itself, but I'm also unclear how it is able to authenticate the user even if I pass the data to it.
Our business use case is that we have four to five services deployed as java spring web applications. These services have user/customers derived from either registration process or some existing running applications exposed as rest services. We intend to make a single portal which provides users to be able to use a single account / credential to log into many services directly.
With internal approach we assume having individual customer table for each services. And a common Login table for all services whose id is tagged/mapped as foreign key in individual customer table of each services.
Also some services can be accessed without registration , in that case we fetch the data via customers account id from some third rest service and store it in individual services/application customer table and in common Login Table if not already present.
For services which require registration we store the customer credentials in login table if not present; and also in service/applications customer table with a common login table mapping.
But we need a secure portal with session tracking , session timeout just like Single Sign On
With some research we have narrowed the approach to implement the above scenario with either SSO or Oauth2 which her is applicable.
Refer the link (https://stormpath.com/blog/oauth-is-not-sso ) for more insight.
Can someone suggest which approach SSO or Oauth2 is applicable for our business usecase ?
if SSO , which is the best opensource simple SSO for java Spring applications?
if OAuth2 , what will act as Client application, Authorization Server , Resource Owner and Resource Server? As we have services(Java applications) as client application hosted in Common Application/Portal? will the common login table act as resource owner ?
You will likely want SpingSAML. If the applications are hosted on separate paths, like example.org/app1 and example.org/app2 then you could use a Shibboleth Service Provider as the SAML SP for the applications.
You'll still need an Identity Provider of some sort, which SpingSAML can't do, but there are innumerable IdP implementations out there: i.e. Shibboleth Identity Provider, ADFS, or a commercial IdP like Okta, OneLogin, Ping, etc.
Looking for a bit of advice regarding best practice regarding multiple user stores.
Currently I have Identity Server 3 set up using a factory method to connect to an Asp.Net Identity V2 user store.
I have two MVC Relying Party applications, both using OWIN to pass un-authenticated requests to the Identity Server.
Within Identity Server, both RP client applications are set up using Hybrid flow.
Now my question:
I want to have the Identity Server use mutiple user stores (in my case, we have users authenticating via our Identity V2 Store and also via ADFS)
I'm not sure how to detect or tell the which kind of user is connecting to the RP client application, and I'm not sure how to pass this information to Identity Server so that it can make a decision on which user store to use.
Any help greatly appreciated.
Context:
We have a monster ASP.NET MVC 5/Framework 4.5 application that is planned to be divided in several others, so each new application will deal with a specific business domain instead of many. All those applications together will provide the same functionalities and services that are provided today by the existing single application.
We plan to use our own OAuth server to provide authentication and authorization for all the new smaller applications, so the very same users that use the current large application will have the same rights in the same functionality.
Currently we use Windows Authentication mixed with a secondary custom structure to establish what a certain user can do. We have our own role provider to generate the roles assigned to the users. When a certain controller action asks for the list of roles af a certain user, our role provider search in our custom structure and provide those roles, following specific business rules that make sense in our application.
We understand that the same rules that establish the set of the roles assigned to a certain user will be moved to our OAuth server.
We understand that the role-based security will be replaced by a claim-based security.
We understand that we will stop testing for roles and start testing for claims.
We understand that the first step of this refactoring should be add external authentication in our current large application and then start to break it into parts so we will have our new ecosystem.
Question:
How to change my current large application so it authenticate and authorize requests by using the new OAuth server instead by itself?
Note:
I´ve read a lot of blog posts but so far I couldn´t find a simple code sample that shows me what to do to instruct my application to go for an authentication/authorization token in my OAuth server and use it to grant or deny the access to a given controller action.
I want to seed some user profile data in an ASP.NET MVC 4 application so that I can run some (browser) automated UI tests (for secured areas of the application).
I don't want to store any passwords so I'm only using external OAuth/OpenID authentication providers, e.g. Google.
Is there any reason not to include my Google OpenID URL in a data seed method (which will be committed to a public GitHub repository)? Should the ProviderUserId field (in the webpages_OAuthMembership table by default) be kept private/secret?
Are there any better approaches to UI testing a public MVC 4 internet application that only uses external authentication providers?