We have
KeyCloak (OpenID Connect)
1x Rich client (with keycloak java adapter)
1x WebClient SPA (with keycloak javascript adapter)
Both applications are public and in the same realm, but have different Client IDs.
Ве would like to implement SSO (Single Sign On) consider the following scenario:
The user make login with user/password in rich client and the rich client receives JWT (AccessToken, IdToken adn RefreshToken).
Now user from rich calls webclient (with a deep link) and it opens a web browser. Because the webclient does not have yet access token it redirect users to keycloak (OpenID Connect/OAuth 2.0) login page.
What would be the correct way to implement SSO so that webclient is authenticated automatically with the credentionals from the rich cleint?
We do not have Username/Password after login any more, only the Tokens.
I don't see the problem here. When user from rich calls webclient, and it opens web browser, webclient redirects to keycloak, but the user is already logged in. User does not have to type username and password again. Keycloak redirects to your SPA and you get your tokens.
Related
I am migrating from spring security oauth to keycloak. My current system supports login with username/password, mobile number/password and moobile number/otp.
Keycloak allows me login and generate token using username/password and mobile number/password using custom provider SPI implementation.
I want to allow my users to login with OTP. In my current implementation I am using grant_type. If grant_type is 'password' we check for username and password. If grant_type is otp, We send an otp to mobile number and secret against otp to frontend for validation. We then receive otp with secret and if it is valid, token is generated for user.
Keycloak is allowing to create auth for browser flow but not for direct grant or rest api. Is there any possible solution for this using keycloak?
We have an MVC application (<myapp.somedomain.com>) .net 4.5.2 (OWIN/ADAL) that uses ADFS2016 for AuthN/AuthZ via OIDC/OAuth2. Users' credentials and attributes are stored in AD LDS. A client (X) requested to authenticate in the application via their IdP over SAML2. Is this possible WITHOUT making changes to the application?
The flow I am looking for; for this client the app’s URL would be (<myapp.somedomain.com/?client=x>). Our ADFS would recognize and redirect the client to their IdP where they would authenticate and than they would be send back to our ADFS along with some predefined claims. Our ADFS would map these claims to an Id Token / Access Token for our application to use. Am I dreaming or is this indeed feasible?
Any links to articles / documentation on how this could be achieved would be most helpful.
As #Wiktor suggests, you could add a SAML client-side stack to your app.
The other way is to federate ADFS with the SAML IDP.
When the user is redirected to ADFS, they use Home Realm Discovery to either redirect to the SAML IDP or authenticate on ADFS directly.
ADFS should handle the token conversions but you may have to fiddle around with the claims rules.
I want to create an ADFS session in the browser using APIs only.
I don't want to redirect users to ADFS login page. I collect user's AD credentials and using those credentials I want to create ADFS as well as my site's session in the browser. Currently, I can create my site's session but not ADFS's session.
For this, I am using OIDC's Password Grant flow which works fine as I am getting access_token, id_token and refresh_token but it does not create ADFS's session in the browser.
I am using other federated applications with the same ADFS, so ADFS's session in the browser is critical for me.
Creating User session using APIs is supported in OneLogin (https://developers.onelogin.com/api-docs/1/login-page/login-user-via-api) and I want a similar approach for ADFS.
I am also open to any other approach which can help me achieve this goal.
If anybody can help me with it, it will be a BIG RELIEF.
ADFS Version: 4.0
OIDC Flow: Resource Owner Password Credentials
ADFS (and Microsoft Identity products in general) do not have authentication API.
You can do this via WCF (WS-Fed active profile) but this by definition is not browser-based.
Here is my Problem statement:
I want to do OAuth authentication with external Authorization Server(say External Identity Provider) But user should provide credentials on my custom login page. I know when we do Oauth user must be redirected to Identity provider to authenticate and complete OAuth dance. But in my case, I want user to provide credentials on my login screen. No where in the process, user should see the identity provider login page. Any thoughts?
If the user enters his credentials on your login page, how will your app verify these creds with the identity server?
The idea of oAuth is that you app (the client app) will not be exposed to the user's creds.
Note: If there is a tight relationship between the client app and the identity-provider (e.g. Facebook and the Facebook app for mobile) so you can perform this with Resource Owner Password Credentials grant type.
I have implemented an OAuth2 register workflow (in Java) according to rfc6749
I'm using GitLab as OAuth2 Provider.
After the user granted access to my application for his account, I get an OAuth Token (along with refresh token and other stuff), I am able to make API requests on behalf of the user, so this is working fine.
This way I can get the users e-mail adress which I use to create an internal user.
My questions are:
Is it practice to issue a token that is generated by my application for the user (along with the OAuthToken) or should I just use the token that has been issued by the OAauth Provider? (My App also has local auth with bearer tokens). This token will be used for further API - CLIENT communication (stored in Angular2 local storage as bearer)
How to do login only? When a OAuth User accesses my web service, how do I know that this user is a OAuth User and which OAuth Token belongs to him? How can the user login without providing e-mail or password? (The user has no password) I guess I have to redirect him to the OAuth Provider again, but I don't want my user to grant access everytime he logs in.
Answer 1:
Though you can use the token provided by OAuth provider, you SHOULD NOT use it considering the risk that may arise exposing it to the public.
Instead you should securely save the token provided by OAuth provider into the database and use another token for authentication of further api calls. (you could use JWT)
Answer 2:
There are two types of systems
Which always uses OAuth provider for identifying user. (Ex. Tinder)
Which provides both OAuth Login and Traditional login/signup. (Ex. Quora, Instagram)
If you want your application to follow 2nd approach, you should ask the user to create password for the first time when the user logs in using OAuth provider.
This will allow the user to log into your application by both methods, traditional as well as OAuth
To identify users of your application, you should either use HTTP session or issue your own tokens. Do not use tokens generated by the OAuth2 provider - they are meant to be used just by your backend (in role of an OAuth2 client).
To use an external authentication in your application, you probably want to use OpenID Connect, not a bare OAuth2. OpenID Connect extends OAuth2 and it's meant for authentication instead of the rights delegation. Then you use an implicit flow (instead of authentication code grant) with scope=openid, your frontend app (HTML+JavaScript) gets an ID token signed by the OAuth2 provider. After successful signature verification, your backend can trust that the client is the one described in the ID token (in its "sub" field). Then you can either keep using the ID token or generate your own token.