I have two services app1 and app2.
App1 use devise_jwt for auth.
App2 don't have web-ui, but provide only some api-data.
Is there a way to setup sso from app1 to app2?
Some examples to clear what i'm talking about:
I auth in app1, go to page where app2 data is shown (app1.com/app2data), ajax-request to app2.com/data is fired to retrieve JSON, app2 check JWT and give me it's JSON-data
I go to app2.com/data, it redirects me to app1/login, authenticate and redirect to app2.com/data
Or maybe there is more simple ways to secure data in app2 service?
Related
I am trying to write an application that:
In a browser, authenticates a user with a Google account.
Calls a backend service.
Backend access user's drive (and some other things) and then returns JSON.
Frontend: copied some example from the web, can authenticate without issues.
Backend: Node.js/Passport.js. Copied the code from an example, can authenticate.
But how do I authenticate a user in the browser and then do an API call so the API may access the Google Drive? What is the expected flow?
A. Web app authenticates the users then passes id_token to the server?
Can't find how to implement this on a server...
or:
B. Server sends app to, say, /auth/google/ on the same server, then app gets a token from server?
Think of OAuth2 as a permission delegation protocol - user (Resource owner) authenticates and gives a consent to passing an access token (or some other tokens) to the OAuth2 client that initiated the process. When the client receives the access token, it can act on behalf of he user and access resources on a resource server (Google Drive).
So if your backend wants to access Google Drive, the cleanest way would be to make your backend an OAuth2 client, that redirects a user to Google auth server and then receives an auth code. The client must ask for scopes that will allow it to access Google Drive. The auth code can be exchanged for an access token. To access Google Drive, the backend needs to send a valid access token in the Authorization HTTP header of the request.
If you need the tokens on your frontend as well, you can use it as an OAuth2 client and pass them to the backend in an HTTP header.
I have SPA app, backend is ruby on rails and frontend is React. Now I am developing new authentication feature; login with GitHub account with omuniauth gem.
However after authorization with GitHub we need to redirect to backend server as that is the server which is sending authorization request to GitHub authentication server. That means my frontend cannot receive response from GitHub which contains auth information such as user name, token, etc.
I understand we can redirect to frontend URL through backend API, but even in that case I believe auth information from GitHub is not passed to frontend.
Is there any way to share the auth info from GitHub after oauth2 authorization? Any help would be really appreciated. Thank you so much in advance!
For your use case (which is implicit grant flow) I think that's not possible, common pattern to solve this is token handler pattern
Basically, after your backend receive callback from the github & exchange it with access token, you can issue a cookie or token (not oauth token) to the frontend. This cookie is associated with the github's access token.
Later, after you redirected back to the frontend, you need to request the github's user profile proxied via backend
If you want to be able to access github api directly from the frontend, consider using client credential flow (typically used for SPA, without backend)
I've created a FeathersJS backend app and a React frontend app. I'm using OAuth2 strategy to authenticate users to my own WordPress site. Everything is working fine. But now I'd like the users to be able to access my FeathersJS backend REST API, but as they authenticate through the WordPress OAuth2 server, thus following all the OAuth2 authentication process through my React frontend app, which would be the correct FeathersJS way to allow the users authenticate to my backend so that they can do REST API calls?
But now I'd like the users to be able to access my FeathersJS backend REST API
To let people access your backend REST API (which I assume is only possible after they authenticate), you need to check whether the access token they have is, in fact, valid with the third party auth provider.
You can directly let them use the back end API. In case the API doesn't find a valid access token with the incoming request, it will redirect it to the login page. After which, now the backend can validate itself with third-party OAuth provider and return the result.
following all the OAuth2 authentication process through my React frontend app
It is recommended to not do all the OAuth check from front-end since this exposes the access-token on the user agent, which might be a serious issue. See this:
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2#grant-type-implicit
I have a web applications:
app1 with springframework 2.5 It has standard spring-security form login. I didn't find a solution to enable SSO via Keycloak for this app, because keycloak spring-security adaptor doesn't support springframework 2.5.
app2 with springframework 5 using keycloak for Single Sign On with authorization_code grant type.
I am integrating these 2 application together by adding menu items in app1 to navigate to app2 pages using JavaScript. I am looking for a silent authentication option to get tokens from Keycloak after log into app1. Then sent request to app2 with this token. I really appreciate if anybody can give me some idea. Sample code is even better.
Can I use OpenId Connect to implement SSO between two Single Page Applications (SPA)? If yes, what would be the flow.
Scenario: App1 (SPA) starts and uses one of the OIDC flows to obtain Id_token and acccess token. It then makes many REST API calls. At some later time, user clicks on a button that brings up second SPA App2. Both app belongs to same company. Can App2 utilize Id_token and access token obtained by App1 for SSO? Looking at the spec, answer appears to be NO, because these tokens are meant for a specific client. Any other flow that enables SSO between two SPAs using OIDC? or is it outside the scope of OpenId Connect, in which case we have to look at traditional propitiatory solutions like CA, IBM etc. Thanks.
I would use the implicit flow for both apps. It could work like this:
App1 goes to the auth endpoint of the OpenID Connect server. To get the tokens, the user has to get authenticated and the OIDC server may create a session for him (identified by a cookie).
App1 opens a new tab with App2.
App2 doesn't have tokens yet, so it goes to the OIDC auth endpoint. The OIDC server recognizes the session created in step 1 and it may decide decide to release the tokens without authentication and redirect back to App2.
This way, each app would get its own tokens (yes, they are released for a specific client). And the user would not be bothered by authentication for the second app. But the OIDC behavior in step 3 is not standardized and depends on implementation. For example, it may depend on what scopes the apps are requesting - if they are not the same for both apps, the OIDC could require authentication for the second app as well.
If you also need single sign out, there is a specification for that:
http://openid.net/specs/openid-connect-session-1_0.html
You create two iframes in your apps - one for detecting OIDC session changes and one for communication between the first iframe and the app. The specification contains even examples of the iframe documents.