I am making an Application that uses XMPP as its communication protocol, but for better user experience for my application I want the end user to be able to register and login via facebook/google or any OAuth2 provider (eg. github).
Does the XMPP protocol itself support user authentication via OAuth like POP3 or IMAP does. I mean what's the appropriate message format for OAuth2 authentication?
The XMPP protocol itself supports SASL authentication, also later Specs of SASL support OAuth2 and OAuth1.a as seen in rfc7228.
Also XMPP supports other bindings except TCP such as Websocket one (RFC7395) or the slower BOSH. In this case you can use the "traditional" apis for OAuth2, in other words do OAuth2 as would be done on a classic Web-based application ans use the XMPP as message/data transfer.
So the answer to your questions is YES it supports OAuth2 as spec says so.
Related
I am trying to implement sns login with Spring Security. The api server is spring-boot and the front is android and iOS.
From my understanding, it seems that spring-security-oauth-client supports the process of issuing an access token with server side rendering. (authentication code grant or implicit grant ..etc)
This is where my troubles begin.
First of all, I want to use OpenId Connect because I know that authentication should not be processed with oauth's access token.
Because android needs to use the sdk, the front (android) issues the idToken and gives it to the backend server.
So I wanted to implement it using the oauth2 function supported by spring-security, but I couldn't find a good way. So the following question arose:
Can it be implemented with the oauth-support function of spring-security?
So, I am trying to process authentication by creating an Authentication Provider for each oauth provider through a custom filter that directly extends OncePerRequestFilter.
Another question arises here.
Is there any difference between implementing the filter directly in spring-security and performing authentication in the controller of the spring container? performance or other aspects
thank you.
I am aware Ejabberd can act as an Oath2 server and provide the token that other applications can use as a SSO mechanism. My question is can Ejabberd participate in a SSO implementation where the Oauth2 token is supplied by another Oauth server such as KeyCloak? If so is there an example or documentation on how to do so?
ejabberd is a great messaging framework but it is a weak Oauth2 server compared to implementations such as Keycloak and does not meet our requirements in this fashion. I believe there has got to be a way to get ejabberd to participate in SSO in 2020 and I am missing something.
Tim McClure
I have an existing CAS4 instance that is in use for SSO across several web applications using the CAS protocol. CAS4 and later CAS versions, including CAS5, support other SSO protocols as well. CAS4 has support for SAML, OAuth2 and OpenID 2.0. CAS5 has support for OpenID Connect, etc.
I am wondering if one application authenticates with CAS via the CAS Protocol and a second subsequent application requests access via SAML or OAuth2 if the second application will be prompted to login, i.e. defeating the "Single Sign On" feature/capability?
I would really hope that the "Single Sign On" pseudo session spans different protocols. My worry is that it does not.
CAS4 has support for SAML, OAuth2 and OpenID 2.0. CAS5 has support for OpenID Connect, etc.
Let's be slightly more accurate that CAS4 has basic support for SAML1.1 and OAuth2 and its SAML2 support is limited only to handling an integration with Google Apps. Some have managed to extend it beyond that capability and turn it into a more general-purpose SAML2 integration strategy
CAS5 on the other hand as you note has support for SAML2 and OpenID Connect and a more improved version of OAuth2. The CAS protocol and related REST API implementations also gain quite a number of improvements in the way of working with JWTs as service tickets, etc.
I am wondering if one application authenticates with CAS via the CAS Protocol and a second subsequent application requests access via SAMPL or OAuth2 if the second application will be prompted to login, i.e. defeating the "Single Sign On" feature/capability?
No. That is the purpose of Single Sign-On. Regardless of what protocol you use, SSO/Authentication will continue to work fine because these are different subsystems. The thing that speaks a protocol language and the thing that validates credentials and the thing that creates and manages an SSO session all are very much independent of each other. If you find the opposite to be true in practice, that is a defect that needs a diagnosis.
I recommend you take a look at this blog post:
https://apereo.github.io/2018/02/26/cas-delegation-protocols/
We want to secure our api using OAuth.
Our server exposes functionalities through APIs. Separate UI applications consume these APIs.
Users use these UI application to access their resources. Since there are only two systems (client and server) involved,
we would like to have 2 legged authorization flow instead of 3legged with redirections. Also we would like have
separate UI (client) application verification once and use this verification code to perform user login and get access token.
Currently we are evaluating spring security framework. Most of spring security tutorials/article talks about 3-legged oAuth with bearer token approach.
I’m not sure if it supports request singing and above mentioned required process. Is there any other open source framework we can use?
I am developing web application which consists of a Silverlight application and a REST API. An optional use case is that the customer may also want to integrate with Salesforce. By "integrate" I mean utilize SSO with Salesforce when logging into my application as well as access data via Salesforce's REST API. The current hurdle I can't seem to get over is that SSO uses WS-Federation while Salesforce's REST API uses OAuth 2.0. What is the best way to being these two authentication mechanisms together?
My knee-jerk reaction was for my Federation Provider STS to acquire an OAuth access token from Salesforce and add it as a claim to the security token received from Salesforce's Identity Provider STS, but I think this might require me to write a custom STS. I'd rather not do that. Is there a better way?
This question is old but comes up often, so ...
There is now information on how to do this here
Configuring-SSO-to-SharePoint
This approach uses WS-Fed.