Need WOPI integration to support 2FA scenarios - officedev

For the WOPI protocol to be used for integration with mobile and Web Office clients in secure corporate environments it needs to support two-factor authentication.

Related

Why should I enable OAuth from APIM when it is already secured using Microsoft Identity platform

I have created a Web API using .NET Core 5. I have secured the app using the Microsoft Identity platform. Client apps are able to get to the resource based on their scope/role. So I know that my API is secure.
Now, I need to add the API to Azure API Management tool.
So my question is: should I enable OAuth from the Azure API Management to secure my web API even though my app is already secured? What would be the reason that I enable OAuth from API Management?
APIM is a proxy to the backend APIs and implementing security mechanisms to give an extra layer of security to prevent unauthorized access to APIs is a recommended practice.
Configuring OAuth 2.0 Server in APIM merely enables the Developer Portal's test console as APIM's client to acquire a token from Azure Active Directory. In the real world, customers will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references that explain how OAuth secures the Web APIs/Services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM

webapi authentication and authorization wsfed and oauth

We have an existing MVC Angular application enabled with ADFS WS-Fed authentication. The application has many APIs hosted as a part of the solution which are internally accessed by views. Now we have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenID for the endpoints and enabling other developers to access them. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.

OAuth 2.0 vs Auth0

What is the difference between OAuth 2.0 and Auth0? Which one should I use to develop the authentication system?
OAuth 2.0 is a standardized authorization protocol; Auth0 is a company that sells an identity management platform with authentication and authorization services that implements the OAuth2 protocol (among others).
OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.
Auth0 is an organisation that manages a Universal Identity Platform for web, mobile and IoT and can handle any of them — B2C, B2B, B2E, or a combination.
Source
In case you cannot understand any of the above:
OAuth 2 - is a standard or protocol to implement authorization for any kind of software (Windows, mobile or web).
Auth0 - is a software product (cloud and on-prem) that implements the OAuth2 protocol. You can use Auth0 to simplify your authentication and authorization requirements.
We mainly use OAuth 2.0 for session-based security management at the server side. OAuth 2.0 is an authorisation framework that enables a third-party application to obtain limited access to resources the end-user owns. It is about resource access and sharing. https://auth0.com, on the other hand, is a company that sells an identity management platform for authentication-related tasks. So with the help of auth0.com services an app developer doesn't need to write code for login/registration/social login and doesn't need to think about its security. The complete user management task is managed by the Auth0 organisation.
What Identity Provider are you aiming to use?
Auth0, IdentityServer, ADFS 4.0 etc. all support the OAuth stack.
Using the implicit OAuth flow you can connect your Angular application to any of these.

Using another OAuth2.0 Authorization Server with MobileFirst Platform other than the included one

Reading this very good blog post (Getting familiar with IBM MobileFirst Platform Foundation OAuth Security) I learned how MobileFirst Platform (7.0 and above) has an integrated OAuth2.0 Authorization Server, which can be used to protect external resource servers.
However what I would like to understand is if it's possible to integrate MobileFirst Platform with another Authorization Server and protect MobileFirst Platform (and external) resource servers. The Authorization Server in this case would be ADFS running on Windows Server 2012R2.
This document from the Product Documentation explains how to use DataPower as OAuth Authorization Server. Can it be used also for other OAuth2.0 Authorization Servers? (The Authorization Server in this case would be ADFS running on Windows Server 2012R2.)
IBM MobileFirst v8.0 only has support for DataPower as an external authorization server.
If you'd like to use a different AZ server, the only way I can think of is implementing the flow via a MobileFirst SecurityCheck, and having that security check call the other Authorization Server.
That way you'd be using both the MFP Authorization Server and ADFS (so two OAuth flows, two tokens, etc.).
Think of this high-level flow example:
Your resource is protected by some scope; this scope is mapped to a security check in MobileFirst Server. When your client attempts to access the resource, your security check is triggered, which will then make a request to the ADFS authorization flow. Your security check would then act as a middleman between ADFS and the client, and will be successful only when ADFS has granted a token.
Eventually, when the MFP security check is successful, an MFP OAuth token will be granted to the client, which will allow it to access the protected resource.
So basically your security check will act as your client against the ADFS Authorization Server.
A simpler way would be to make that resource unprotected and implement your own custom OAuth flow against ADFS - but that's not the original question.
But the plus side of the first option is that you can always map that same scope (which is protecting your resource) to something else without interruption (via the console), like to a different security check which does something else.
For IBM MobileFirst 7.1 (or 7.0), the flow is pretty much the same, only the terminology is different: in 7.x there are no security checks, but you can use a custom authenticator to get the same functionality.
Personal note - if you're not bound to using 7.x, I'd recommend doing it in 8.0.

Delphi & SAML (Web apps or desktop apps)?

Is the SAML protocol (Single Sign-On) used solely for web apps and web services, or is it also used for standard applications?
REVISED:
I am looking for some Windows (standard applications, not web based) protocols for Single Sign-On.
If you are looking at Windows specifically, why not use Kerberos and Integrated Windows Authentication? It's built into Active Directory and Domain Controllers. It doesn't really work once you start crossing into the Internet and different security domains but it works well behind your firewall in a corporate environment.
However, SAML can be used for desktop applications. I've run into applications before that would retrieve the Kerberos ticket from the Desktop, make a WSTrust/RST call to an STS to validate the Kerb token and get back a SAML token in the RSTR that would be embedded into a Web Services call that the desktop application needed to make.
SAML allows secure web domains to exchange user authentication and authorization data and by definition would require an internet connection to do so. So no, you would not want to use it for a desktop application.
Revised:
Here are the links for Active Directory implementation with Delphi.
http://www.agnisoft.com/white_papers/active_directory.asp
http://adsi.mvps.org/adsi/Delphi/index.html