I am completely new to IdentityServer4 and I cannot figure out how does it create an access token from userid (username?) and secret (password?). Here are some sub questions which makes me confused:
a) Is there a seperate database running for IdentityServer, or I should use whatever DB is used for registration (in case of a single API (other) handling registration)?
b) If there is a seperate database, how does it sync with DB for identity server?
c) Does a registration API need to have some changes too, to work with
IdentityServer? Or is it possible to just register it as a service?
IdentityServer4 has IResourceOwnerPasswordValidator to validate the resource owner password credential. You can implement this interface and it enables you to use any user store.
IdentityServer4.AspNetIdentity has an implementation.
Another example is here.
Related
I have a RESTful API that is consumed by a browser frontend and multiple machine-to-machine clients. So I'm issuing tokens with Keycloak 18 through Standard Flow (Authorization code) and Service Account Flow (Client credentials).
The operations on the API's resources are protected by scopes like read:resourceA, update:resourceA, read:resourceB, etc.
When I assign a Realm Role to a Client Scope, and if I map a user to the same Realm Role, the tokens issued through the Authorization Code Flow (browser frontend) contain the scope.
Also, when I create a Machine-to-Machine client and I add to Client Scope directly to the Client, the tokens for the M2M client also contain the scope.
So far so good. But as soon as I try to do both at the same time, I no longer have the scope in tokens issued by the M2M-client.
It seems that adding a Client Scope to a Role makes it impossible to use that scope otherwise.
The obvious, but bad solution would be to create a second set of scopes for this kind of client. Is there any other solution I'm not aware of?
I'm migrating from Auth0.com to Keycloak, and that's currently the only point blocking me from finishing this migration.
Thanks,
Pascal
In a standards based approach, scopes are composed of claims. Scopes are fixed at design time, whereas claims have runtime values. So at runtime a particular client and user may result in these values:
- myscope
- roles: [user, admin]
- subscription-level: gold
An example is the built-in profile scope, which includes name and email claims, and might look like this at runtime:
- profile
- name: John Doe
- email: john#doe.io
It is recommended to avoid scope explosion, as you suggest. In Keycloak I would keep scopes the same for all clients, so that nothing changes in the client interface.
A realm role is a type of claim, though a Keycloak specific concept I think. Perhaps you can represent it differently, or configure a realm role for the M2M client also?
It turns out that I missed the concept of Service Account Roles. For all those running into the same troubles:
How to add a new Role to an Authorization code flow client
Create client with Default Flow enabled
Create client role
In Client Scope Settings, add the new client role to the scope
In Client Settings, add the scope(s) to the list of default scopes
Add the new client role to the user
How to add a new M2M client
Create the new client
Create a new client role in the Client settings
In the Client settings, in the tab Service Account Roles, assign the new Client Role
In the Client scope settings, assign the new client role
In Client Settings, add the scope(s) to the list of default scopes
Our business use case is that we have four to five services deployed as java spring web applications. These services have user/customers derived from either registration process or some existing running applications exposed as rest services. We intend to make a single portal which provides users to be able to use a single account / credential to log into many services directly.
With internal approach we assume having individual customer table for each services. And a common Login table for all services whose id is tagged/mapped as foreign key in individual customer table of each services.
Also some services can be accessed without registration , in that case we fetch the data via customers account id from some third rest service and store it in individual services/application customer table and in common Login Table if not already present.
For services which require registration we store the customer credentials in login table if not present; and also in service/applications customer table with a common login table mapping.
But we need a secure portal with session tracking , session timeout just like Single Sign On
With some research we have narrowed the approach to implement the above scenario with either SSO or Oauth2 which her is applicable.
Refer the link (https://stormpath.com/blog/oauth-is-not-sso ) for more insight.
Can someone suggest which approach SSO or Oauth2 is applicable for our business usecase ?
if SSO , which is the best opensource simple SSO for java Spring applications?
if OAuth2 , what will act as Client application, Authorization Server , Resource Owner and Resource Server? As we have services(Java applications) as client application hosted in Common Application/Portal? will the common login table act as resource owner ?
You will likely want SpingSAML. If the applications are hosted on separate paths, like example.org/app1 and example.org/app2 then you could use a Shibboleth Service Provider as the SAML SP for the applications.
You'll still need an Identity Provider of some sort, which SpingSAML can't do, but there are innumerable IdP implementations out there: i.e. Shibboleth Identity Provider, ADFS, or a commercial IdP like Okta, OneLogin, Ping, etc.
I'm new to OAuth2 and trying to figure out what is the best practice for the following scenario:
I'm implementing 'ToDo' web service (CRUD for 'tasks')
I'm using OAuth2 and Google as auth provider to get user details (email, name)
Now I need to implement project-specific roles for users ('admin', 'user')
Speaking in terms of OAuth2 - Google doesn't 'own' my service, so it cannot help me with storing/providing 'ToDo'-specific roles, is it correct?
What is the common/best approach to implement it, do I need to create my own authorization service where I'll need to store relations like userinfo -> project-specific role?
Well, it depends what, exactly, you're looking to do.
If you have users, and those users have specific roles that you have assigned to them already, then you're just using Google's OAuth service as an identity service. You don't need to implement your own authorization service, but you will need to keep track (typically in your own database) a relationship between the userid and the roles for that users.
If the goal is to create a service where the user can delegate specific permissions they have to a third-party service, then you will certainly need to implement your own OAuth server. This will allow the user to limit the scopes that are necessary for the third-party service to do its job.
It is easy for you to setup your own authorization and resource server rather than depending on google services. In your own authentication server you have more control over your roles and users you specify.
You can setup and authentications server using spring boot app and using dependencies like Spring-starter-security, spring-security-oauth2 and etc.
Yes, you'll have to use your own Authorization Server that can then issue tokens that have realm-specific roles associated with them.
I have a scenario where my Resource Server (RS) can connect to multiple databases and it can be multi-tenant. It has an environment configuration where I can say: Env A points to database A and belongs to tenant A; Env B points to database B and belongs to tenant B;
Our desktop apps store that information in a data structure that is sent to RS on every call and our web apps store it inside ASP.NET Session. The user select the environment at login.
Now we are moving our APIs completely to REST services and protecting them with oAuth2 using IdentityServer4.
I need to send that environment value to the APIs and I think that should be part of the access token.
The first question is: Is that correct? Can a access token have that kind of information?
The second is: Which is the best IdentityServer4 service that I should extend to inject that value as a claim inside access token and consequently inside ClaimsPrincipal.
The third is: Sometimes I don't have a user to select the environment at login (client credentials grant, for example). In this case, is the correct treat environment as a client claim? There is a way to have dynamic client claims?
Sorry about the long question!
Regards,
Diogo
If that claim is about the users (or clients) identity - yes - it is a candidate for the token.
Add the claim to the resource scopes that represent your API - this way the claim type will be requested in the profile service and you can add it to the token.
Client claims are not dynamic though.
What I purposed to do is, I want to do is I want to create a Claim based Authentication.
But I use a public Auth provider such as LIVE connect API.
So it only return OAuth based data to me.
Considered I'm the server side, I just want to
1 get the data with OAuth.
2 convert it to claim.
3 set current principal to the claim I created.
Do I need to create a STS?
And can I use these this claim achieve SSO?
And have a look here where he actually implements it.
Or here which shows how to do it with Azure ACS.
You create Security Token Service (STS) when you want to decouple your authentication logic from your business logic in a way that it works as two separate services / applications, where one is issuing Security Tokens, and the other one (or more of them) are consuming them.
To me it seems that you should implement your own ClaimsAuthenticationManager that will convert all the data received by OAuth (which is doing authentication for you) to claims, generate ClaimsPrincipal with it and add your own business logic claims to it as well => set generated principal to be your current principal.
Depending on what libraries are you using for OAuth, some of them will create initial claims principal for you, which you can then take in ClaimsAuthenticationManager, and convert it to your own claims principal.
For more reference on it, check www.leastprivillege.com, Dominick has nice series of articles about OAuth and claims based authentication.