I'm working at a company where we have a standard JWT token given to an end user. This user will get their JWT access token by going through the authorisation code oauth flow. By passing their access token into the Authorization header they can make calls into the microservice api's.
We now have a scenario where we need someone from the customer service centre assume the identity of an end user for the purpose of giving the service centre representative access to the users data for short period of time.
To solve this we have discussed having two access tokens flowing into the Authorization header in the microservice api's. The first would represent the customer service centre representative and the second would be the users access token but i am confused on how to best architect this solution.
Can anyone recommend a good solution staying as close to open id connect standards as possible. Microsoft seem to have an oauth flow named on behalf of which kind of matches what i want but seems more like it caters for a system on behalf of a user where I want a user on behalf of another user.
thanks
LONGER TERM
User Managed Access may provide solutions in this area:
End User sets a policy at the Authorization Server for their personal resources
A Company Administrator applies a policy at the Authorization Server for corporate resources (for multiple users)
A Requesting Party (app) presents claims as proof that they meet the policy
REAL WORLD
Almost no Authorization Servers support this capability, and even those that do may not do what you want. It is more than an OAuth pattern though, since a solution also ties into back end behaviour.
WHAT I WOULD DO
Build a solution around claims:
Service centre user logs in, to establish their own identity
After login, lookup claims, to see if the user has 'super' rights
If so, your UI presents an option to act on behalf of another user
Service center user types in email of who they are acting as
Update claims with the second identity
Authorization needs to take both identities into account
Auditing needs to log both identities
The above list hints at requirements, and of course not all of these can be solved with OAuth, but claims should give you the flexibility you need.
See my claims write up for how you could apply this pattern to collect claims from multiple places - not just access tokens. In your case, the ApiClaims object could include your database user ids for both users.
I would like to provide some standarized SSO mechanism in my application (some different clients, growing number of services in the backend). I am wondering if OIDC/OAuth 2 is the right tool for it.
In all examples I have seen, end user is the Resource Owner and it grants permissions (or not) to some external apps by redidericting to a page asking for permissions.
My use case is different, I want to use OAuth inside my system (for apis, web pages etc.): resource owner is i.e. some service with database (plus administrator who have access to it), end user tries to get some resources from the system. User cannot grant anything, he can be granted. I think it's the most classic scenario, which can be named Single-Sign-On. Is there any standard flow for this in OAuth 2 (or preferably OpenId Connect)? Is it achievable? Or am I looking at a wrong tool?
OIDC/OAuth can be used for both consumer as well as enterprise scenario's. The consent steps of OAuth are useful in consumer oriented scenario's. When dealing with enterprise scenario's like yours, there's no point in asking consent since it is implicit, at least for the enterprise's apps. That is certainly covered by OAuth/OIDC: the Authorization Server is not required to ask for consent and can (typically) be configured to skip that step for particular Clients. So: using OpenID Connect without consent would be suitable.
For your usecase you can use combination of OpenID Connect and OAuth Client_Creds flow. For example suppose you have a HRMS application which needs to get the employee data to show to the employee from some DB.
Register HRMS with OPenID Provider
Register HRMS as Client to OAuth Server (OpenID Server and OAuth Server can be same)
When User comes to HRMS application:
a. Check for Id_token cookie, if not present then redirect to IDP
b. IDP authenticates and if successful redirects back to SP with ID token
c. If token is valid then SP sets the token as cookie in the browser using another redirect to itself but to the home page
Now All processing will be server side:
a. HRMS app hits the IDP to get the User Data
b. If successful then it hits the OAuth Server to get the access_token
c. if successful then it uses the access_token to talk to DB Service and
get the data
SP=Service Provider, IDP = Identity Provider
Actual flow can be a little different based on security considerations.
Hope this makes it helps.
We are setting up a OAuth 2.0 via PingFederate in our organization. The scenario in question is as follows - We have a website in which the customer would be logging in using user name and password. There are are also links within the site to redirect the customer to a partner site. The partner site would be securely passed some basic information via SSO payload.
The partner site would also need to be able to call back to our Apis (call made in the background) to get additional information about our customer which they will then use to display on their site.
Our Api’s are currently setup to be accessed via access token which the consumers of the Api get by following the Authorization Grant flow.
In the partner redirect scenario we want partner site not go through the Authorization code flow when it makes the Api call because the customer would have already logged into our site to start with using their credentials but instead when we redirect to the partner site provide it securely (SSO payload) the access and refresh token which it can then use to make the Api calls ?.
Is there a grant type that I can invoke telling my authorization provider (PingFederate) that I trust the customer based on the information that he has already provided now give me access token and refresh token and then redirect using that information (None of the grant types that I am aware is able to support it - does Ping OAuth setup support a flow wherein I can say I trust this customer give me access and refresh token )?
It sounds like you'd be combining SAML and OAuth to meet your business need. While it's not defined as a standard grant type, one potential solution is to include an Access Token in the SAML Assertion attribute payload so the partner application can then make calls without going through additional redirects. PingFederate does offer the ability to do this by using OGNL to create an access token in the attribute contract fulfillment. An example of how to do this is in our SDK documentation: https://www.pingidentity.com/content/dam/developer/documentation/pingfederate/server-sdk/9.3/index.html?com/pingidentity/sdk/oauth20/AccessTokenIssuer.html
If you need more guidance on selecting the right OAuth grant type, we have information on our developer portal that covers this. Please refer to: https://www.pingidentity.com/content/developer/en/resources/oauth-2-0-developers-guide.html#get_token
I'm trying to authenticate my user on my site using StackExchange OAuth API.
Everything works fine when the user signs up for the first time. At this point, I get the "access token", which I save in my DB.
But the next time the user signs in, access token value is actually different to the previous one. Is it supposed to be like this?
If then, how do I check for existing users who already have signed up using StackExchange?
I can get the user's information by giving a specific site name (e.g. 'stackoverflow'). But what if I don't have that information and I need to check that the user has already signed in via StackExchange?
Is there a "user" information that I can get given an accessToken?
The StackExchange OAuth implementation is not meant to authenticate users to 3rd party applications but instead it is about authorizing those 3rd party applications to get access to the StackExchange API.
The access token that you get is not a token that represents a currently logged-in user, it represents the permission to access the API on behalf of the user gave it to your application. This is the classical confusion about the scope of OAuth 2.0 which is discussed in detail here: http://oauth.net/articles/authentication/.
In summary: you can't use OAuth or the StackExchange access token to authenticate users.
StackExchange does support the OpenID protocol to facilitate the purpose that you are looking for, see https://openid.stackexchange.com/. The downside of that is that OpenID is a deprecated protocol, superseded by OpenID Connect. OpenID Connect is an authentication protocol that is actually built on top of OAuth 2.0, but is not yet supported by StackExchange.
What exactly is OAuth (Open Authorization)?
I have gleaned some information from
OAuth
Twitter Tutorial: What is OAuth And What It Means To You
What is OAuth
But I want to learn and know more. I'm looking for info on the lifecycle. Why do most of the social networks rely on this open protocol?
Will it become a de facto in near future with the various technologies (e.g. ASP.NET)?
What exactly is OAuth (Open Authorization)?
OAuth allows notifying a resource provider (e.g. Facebook) that the resource owner (e.g. you) grants permission to a third-party (e.g. a Facebook Application) access to their information (e.g. the list of your friends).
If you read it stated plainly, I would understand your confusion. So let's go with a concrete example: joining yet another social network!
Say you have an existing Gmail account. You decide to join LinkedIn. Adding all of your many, many friends manually is tiresome and error-prone. You might get fed up halfway or insert typos in their e-mail address for the invitation. So you might be tempted not to create an account after all.
Facing this situation, LinkedIn™ has the good idea to write a program that adds your list of friends automatically because computers are far more efficient and effective at tiresome and error-prone tasks. Since joining the network is now so easy, there is no way you would refuse such an offer, now would you?
Without an API for exchanging this list of contacts, you would have to give LinkedIn the username and password to your Gmail account, thereby giving them too much power.
This is where OAuth comes in. If your GMail supports the OAuth protocol, then LinkedIn can ask you to authorize them to access your Gmail list of contacts.
OAuth allows for:
Different access levels: read-only VS read-write. This allows you to grant access to your user list or bi-directional access to automatically synchronize your new LinkedIn friends to your Gmail contacts.
Access granularity: you can decide to grant access to only your contact information (username, e-mail, date of birth, etc.) or to your entire list of friends, calendar and whatnot.
It allows you to manage access from the resource provider's application. If the third-party application does not provide a mechanism for canceling access, you would be stuck with them having access to your information. With OAuth, there is a provision for revoking access at any time.
Will it become a de facto (standard?) in near future?
Well, although OAuth is a significant step forward, it doesn't solve problems if people don't use it correctly. For instance, if a resource provider gives only a single read-write access level to all your resources at once and doesn't provide a mechanism for managing access, then there is no point to it. In other words, OAuth is a framework to provide authorization functionality and not just authentication.
In practice, it fits the social network model very well. It is especially popular for those social networks that want to allow third-party "plugins". This is an area where access to the resources is inherently necessary and is also inherently unreliable (i.e. you have little or no quality control over those applications).
I haven't seen so many other uses out in the wild. I mean, I don't know of an online financial advisory firm that will access your bank records automatically, although it could technically be used that way.
What is OAuth?
OAuth is simply a secure authorization protocol that deals with the authorization of third-party applications to access the user data without exposing their password. (e.g. login with Facebook, gPlus, Twitter in many websites) all work under this protocol.
Parties involved
The Protocol becomes easier when you know the involved parties. Basically, there are three parties involved: OAuth Provider, OAuth Client, and Owner.
OAuth Client (Application Which wants to access your credential)
OAuth Provider (eg. Facebook, Twitter, etc.)
Owner (the person with Facebook, Twitter, etc. account )
How It Works
I have supposed a scenario where a website (Stack Overflow) needs to add a login with the Facebook feature. Thus Facebook is OAuth Provider and the Stack Overflow is OAuth Client.
This step is done by the app's developer. At the very beginning, Facebook (OAuth Provider) has no idea about the Stack Overflow (OAuth Client) because there is no link between them. So the very first step is to register Stack Overflow with Facebook developers site. This is done manually where developers need to give the app's information to Facebook like the app's name, website, logo, redirectUrl (important one). Then Stack Overflow is successfully registered, has got client Id, client secret, etc from Facebook, and is up and running with OAuth.
Now when Stack Overflow's user clicks login with Facebook button. Stack Overflow requests Facebook with ClientId (Facebook uses it to recognize the client) and redirectUrl (Facebook will return back to this URL after success). Thus the user gets redirected to the Facebook login page. This is the best part user(owner) is not giving their Facebook credential to Stack Overflow.
After Owner allows Stack Overflow to access the information. Then Facebook redirects back to Stack Overflow, along with authcode using the redirectUrl provided at step 2.
Then Stack Overflow contacts Facebook along with the obtained authcode to make sure everything is okay.
Only then Facebook will give access token to Stack Overflow. Then access token is used by Stack Overflow to retrieve the owner's information without using a password. This is the whole motive of OAuth, where actual credentials are never exposed to third-party applications.
For More:
Quick video
Web Link
Simply put OAuth is a way for applications to gain credentials to your information without directly getting your user login information to some website. For example if you write an application on your own website and want it to use data from a user's facebook account, you can use OAuth to get a token via a callback url and then use that token to make calls to the facebook API to get their use data until the token expires. Websites rely on it because it allows programmers to access their data without the user having to directly disclose their information and spread their credentials around online but still provide a level of protection to the data. Will it become the de facto method of authorization? Perhaps, it's been gaining a lot of support recently from Twitter, Facebook, and the likes where other programmers want to build applications around user data.
OAuth(Open Authorization) is an open standard for access granting/deligation protocol. It used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. It does not deal with authentication.
Or
OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.
Analogy 1: Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything. src from auth0
Analogy 2: Assume, we want to fill an application form for a bank account. Here Oauth works as, instead of filling the form by applicant, bank can fill the form using Adhaar or passport.
Here the following three entities are involved:
Applicant i.e. Owner
Bank Account is OAuth Client, they need information
Adhaar/Passport ID is OAuth Provider
Oauth is definitely gaining momentum and becoming popular among enterprise APIs as well.
In the app and data driven world, Enterprises are exposing APIs more and more to the outer world in line with Google, Facebook, twitter.
With this development a 3 way triangle of authentication gets formed
1) API provider- Any enterprise which exposes their assets by API, say Amazon,Target etc
2) Developer - The one who build mobile/other apps over this APIs
3) The end user- The end user of the service provided by the - say registered/guest users of Amazon
Now this develops a situation related to security - (I am listing few of these complexities)
1) You as an end user wants to allow the developer to access APIs on behalf of you.
2) The API provider has to authenticate the developer and the end user
3) The end user should be able to grant and revoke the permissions for the consent they have given
4) The developer can have varying level of trust with the API provider, in which the level of permissions given to her is different
The Oauth is an authorization framework which tries to solve the above mentioned problem in a standard way. With the prominence of APIs and Apps this problem will become more and more relevant and any standard which tries to solve it - be it ouath or any other - will be something to care about as an API provider/developer and even end user!
OAuth is all about delegating Authorization (choosing someone who can do Authorization for you). Note that Authentication and Authorization are different things. OAuth is Authorization (Access control), and if you want to implement Authentication (ID verification) also, OpenID protocol can be used on top of OAuth.
All big companies like Facebook, Google, Github,... use this kind of authentication/authorization nowadays. For example, I just signed in on this website using my Google account, this means Stackoverflow doesn't know my password, it receives the allowance from Google where my password (hashed obviously) is saved. This gives a lot of benefits, one of them is; In the near future you won't have to make several accounts on every website. One website (which you trust most) can be used to login to all other websites. So you'll only have to remember one password.
OAuth happened when we sign up SO account with Facebook/ Google
button.
Application (SO) redirecting user to the provider's authorization URL. ( Displaying a web page asking the user if he or she wishes to grant the application access to read and update their data).
User agree to grant the application process.
Service provider redirects user back to application (SO), passing authorization code as parameter.
SO exchanges the code for an access grant.
Source : OAuth1 service providers
OAuth is an open standard for authorization, commonly used as a way for Internet users to log into third party websites using their Microsoft, Google, Facebook or Twitter accounts without exposing their password.
Authorization: OAuth as it name suggests is simply a standard for Authorization.
Used for log into third party websites: With OAuth, you can log into third party websites with your Google, Facebook, Twitter or Microsoft accounts without having the necessity to provide your passwords.
Remembering passwords: Using OAuth you can avoid creating accounts and remembering passwords on each and every web application that you use on the Internet.
Access token: OAuth is based on an access token concept. When a person authenticate hinself using his Google account, to a third party web application. Google authorization server issues an access token for that web application the person is using. Thus, the web application can use that access token to access his data hosted in the resource server. In the case of Google, your Gmail inbox, contacts, photos etc. are the resources. So, any third party application can access those resources, for an example view his Gmail inbox using OAuth. Hence, OAuth is a simple way to publish and interact with protected resource data. It’s also a safer and more secure way for people to give you access to their resource data.
OAuth2 and HTTPS: OAuth2 uses HTTPS for communication between the client and the authorization server because of confidential data for example client credentials. passing between the two applications.
OAuth is a protocol that is used from Resource Owner(facebook, google, tweeter, microsoft live and so on) to provide a needed information, or to provide a permission for write success to third party system(your site for example). Most likely without OAuth protocol the credentials should be available for the third part systems which will be inappropriate way of communication between those systems.