I am building a third party client/app that needs to authorize a user via OAuth2 before the protected Resource Server can be accessed.
I am hoping someone can help guide me with the process that I need to undertake to make this happen.
The client app and the Resource Server will both be hosted on a cloud server and managed via PaaS. I will be using an SSO (single sign-on) service to help with the environment authorization flow and building the client app using NodeJS and a JavaScript framework (VueJS).
I am required to use a third party/enterprise security authorization server from my employer and not a social network (Google, Facebook, etc).
With the above items laid out, is there a recommended JS library to help me achieve a successful OAuth flow? I've never done this before and I'm not sure where to start. I see PassportJS may be what I am looking for, but I'm not sure if there's an easier library to use for a newbie? It must be free, not a paid service.
Thank you!
I'm trying to get my head around OAuth from the context of having an API that I want to secure and a JavaScript-based single page app made in Vue.js that will consume this API. I've been told that OAuth is the industry standard for this type of thing.
I want to let other clients like a mobile app also use the same API.
From what I can gather the right flow is Authorization Code Flow with Proof Key for Code Exchange (PKCE) https://oauth.net/2/pkce/
The bit I am confused over is how I seem to need to get users to approve access. For example you don't have Twitter saying "Would you like Twitter to use Twitter". If I was in the position of people using the account to create another account I wouldn't have any confusion but when the client is your own website what is supposed to happen?
I can sort of imagine that I could automatically approve the website or just bypass the part where the user approves, but then I feel like I'm going off script. Then I think to myself, have I completely got the wrong end of the stick: is OAuth not designed for this?
If anyone can see where my ignorance is I'd be more than happy to be corrected!
Thanks!
OAuth and OpenID Connect enable you to authenticate users in many ways, for web and mobile clients. Each app implements a code flow and redirects to an authorization server (AS).
Each client is configured with an entry in the AS, and consent can be disabled when required. It is typically only enabled when personal assets are involved, e.g. to grant a security code scanning service access to my GitHub repositories.
From asking around a bit and reading a bunch more that I found by searching for "first party" providers: it is okay to just have the main website bypass the bit where they approve access and just send over the token.
Looking for some guidance or links on how I can protect my Logic Apps using OAuth2 and API Management. Does anyone have some good articles and guides? I tried Googling around with no real luck 😀
The link given by #derek li is fine to configure the OAuth security on APIM. But after that you need to configure your policy to remove the Authorization header.
Otherwise you will receive an error saying:
The request must be authenticated only by Shared Access scheme.
Check this link for more information: Secure your Logic Apps with Azure AD and API Management
This is possible with API Management. You can configure your Logic Apps to whitelist and be accessible only by API Management's IPs, and configure API Management to your liking (e.g. OAuth).
For more info, refer to Securing Logic Apps
I need to create a User Management Service which will be the central point to authorize AD users for multiple applications. Applications can be either intranet or Internet, internal or external.
What I figured out is that it will be something like IdentityServer. But due to some requirements we don't want IdentityServer but a custom STS (Security Token Service).
- We need to take input from 3rd parties' credentials
- validate it in our Active Directory
- generate & send a SAML token to authenticated users.
I have looked into:
https://katanaproject.codeplex.com
http://www.c-sharpcorner.com/UploadFile/scottlysle/windows-identity-foundation-and-single-sign-on-sso/
http://garymcallisteronline.blogspot.in/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
https://msdn.microsoft.com/en-us/library/ms972971.aspx#singlesignon_topic9
https://coding.abel.nu/2014/08/kentor-authservices-saml2-owin-middleware-released/
But I am still confused about how the 3rd party will understand that SAML token, or what it needs in order to interpret that shared identity info.
The 3rd party app can be in any language other than .NET too;
they don't need to make changes to their code/implementation.
Please suggest.
This is conceptual/architectural question so please don't advise to add code & then to offer help.
I am building an OAuth2 API for my program. But I don't know how the flow works for using the same API on the main website for the app? Would I just use the normal authentication route? I think it would seem odd to see that the trusted name app is wanting access to information, when it's not a third party.
I am building a Chrome extension which will interact with the Salesforce Chatter API. But for a user using OAuth (User-Agent flow) authentication, I need to embed my client key in my extension.
Will this cause any security problem? Or is there a way to use oAuth without embedding client id in my extension?
The client id has to be included into a request, so the provider knows that the request came from you, as #Matt Lacey already pointed out. Normally, the provider also issues a confidential client secret that is additionally included into the access token request, so the provider can verify that your app is allowed to use that client id.
Chrome extensions run on an open platform, and the platform itself provides no methods for either authenticating the extension against a server (which Salesforce would then also have to support) or storing properties securely (which would be hard, if not impossible, on an open platform), so keeping the client secret confidential is unfortunately not possible.
As this is a common problem, it is already considered in the OAuth specification (see section 10.1 Client Authentication and 10.2 Client Impersonation). The provider is therefore required to do additional checks, but on the client side you can't do anything to effectively improve security.
If you want some more insight into how this will be handled on Android devices in the future, check out my answer here.
You have to embed the client ID in the extension to let Salesforce know what the app is that's trying to authenticate. These client IDs are intended to always be stored and passed to the server, so as long as you're storing it in a secure manner there shouldn't be a problem.
As Matt explained, if you are creating a packaged app you will be forced to include the client id. Another solution is to write the app as a hosted app:
What is the difference between packaged apps and hosted apps?
The drawback of this is the added complexity of managing a web server. But it will allow greater security.