Many of OAuth providers host "userInfo" pages which are used by clients to fetch display names and identifiers etc. This endpoint is hit after code generation and exchange for a token. Spring boot requires this endpoint when configuring an OAuth client. For example
Google: https://www.googleapis.com/oauth2/v1/userinfo
Facebook: https://graph.facebook.com/me
I want to implement this for our own OAuth provider. Implementing it is not a problem, but I need to define what I'm implementing. I've looked all over and read a ton of specs but cannot find where this behaviour is described.
Does anyone know what specification this is part of?
Google conforms to OpenID Connect: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo Facebook doesn't conform to any open specification, they're doing their own thing; it just happens to look similar.
Related
What does it mean 'OAuth is a protocol'?
Is this some kind of abstract specification but not a concrete implementation?
So if I would like to use OAuth do I need an Identity and access management system like Oak, Keyloak or Ping Federate that supports OAuth?
What does it mean 'OAuth is a protocol'?
Ok i ask you what is a "protocol"? or actually what is a "communication Protocol", let's check wikipedia.
A communication protocol is a system of rules that allow two or more entities of a communications system to transmit information via any kind of variation of a physical quantity.
In layman's terms protocol simply sets up some guidelines as to how requests should look. The protocol for stack overflow is that everything is written in english, everyone understands that and most people use english. Anyone using another language will be asked to translate it or it will be closed because it is against the protocol on stackoverflow.
Okay now "What is Oauth" again lets check Wikipedia.
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.1
Prior to Oauth if you wanted to access private user data on an API you had to use something called client credentials. which basically meant an application would the users send login and password along with the request.
Besides being a security nightmare (pre https) the issue with this is that if the user changes their password the call would then break the call unless the user remembered to submit a new password to the system using the api.
So oauth was born. Its bacily a set of calls three or four typically. (Oauth2)
App builds link to the Auth server show to user which requests permission of the user. Auth server returns permission to the application
Application takes that permission sends it to auth server see i have permission now give me access.
Server returns access
This is the Oauth protocol a list of requests agreed upon in rfc Oauth2 that map out how user authorization can be granted between an application, an authorization server and a user.
So back to your question "What does it mean 'OAuth is a protocol'?" This is the agreed upon Oauth protocol. Its a set of steps used by applications and authorization servers to grant access to users data.
Is this some kind of abstract specification but not a concrete implementation?
I think you should have a look at rfc Oauth2
So if I would like to use OAuth do I need an Identity and access management system like Oak, Keyloak or Ping Federate that supports OAuth?
I think you should check those systems on your own.
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
By reading Cognito Identity Provider document, I understand that it looks like it provides out-of-box integration with Facebook / Google / Twitter as Identity Providers.
My application is a developer focused application so I would like enable users sign-up/sign-in with their Github account besides the above Identity Provider's accounts. Is that possible?
If possible, how much extra work (comparing the out-of-box Facebook/Google social sign-up feature) I need to do?
Since first writing this answer, I implemented and published a project that provides a wrapper for Cognito to talk to GitHub. It comes with a SAM/cloudformation deploy script, so you can create a CloudFormation stack that provides the wrapper very easily.
So, OpenID Connect is built on top of OAuth2.0. It's an extension - in OpenID Connect, the OAuth endpoints are there (with one or two extensions or changes), plus some new endpoints.
My understanding from reading the Cognito documentation and the relevant bits of the OpenID Connect and OAuth2.0 specs is that Cognito only uses four of the OpenID endpoints - Authorization, token, userinfo and jwks. You can specify each endpoint separately when configuring an OpenID Connect provider in Cognito. This means it is possible to provide OpenID Connect for github by implementing these endpoints.
Here's a rough plan for implementation:
Authorization: In the spec, this looks to be the same as the OAuth2.0 endpoint (plus some additional parameters that I don't think are relevant to using github as an identity provider). I think you could:
Use the github Auth URL: https://github.com/login/oauth/authorize
Set your GitHub OAuth app to redirect to https://<your_cognito_domain>/oauth2/idpresponse
For the other endpoints, you'll have to roll them yourselves:
Token: This is used to get the access and ID tokens - using a code returned by the authorization callback. It looks the same as the OAuth2.0 endpoint, but also returns an idToken. It looks possible to make an implementation that passes through the code to github's token endpoint (https://github.com/login/oauth/access_token) to get the accessToken, and then generates an idToken, signed with your own private key.
UserInfo: This doesn't exist at all in OAuth2.0, but I think that much of the contents could be filled in with requests to the /user github endpoints (since at this point the request contains the authenticated access_token). Incidentally, this is the reason that there's no open source shim to wrap OAuth2.0 with OpenID connect - OpenID connect's primary contribution is a standardised way of communicating user data - and since OAuth doesn't have a standardised way to do this, we have to write a custom one specific to GitHub (or any other OAuth-only provider we wanted to use for federation).
JWKS: This is the JSON Web Key Set document containing the public key(s) that can be used to verify the tokens generated by the token endpoint. It could be a flat file.
I have implemented the above, and the approach works. I open-sourced the project here.
Unfortunately it's not possible. Cognito Federated Identities can support any OIDC Identity Provider but OAuth2.0 spec does not give that flexibility, so there's no easy way to achieve this unless we add special support for Github.
Please tell me the difference between these third party authentications i.e open id, o-auth1.0, o-auth1.0a ,o-auth2.0 and open id connect.
Well i googled on this but not able to find the exact difference between all these. All the time I got difference between o-auth and open id but not about all these together.
Any reference or any explanation would be appreciated. Thanks in advance.
First of all, note the difference between authentication and authorization: not all the protocols in your question actually do authentication.
During authentication you prove your identity to someone else (e.g. show driving license), see OpenId.
During authorization you give access rights to someone else to use a protected resource (e.g. give car keys), probably without exposing your identity, see OAuth. OAuth 1.0 works, but a common complaint is that both server and client has to do a lot of cryptography, so it's not lightweight on the client side and does not support embedded clients (e.g. javascript). OAuth 1.0a addressed a security issue, but it's obsolete, the fix was included into the original spec (RFC 5849). OAuth 2.0 supports both remote web application and embedded/javascript clients and allows implementing a client application much easier.
OpenId Connect unites OpenId and OAuth (thus providing both authentication and authorization) as a small extension to the OAuth 2.0 protocol.
Greetings!
I have some troubles enabling OAuth authentication for my web
application running on Ruby on Rails. I am using authlogic and
authlogic_oauth and that is, in the end, using OAuth gem and therefore
I decided to ask here. So shortly:
I succesfully "register" (i.e. obtain the first Access Token for the
user) but then, whenever I try to "login", I receive a differenct
access token for the same Google Account, the Authlogic-oauth plugin
fails to find the user and the login crashes. Maybe I don't understand
it right but is not the AT supposed to be the same every time. And can
it be a problem that I am accessing Google from http://localhost even
though the Customer keys are for different domain?
anyway, thanks for any reply ... I spend already 2 days with that
issue and debugging doesn't seems to lead me anywhere
Jakub
PS: I sent that question on Google Group oauth-ruby - sorry to anyone reading both channels
The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html
Twitter does not give out different tokens which allows OAuth to be used as an authentication mechanism. LinkedIn doesn't do that meaning you may only use OAuth as an authorization protocol (which is what it was intended to do).
However, there is a useful API for pulling in data from LinkedIn. Of particular interest could be the Profile API.