We are using version 2.0 of tyk.io, and we wanted to know if there is a way to customize the tyk.io dashboard ui to use a custom authentication method such as Oauth2?
To clarify - Do you mean using OAuth for controlling access to the tyk dashboard itself?
If so, take a look at Tyk Identity Broker - that should do the trick. https://tyk.io/tyk-documentation/concepts/tyk-components-2/identity-broker/
Related
We have a legacy Identity Provider which only supports two authentication mechanisms:
Oauth 1.0.
A custom service I can call with a user and password and
obtain a session token which then has to be placed in a custom
header of every other call to the IdP —to get user info and such.
I’d like to know whether there’s any plugin that will allow configuring Jenkins to delegate authentication to such an IdP through either mechanism. I'm starting to look at the Oauth Credentials Plugin, but it doesn't look like it'll do the trick.
By itself, this library has no user visible changes, it is intended only to surface new extension points on top of which OAuth providers may surface their own OAuth2Credentials implementations.
If not, then what are my options here? I’m thinking of writing a plugin to implement one of these. Is there a good guide I can use? Or an existing plugin I should extend?
As it turns out —and just in case anyone else is wondering how to do this— the Oauth Credentials Plugin is not for delegating Jenkins authentication to an Oauth Identity Provider. It's for creating Jenkins credentials which can then be used by jobs.
At this point in time, there's no plugin which will allow you to delegate Jenkins authentication to an identity providier exposing the deprecated Oauth 1.0 spec. You'll have to implement your own. The right way to do this is to extend this class:
hudson.security.SecurityRealm
I started doing this by following the examples set by Github's and Google's Oauth 2.0 plugins. But these both take very different approaches to the same problem — which filled my head with questions. So I did some more research and found this nice article which explains the basics and also points to a bare bones security realm example of how to do this. It helped me a lot. I hope it'll help others as well.
I'am looking at the capabilities of WIF in terms of SSO. Actually we have a "legacy" users & rights management database under SQLServer and we like to build a brand new SSO system on top of this exsting database.
In many tutorials I found they talk about using existing STS like ADFSv2 for Active Directory authorization, but It did not fit my needs because my users/rights are not exposed through AD but in a custom a specific business oriented SQL Server database.
So, I thing I need a custom Security Token Service in order to be able to emit my own custom tokens, but I don't know how to do this.
I need some little help or an example about how to achieve this.
Thank you
You can find STS example in WIF SDK. It contain an example with custom token. Look here
More detail information about SSO I seen in a book 'Programming Windows Identity Foundation'
You can build your own Custom Security Token Service leveraging the underneath SQL Server database. You will have to define your scopes and Claims that needs to be shared after user does a Single Sign On. Here are some links to some articles below that has helped me build mine. I am pretty sure by following the below links you will be able to build a custom STS catering to your needs.
WIF : http://chris.59north.com/post/Building-a-simple-custom-STS-using-VS2012-ASPNET-MVC
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Care to explain why #paullem's answer was deleted?
It is in fact the correct answer!
The question is about an STS that authenticates using a SQL DB. That is EXACTLY what IdentityServer does.
Since it's open source, you can customize it any way you want or else use it as a guide.
So to repeat the answer - "Take a look at Thinktecture.IdentityServer........".
Update
You want a custom STS that supports SAML protocol and authenticates against a SQL DB?
WIF won't do this for you.
You need to look at something like Shibboleth or simpleSAMLphp but they are not .NET based.
Or take IdentityServer and add a SAML stack to it.
Refer: SAML : SAML connectivity / toolkit.
Be warned: This is not a trivial exercise!
I am developing MVC application and want to use WIF & Claim based security.
However I am very disappointed with the way login is perfomed. I mean redirection to STS login page and then redirecting back to my page. That is not user-friendly at all.
I want to implement login page in my application (it fact it will be popup dialog). Than using Web API I want to be able to perform STS request and get security token and initialize WIF infrastructure (Principle etc).
Is it a good way to go with?
Did anybody do something similar?
Does anybody have some samples of what I am trying to do?
I just worry that I don't have control over the STS login page layout & style.
Also I will have mobile application and must perform login using Web API service.
What can you advice?
Thanks
Well - you can do that of course. This does not need to be WIF specific. Call a service, pass credentials - and when OK set the login cookie.
But if you want SSO you have to make a user agent roundtrip to the STS - otherwise you cannot establish a logon session.
Consider using MembershipReboot membership provider which uses claims-based security and is not based on microsoft's traditional membership provider.
It does not have a documentation, but in the zip file you can find 2 sample projects that uses MemebershipReboot provider, which explains all you need to know about it.
In fact after reading this blog post today, I decided to use this approach in my current project. I'm still struggling with it now and I'm so excited !
In addition to Ashkan's recommendation Brock Allen provides solid documentation about how to implement MembershipReboot in association with IdentityServer. You can find that their is a way to configure a custom implementation Here. Also their are a few tutorials on vimeo from Dominick Baier (leastprivilege) that will provide a full walk through on getting started! I hope this helps!
I like the new MVC OpenID/OAuth login feature, but I want to know how to add a new login button, for example I want my users to login using their StackExchange account or using their OpenID url the same as in stackoverflow http://puu.sh/13rm0
How to do that? Are there any samples showing this in steps?
Unfortunately the API Microsoft exposes is limited to login providers that are hard-coded to a specific URL -- not one that can accept input from the user before logging the user in, which OpenID requires.
You can add support for specific OpenID providers such as StackExchange by creating a class that implements DotNetOpenAuth.AspNet.IAuthenticationClient and is hard-coded to use StackExchange. A great example of this is the source code for Microsoft's own provider for Yahoo!. Check it out, see how simple it is, then create your own that is simply hard-coded to https://openid.stackexchange.com/ instead of https://me.yahoo.com/ and you've got StackExchange login support.
Ok, second try here.. hoping I phrase my question better to get a few responses.
I am currently working on a small project developed in Grails with the Spring Security plugin to handle account management and security. I want to intercept the login function and add some custom code. The goal is to have 2 options available to the end user for registration, the default spring security/application option and the other using facebook connect.
I did notice and read up on the facebook connect features in Spring Security but to me, it doesnt seem to fit my requirements exactly. I cannot assign permissions/roles to these facebook connect users if I were to use the default facebook connect features in Spring Security. Anyone else run into this?
How can I intercept the login function? There is an auth method in Login but thats not exactly where I think I need to inject my own custom business logic. Any help with this would be most appreciated.