I am writing a REST-API for X1 and X2 application of Company-X.
In order for user to access and login to X1 and X2 they should have a valid Company-X account, like how you need google account to use gmail and google+. In short, X1 and X2 has no authentication in itself, it use Company-X Identity Provider (IP) to have authenticate and have a session.
In OpenID Connect (OIDC) terms, X1 and X2 will be the Relying Party (RP). X1 is a User-agent, X2 is a server. Company-X IP contains authorization server and the resources (protected REST-API).
Am I right to choose those grant types? (See legend of the diagram)
Is this the recommended architecture for this case? (1st party application with centralized account for login and will IP for 3rd party app in the future)
The selection of grant types is primarily performed by looking into the following aspects:
The type of the client application
What resources the client application wants to access
In the first point one of the things to consider is the environment in which the client application runs:
browser-based -> implicit grant
server-side -> authorization code grant and/or client credentials grant
native application -> mostly implicit grant, but authorization code grant may also be considered
Based on this and what you described, the selection of implicit grant for RP X1 seems appropriate.
In relation to RP X2 it's not so clear-cut and we should review it from the perspective of which resources this application wants to access. Being on the server-side this application is capable of maintaining secrets and as such eligible for client credentials, however, this grant is suitable when the application wants to access resources that are associated to the application itself and not to a specific user.
If this application is going to access resources associated to a Company-X user account then it should use the authorization code grant.
The next diagrams illustrate this substantial difference between the client credentials grant and all the other grants. As you'll notice, there is no separate resource owner involved (in theory the resource owner is the client application itself).
Client Credentials
(source: Client Credentials Grant)
Authorization Code Grant
(source: Authorization Code Grant)
In relation to the architecture from my perspective it seems to be the correct approach. It uses public standards and caters for your requirements so I highly doubt it there are better alternatives. The big issue with authentication systems is not the design phase, it's the implementation itself, especially considering that making it "work" takes about 20% of the effort and the remaining 80% is ensuring that you didn't mess up.
Related
Every so often I hack up my own projects to solve my own problems. Sometimes I want to use data from a service. This access is often provided by oauth.
oAuth solves a more general problem than I want to solve. It lets a programmer request that a user provides data via a website. In my case I am the user and the programmer, and I don't really want to implement the website.
Is there an easy way for me to grant myself access to my own data without writing a website?
Resources
This diagram from this blog post [http://www.bubblecode.net/en/2016/01/22/understanding-oauth2/] gives a good overview of oauth.
Only if I understand your flow correctly, I think you should use the password grant type (see here).
Because you use google authentication server (google account) and resource server (e.g. gmail). You use the client app (maybe you write it yourself) so you sign in with username and password, so Password is your preferred grant type.
In this flow:
The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token.
The user’s password is accessible to the application!
Should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application)
It is used for only highly-trusted clients, such as a mobile application written by the resource-server.
All OAutt Authorization code flow examples I've seen sends the user to a specific login page provided by the IDP Server (Identity Provider Server).
https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
I'm wondering can the login page be on the client itself, as in through an APP or SPA? Or is this something unsecure which I am not aware off. Thank
Usually it is standard to redirect as you say, but security also depends on the credential being used:
If a user is signing in via their Google password then your app should definitely never see the credentials and you should always redirect
If the user is signed in via a password stored at Company X, to only access data stored at Company X, and the password is not used for any other purposes, then it is less bad, since the company owns all of the assets involved
People who avoid redirecting usually end up using a deprecated flow such as Resource Owner Password Grant. I would avoid that, since it will not fare well in security reviews and restricts your future authentication options.
To be on the safe side I would recommend sticking to the redirect model, and using a login method provided by the Identity Management System vendor.
FUTURE DIRECTION
Interestingly, there is an emerging trend from some vendors to remain within the app when that makes sense. See the Hypermedia Authentication API, which may become a standard. A key characteristic of this is that the Authorization Server continues to govern security and tell the app what to do.
I'm building a new application platform using Microservice Architecture but I've been reading alot about different kinds of Authentication/Authorization to use.
I'm settling for OAuth2/OpenID Connect but just to make sure my assumptions is right.
I like to know if my flow is right to handle the authentication/authorization of my application.
Secondly, for my trusted Apps, how can I prevent OAuth from asking user for consent ?
In terms of protocols/standards, going with OAuth 2.0 and OpenID Connect for a system like the one you described is the right decision. They are in active use, have plenty of library and third-party providers support and they were also designed taking in the consideration the heavy reliance on HTTP that present day systems exhibit.
In terms of choosing the correct flow for each application the decision is not influenced by the application being perceived as a third-party or trusted application; it's more about the deployment characteristics of the application and also if the applications wants to access resources on behalf of an end-user or on behalf of the application itself.
Check Auth0 - Which OAuth 2.0 flow should I use? for a good illustration of this decision process.
The distinction between third-party application and trusted application is something left at the discretion of the identity provider/authorization server. This is usually supported so that consent is not explicitly asked to an end-user if the application is trusted; in these cases flagging an application to skip end-user consent is seen as an administration step where someone unilaterally and administratively decides that consent was granted to this application and as such it's not necessary to ask for it to end-users.
If you do indeed decide to support administrative consent for some application have in mind that if the characteristics of these applications don't allow them to be confidential clients (support a secure mechanism to authenticate the client application itself) or have some other way to ensure the client identity then an hostile application may try to fake a trusted application in order to skip the user consent step.
I would like to provide some standarized SSO mechanism in my application (some different clients, growing number of services in the backend). I am wondering if OIDC/OAuth 2 is the right tool for it.
In all examples I have seen, end user is the Resource Owner and it grants permissions (or not) to some external apps by redidericting to a page asking for permissions.
My use case is different, I want to use OAuth inside my system (for apis, web pages etc.): resource owner is i.e. some service with database (plus administrator who have access to it), end user tries to get some resources from the system. User cannot grant anything, he can be granted. I think it's the most classic scenario, which can be named Single-Sign-On. Is there any standard flow for this in OAuth 2 (or preferably OpenId Connect)? Is it achievable? Or am I looking at a wrong tool?
OIDC/OAuth can be used for both consumer as well as enterprise scenario's. The consent steps of OAuth are useful in consumer oriented scenario's. When dealing with enterprise scenario's like yours, there's no point in asking consent since it is implicit, at least for the enterprise's apps. That is certainly covered by OAuth/OIDC: the Authorization Server is not required to ask for consent and can (typically) be configured to skip that step for particular Clients. So: using OpenID Connect without consent would be suitable.
For your usecase you can use combination of OpenID Connect and OAuth Client_Creds flow. For example suppose you have a HRMS application which needs to get the employee data to show to the employee from some DB.
Register HRMS with OPenID Provider
Register HRMS as Client to OAuth Server (OpenID Server and OAuth Server can be same)
When User comes to HRMS application:
a. Check for Id_token cookie, if not present then redirect to IDP
b. IDP authenticates and if successful redirects back to SP with ID token
c. If token is valid then SP sets the token as cookie in the browser using another redirect to itself but to the home page
Now All processing will be server side:
a. HRMS app hits the IDP to get the User Data
b. If successful then it hits the OAuth Server to get the access_token
c. if successful then it uses the access_token to talk to DB Service and
get the data
SP=Service Provider, IDP = Identity Provider
Actual flow can be a little different based on security considerations.
Hope this makes it helps.
Why would anyone use OAuth 2 with this kind of grant? I mean, if the client already has the name and password of the Resource Owner, why not just authenticate as the Resource Owner using whatever authentication vehicle is used by the Resource Server?
I do not understand the rationale here. Can someone explain it?
As the spec mentions, the Resource Owner Password Credentials grant is for migration purposes and applicable only in scenario's where (typically) the Client and the Authorization Server are controlled by the same party, https://www.rfc-editor.org/rfc/rfc6749#section-1.3.3:
The resource owner password credentials (i.e., username and password)
can be used directly as an authorization grant to obtain an access
token. The credentials should only be used when there is a high
degree of trust between the resource owner and the client (e.g., the
client is part of the device operating system or a highly privileged
application), and when other authorization grant types are not
available (such as an authorization code).
It allows for utilizing a standard token and protocol on the leg between Client and Resource server (e.g. OAuth 2.0 Bearer Token), whilst using a "to-be-deprecated" way of getting a token between Client and Authorization Server. https://www.rfc-editor.org/rfc/rfc6749#section-10.7:
The resource owner password credentials grant type is often used for
legacy or migration reasons. It reduces the overall risk of storing
usernames and passwords by the client but does not eliminate the need
to expose highly privileged credentials to the client.
This grant type carries a higher risk than other grant types
because it maintains the password anti-pattern this protocol seeks
to avoid. The client could abuse the password, or the password
could unintentionally be disclosed to an attacker (e.g., via log
files or other records kept by the client).
Additionally, because the resource owner does not have control over
the authorization process (the resource owner's involvement ends when
it hands over its credentials to the client), the client can obtain
access tokens with a broader scope than desired by the resource
owner. The authorization server should consider the scope and
lifetime of access tokens issued via this grant type.
The authorization server and client SHOULD minimize use of this
grant type and utilize other grant types whenever possible.
I will provide another point of view.
OAuth 2.0 is a great protocol for common web applications. Some applications, however, use much stronger authentication / authorization mechanism. For these cases, it makes sense to allow token establishment using a strong method. An example of such application can be a banking API - it can use classic OAuth 2.0 flow on web (using bank's website) and strong data signatures using protocols like PowerAuth 2.0 (I am an author of this solution) for native mobile or desktop apps.