We are already using CAS for single sign on for several web applications that we are hosting. Now we are going to deploy several HTTP/REST services in our network and those need authentication and authorization.
Would it be a good idea to combine CAS with OAuth ?
Users would still use CAS for SSO, but additionally login procedure would issue OAuth ticket that would be used to access REST services.
REST services can be protected via CAS proxy authn. Additionally, they can be integrated with OAuth. CAS provides both OAuth and OIDC protocol functionality as well.
That's certainly valid. OAuth 2.0 doesn't specify/dictate how the user (Resource Owner) is authenticated and CAS/SSO is fine for that. Effectively you'd be leveraging a CASified Authorization Server so that the Resource Owner authenticates with CAS to the Authorization Server, which is "just" an application to the CAS SSO system. The Authorization Server would then issue an access token down to the Client so that the Client can use that access token to access the protected resources i.e. the REST services.
Related
We have an MVC application (<myapp.somedomain.com>) .net 4.5.2 (OWIN/ADAL) that uses ADFS2016 for AuthN/AuthZ via OIDC/OAuth2. Users' credentials and attributes are stored in AD LDS. A client (X) requested to authenticate in the application via their IdP over SAML2. Is this possible WITHOUT making changes to the application?
The flow I am looking for; for this client the app’s URL would be (<myapp.somedomain.com/?client=x>). Our ADFS would recognize and redirect the client to their IdP where they would authenticate and than they would be send back to our ADFS along with some predefined claims. Our ADFS would map these claims to an Id Token / Access Token for our application to use. Am I dreaming or is this indeed feasible?
Any links to articles / documentation on how this could be achieved would be most helpful.
As #Wiktor suggests, you could add a SAML client-side stack to your app.
The other way is to federate ADFS with the SAML IDP.
When the user is redirected to ADFS, they use Home Realm Discovery to either redirect to the SAML IDP or authenticate on ADFS directly.
ADFS should handle the token conversions but you may have to fiddle around with the claims rules.
I'm struggling theese days on the possible way to configure an Authentication + authorization system to consume a REST API from a mobile application.
Scenario:
We've developed 3 independent portals for a big customer that serves several users.
To enable a SSO for the 3 portals we've implemented a SAML authentication system using SimpleSAMLphp.
Every portal has a service provider and they make assertion requests against a central IdP.
The IdP checks username and password against a database where passwords are hashed and stored during registration.
After the login, the authorization on the portals is handled by the session on the server, and so far everything was fine.
Now the customer asked us to develop a mobile application that will require the users to login and access several of their protected resources collected during the usage of the 3 portals.
We've decided to develop a frontend application using ionic that will consume a REST API made in node.js that will serve all the data (both protected and unprotected resources).
Now here comes the question: to authorize access to protected resources on the Api we'd like to use JWT to easily achieve a stateless system.
The doubt is how to perform the authentication? We've the opportunity to check the credentials directly against the database skipping the SAML process, otherwise we've to implement a solution where the SSO IdP acts as authentication provider and then when an attempt is successful the API app will get the response from the idp and then issue a signed jwt to the consumer client. Is this second way a common implementation? Is it possible?
What path do you suggest to follow? The first could be very easy to achieve, but since we're using html+js for the app's frontend, if we decide to use the second solution probably in the near future we could recycle some code from the app to modernize some functions on the web portals, maintaining the jwt pattern and consuming the new Api also on the web.
I believe that in this case will be easier to ask a token to the new api using someway the logged in user's data already in the session of the portal. Sounds possible?
I hope that everything was clear, any help will be appreciated!
Thanks
The key goal here is to code your apps in the best way, via
the latest security standards (OAuth 2.0 and Open Id Connect).
SAML is an outdated protocol that is not web / mobile / API friendly, and does not fit with modern coding models.
Sounds like you want to do OAuth but you do not have an OAuth Authorization Server, which is a key part of the solution. If you could migrate to one you would have the best future options for your apps.
OPTION 1
Use the most standard and simple option - but users have to login with a new login screen + credentials:
Mobile or Web UI uses Authorization Flow (PKCE) and redirects to an Authorization Server to sign the user in
Mobile or Web UI receives an access token after login that can be sent to the API
Access token format is most commonly a JWT that the API can validate and identify the user from
The API is not involved in the login or token issuing processes
OPTION 2
Extend option 1 to federate to your SAML Identity Provider - enables users to login in the existing way:
The Authorization Server is configured to trust your SAML based identity provider and to redirect to it during logins
The SAML idp presents a login screen and then posts a SAML token to the Authorization Server
The Authorization Server issues OAuth based tokens based on the SAML token details
OPTION 3
Use a bridging solution (not really recommended but sometimes worth considering if you have no proper authorization server - at least it gets your apps using OAuth tokens):
Mobile or Web UI uses Resource Owner Password Grant and sends credentials to a new OAuth endpoint that you develop
OAuth endpoint provides a /oauth/token endpoint to receive the request
OAuth endpoint checks the credentials against the database - or translates to a SAML request that is forwarded to the IDP
OAuth endpoint does its own issuing of JWT access tokens via a third party library (if credentials are valid)
Web or Mobile UI sends JWT access token to API
API validates received JWT access token
I keep hearing OpenID is for federated authentication where as OAuth is for delegated authorization. Is OpenID just the initial step of OAuth involving a redirect to the identity server ? If so why cannot I use OAuth for authentication ?
Open id and Oauth are two different things.
OpenID is about authentication (ie. proving who you are), OAuth is about authorization (ex. I grant your application access to my Google drive account. When your application is accessing my drive account there is no guarantee that it is me preforming the action.).
OAuth is often used in external sites to allow access to protected data without them having to re-authenticate a user.
If so why cannot I use OAuth for authentication ?
Because Oauth knows nothing about who is preforming the task. It could be an application running in the background.
We have a web portail using some exposed API from a service desk application to create and list tickets. oAuth 2.0 is used to authenticate the requests through Google server. Below is the roles of the differents components :
Google oAuth 2.0 : Authentication server
Service Desk application : Resource server with exposed API
Client : Web portail
Which oAuth fow i have to use to authenticate the requests from the client to the resource server ? I think it's the client credentials.
How to check when the resource server receives a request that the request is authorized and can access the resource ? Currently, the resource server checks the access token provided with the request through the authorization server Google (using the API useremail endpoint), then, the resource server checks locally in a file if the client_id is declared.
Any help will be welcome
Thanks
If you want to keep the token at the web portal, you probably want to use the Implicit flow. The Resource Owner Password Credentials flow has some problems:
It requires a client password, which cannot be stored safely in a browser,
Your web portal gets the username and password (of a portal user), which is not good from the security standpoint
You cannot handle authorization of your own application (Service Desk) using Google access tokens, because they contain only Google-related scopes (for accessing Google services and resources). You can either do it locally - have some mapping between Google users and local roles or to have your own OAuth2 server with your own scopes that accepts Google authentication (for example KeyCloak).
I don't quite figure out why oauth2 is for autheorization and OpenID Connect is for authentication purposes.
From OAuth2 RFC
authorization server
The server issuing access tokens to the client after successfully
authenticating the resource owner and obtaining authorization.
By other hand, according Authorization Code Flow RFC Agent or relying party is redirected to a some kind of authentication page in order to be able to authentication user, doesn't it?
Moreover, I've always read that OpenID Connect in built on Oauth2 in order to provide authentication mechanism to Oauth2. Is it right?
OAuth2.0 is an authorization protocol. OpenID Connect incorporates id tokens to add authentication on top of it
authorization server The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Here the authentication is done for the authorization server, not for the relying party. Authorization needs to identify the end user and for that only the authentication used.
Once the authorization server authenticates the end user, it sends back access token which can be used to communicate with a protected endpoint. And the access token authorizes the relying party to use the protected service.
Access tokens never say anything about the end user. They are opaque to the RP and can only be consumed by the authorization server. But id token is a JWT with end user details. That's why I said OpenID Connect provides authentication.
How to choose between OAuth2.0 and OpenID Connect ?
There are many facts you need to consider. Which include the question of "does identity provider support protocols?". But, it all boils down to the fact of how you consume tokens.
If your client application simply allows the end user to consume protected endpoints and does not bother about their identity details, you should use OAuth2.0.
But if your client application is concerned about identifying end user and authenticating them(think about client application's other functionalities such as a database call or even a welcome message which require those) then you should use OpenID Connect.