OAuth2 authorization - oauth-2.0

I'm really new to this site. The question is:
I need to write an OAuth2 authorization server which will work in the following flow:
1) ABC.com has 500 users. A user tries to authenticate on ABC.com. ABC.com redirects the user to the authorization server, where he fills in the login form. The user logs in and is redirected back to ABC.com.
2) The ABC.com-authenticated user tries to open DEF.com, which on its side has an authentication form.
3) ABC.com sends an authorization token for this user, received from the "Authorization server", to DEF.com, stating that it verifies this user as an ABC.com employee.
4) DEF.com accepts this token and sends it to the "Authorization server" for a recheck.
5) The "Authorization server" sends a message/token back to DEF.com with an Approved/Not Approved message.
6) If the user is really authorized, DEF.com redirects the user to the index page.
Thanks in advance for your help.
If any code example is available, I would appreciate it.

For that purpose, use OpenID Connect.
The authorization server or ABC.com should issue an ID Token and send it to DEF.com. Then, DEF.com should verify the signature of the ID token. Consult an OpenID Connect expert around you for details.

You can use existing OAuth providers like WSO2 API Manager for this.

Related

Grant Management in OAuth / OIDC

There is an OAuth extension to manage grants, called Grant Management for OAuth 2.0.
It says we have to return a grant_id at the token endpoint, and later we can use it in another authorization request.
But imagine a scenario:
The client redirects the user to the authorization server and receives a grant_id.
The user logs into another account at the authorization server.
The client redirects the user with the grant_id. Now, the user id associated with the grant_id is different from the id of the user currently logged in at the authorization server.
It could be a big privacy issue if the authorization server did not check whether the user id of the logged-in user differs from the one associated with the grant_id.
But what does the authorization server have to do in this case? Return an error? Force the user to log into the valid account? Or maybe ignore the requested grant management params?
The specification doesn't say what to do in such a case and I'm really confused.

How does CSRF work without state parameter in OAuth2.0?

I use OAuth2.0 of identityserver3 for SSO in the company, and I cannot understand how the state parameter prevents CSRF.
I have copied the attack flow below:
1. Mallory visits some client's website and starts the process of authorizing that client to access some service provider using OAuth.
2. The client asks the service provider for permission to request access on Mallory's behalf, which is granted.
3. Mallory is redirected to the service provider's website, where she would normally enter her username/password in order to authorize access.
4. Instead, Mallory traps/prevents this request and saves its URL (callback URL).
5. Now, Mallory somehow gets Alice to visit that URL. If Alice is logged in to the service provider with her own account, then her credentials will be used to issue an authorization code.
6. The authorization code is exchanged for an access token.
7. Now Mallory's account on the client is authorized to access Alice's account on the service provider.
I can understand step 1 to step 4, but from step 5 on I am confused. According to my understanding, in step 5 Alice visits the callback URL while she is logged in, then the server just uses the authorization code to access the OAuth service provider to get an openid and access token in the backend, and then Alice's browser just executes a login with Mallory's account and access token. What is the relationship with Mallory's browser?
Could you explain it in detail please? Thank you for taking the time to read my words!
I think steps 3 and 4 are not quite right. I've edited your example to show how I think the attack works.
1. Mallory visits some client's website (e.g. https://brilliantphotos.com) and starts the process of authorizing that client to access some service provider using OAuth (e.g. Acebook, as brilliantphotos.com allows its users to post pictures to their Acebook page).
2. brilliantphotos.com redirects Mallory's browser to Acebook's Authorisation Server, requesting a redirect back to itself once auth is done.
3. Mallory is redirected to the Authorisation Server, where she enters her Acebook username/password in order to authorize access.
4. After successful login, Mallory traps/prevents the subsequent redirect request and saves its URL (the callback URL with an auth code related to Mallory), e.g.
https://brilliantphotos.com/exchangecodefortoken?code=malloryscode
5. Now, Mallory somehow gets Alice to visit that URL (maybe as a link in a forum post...). Note that Alice may already be logged in to brilliantphotos.com with her own account.
6. Alice clicks the link to brilliantphotos.com and the authorization code is exchanged for an access token (access to naughty Mallory's account). If Alice is logged in, then brilliantphotos.com could conceivably associate Alice's account with the newly minted access token.
7. Now, if Alice continues to use the brilliantphotos.com website, the client may inadvertently be posting pictures to Mallory's account on the service provider (Acebook).
If a state parameter was maintained by brilliantphotos.com, then Mallory's state code would be bound to her browser but not Alice's. Therefore brilliantphotos.com would not be able to correlate the state code with Alice's browser session when Alice clicks on the malicious URL.
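The answer's steps 2 to 6 replayed in code, as an added example that is not iandayman's own code: a client that binds a fresh state value to the browser session that started the flow, next to the weak version that accepts any callback. brilliantphotos.com, the Acebook authorize URL and the two session dicts are constructed stand-ins.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://acebook.example/authorize"      # constructed stand-in for Acebook's AS
CLIENT_ID = "brilliantphotos"
REDIRECT_URI = "https://brilliantphotos.com/exchangecodefortoken"


def start_authorization(session: dict) -> str:
    """Client side (step 2): mint an unguessable state and bind it to THIS browser session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": session["oauth_state"]}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback_without_state(session: dict, callback_url: str) -> str:
    """The weak client from the answer: whatever code arrives is bound to whichever browser brings it."""
    query = parse_qs(urlparse(callback_url).query)
    session["linked_code"] = query["code"][0]     # would now be exchanged for Mallory's token
    return "linked"


def handle_callback_with_state(session: dict, callback_url: str) -> str:
    """Hardened client: the callback must carry the state this session issued, and only once."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # one-time use, so a replay also fails
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        return "rejected: state mismatch"
    session["linked_code"] = query["code"][0]
    return "linked"


def simulate_attack(enforce_state: bool) -> str:
    """Steps 2-6 of the answer with two constructed sessions: Mallory's and Alice's."""
    mallory, alice = {}, {}
    redirect = start_authorization(mallory)           # step 2: Mallory starts the flow
    mallory_state = parse_qs(urlparse(redirect).query)["state"][0]
    # step 4: Mallory traps the callback that was meant for her own browser
    trapped = f"{REDIRECT_URI}?{urlencode({'code': 'malloryscode', 'state': mallory_state})}"
    # steps 5-6: Alice, in her own session, opens the trapped URL
    handler = handle_callback_with_state if enforce_state else handle_callback_without_state
    return handler(alice, trapped)
```

Alice's session never issued Mallory's state, so the hardened handler rejects the trapped URL; the honest flow in one session still links once and refuses a replay.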
Besides iandayman's already great answer, you can also get some inspiration from this blog post, or at least take a look at its illustration.
PS: Credit goes to the original blog author.

OpenID Connect Signin Page separate endpoint or authorize endpoint

How does the OpenID Connect Authorization Code Flow work? Let's say a user made a request to app.example.com and didn't have an access token, or had an access token that is invalid. The app then redirected the user to the authorization server: auth.example.com/authorize?response_type=code&client_id=CLIENT_ID&scope=openid&state=STATE&nonce=NONCE
Does the endpoint above have the sign-in screen? Or does sign-in happen at a separate endpoint (something like auth.example.com/signin)?
When the app redirects the user agent to the Authorization Server, the Authentication Server is supposed to authenticate the user. It can do that by presenting a login screen directly or by deferring to a separate authentication mechanism and/or server and/or screen. The authentication of the user is not prescribed by OAuth and is just something that is specific to the Authorization Server implementation. Both options are possible.

Google Federated Login (OpenID + OAuth 2)

I'm trying to get OpenID working with OAuth 2 for using Google's API. I only want the user to have to "grant access" once, when they log in for the first time. Here is the flow I have so far:
User clicks "Login with Google".
My server signs in the user with OpenID. With federated login I receive an OAuth Request Token.
According to https://developers.google.com/accounts/docs/OpenID#oauth, the next step is to exchange the request token for an access token. However, I see a couple of problems with this:
It is an OAuth 1 API call.
It requires a verifier. Don't I need the user to "grant access" to receive the verifier? How is this federated?
Thanks for any help!
You should use OAuth 2.0 based authentication:
https://developers.google.com/accounts/docs/OAuth2Login
This is also referred to as OpenID Connect.
This will redirect to your site with an authorization code. You then exchange that for an access token. You can validate the access token by calling the TokenInfo endpoint with a simple REST request. This will give you a simple userid identifier.
Afterwards, you make a call to get the detailed profile information, such as name, email, etc.
You can see more about how it works with this great demo:
http://oauthssodemo.appspot.com/

What is the format of the openID to Login with the CTP Sample Oauth Provider

Hi, I'm just getting started on the v4 CTP, so I can see myself posting some basic questions as I get my head around it. I want to create a service provider, so I'm looking at the WCF OAuth2.
The first thing is, when I go to log in, what is the format of the OpenID for use with the provided database? What is the process for this? I assume I'll get redirected to a screen where I put in my password? And that interacts with the database?
Cheers, Chris.
The sample OAuth2 Authorization Server's database merely contains a couple of sample client entries so that the sample client can make requests. It has a users table that is automatically populated by each user who successfully logs in using their OpenID. So to your question regarding the "format of the OpenID" to use, any valid OpenID 1.1/2.0 identifier will work.
The OAuth2 authorization server sample doubles as an OpenID relying party in this respect, but its OpenID functions aren't the meat of the sample; there are other sample OpenID RP sites that demonstrate more functionality in that respect. But since the OAuth2 auth server and OpenID RP are coupled in this way, the flow is:
User visits the OAuth2 Client site and indicates to the client that it may request access to the user's data on the resource server.
Client redirects the user to the authorization server so the user may grant permission.
Authorization server prompts the user to log in, if not already logged in.
User enters their OpenID.
Authorization server redirects user to their OpenID Provider to log in using some credential (username/password, infocard, etc.)
OpenID Provider redirects user back to authorization server.
Authorization server sample then asks the user "do you want to share resource [x] with client [y]?" User confirms.
Authorization server records that user authorized client [y] to access [x] so that future requests from that client for that resource may be auto-approved without user intervention.
Authorization server redirects user back to Client with authorization grant.
Client receives the grant along with the user redirect and uses a direct HTTP request to the auth server to exchange that grant for an access token (and possibly a refresh token).
Client then includes the access token in HTTP requests to the resource server to access the user's private data.
I hope that helps.
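The record-then-auto-approve behaviour and the grant-for-token exchange in the steps above, as an added in-memory model that is not the WCF sample's own code: consent is stored per user and client so the "share [x] with [y]?" prompt is skipped next time, and an authorization code is single-use and bound to the client and redirect URI it was issued for. User, client and redirect values in the comments and tests are constructed.

```python
import secrets
import time


class AuthorizationServer:
    """Constructed in-memory model of the sample's authorization server (not the WCF sample's code)."""

    def __init__(self):
        self.consents = {}   # (user, client_id) -> set of resources the user already agreed to share
        self.codes = {}      # authorization code -> grant details; removed on first use
        self.tokens = {}     # access token -> who it speaks for and what it may reach

    def needs_consent(self, user: str, client_id: str, resources) -> bool:
        """The 'share [x] with [y]?' prompt is skipped once every requested resource is on record."""
        return not set(resources) <= self.consents.get((user, client_id), set())

    def record_consent(self, user: str, client_id: str, resources) -> None:
        """User confirmed the prompt: remember it so later requests can be auto-approved."""
        self.consents.setdefault((user, client_id), set()).update(resources)

    def issue_code(self, user: str, client_id: str, redirect_uri: str, resources) -> str:
        """Redirect back to the client with the grant, but only once consent covers all of it."""
        if self.needs_consent(user, client_id, resources):
            raise PermissionError("user has not approved this client for these resources")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "client_id": client_id, "redirect_uri": redirect_uri,
                            "resources": frozenset(resources), "expires": time.time() + 60}
        return code

    def exchange_code(self, code: str, client_id: str, redirect_uri: str):
        """The client's direct request to the auth server: grant -> access token, or None."""
        grant = self.codes.pop(code, None)        # single use: a replayed or guessed code gets nothing
        if grant is None or grant["expires"] < time.time():
            return None
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None                           # issued to a different client or redirect target
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "resources": grant["resources"]}
        return token

    def resource_owner(self, token: str, resource: str):
        """Resource server side: whose data this token may reach, or None if it does not cover it."""
        entry = self.tokens.get(token)
        if entry is None or resource not in entry["resources"]:
            return None
        return entry["user"]
```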
