Using another OAuth2.0 Authorization Server with MobileFirst Platform other than the included one - oauth

Reading this very good blog post (Getting familiar with IBM MobileFirst Platform Foundation OAuth Security), I learned how MobileFirst Platform (7.0 and above) has an integrated OAuth 2.0 Authorization Server, which can be used to protect external resource servers.
However, what I would like to understand is if it's possible to integrate MobileFirst Platform with another Authorization Server and protect MobileFirst Platform (and external) resource servers. The Authorization Server in this case would be ADFS running on Windows Server 2012 R2.
This document from the Product Documentation explains how to use DataPower as OAuth Authorization Server. Can it be used also for other OAuth 2.0 Authorization servers? (The Authorization Server in this case would be ADFS running on Windows Server 2012 R2.)

IBM MobileFirst v8.0 only has support for DataPower as an external authorization server.
If you'd like to use a different AZ server, the only way I can think of is implementing the flow via a MobileFirst SecurityCheck, and have that security check call the other Authorization server.
That way you'd be using both the MFP AuthorizationServer and ADFS (so two OAuth flows, two tokens etc.).
Think of this high-level flow example:
Your resource is protected by some scope, this scope is mapped to a security check in MobileFirst server. When your client attempts to access the resource, your security check is triggered, which will then make a request to the ADFS authorization flow. Your security check would then act as a middle man between the ADFS and the client, and will be successful only when the ADFS has granted a token.
Eventually, when the MFP security check is successful, an MFP OAuth token will be granted to the client, which will allow him to access the protected resource.
So basically your security check will act as your client against the ADFS Authorization server.
A simpler way would be to make that resource unprotected and implement your own custom OAuth flow against ADFS, but that's not the original question.
But the plus side of the first option is that you can always make that same scope (which is protecting your resource) be mapped to something else uninterruptedly (via the console), like to a different security check which does something else.
For IBM MobileFirst 7.1 (or 7.0), the flow is pretty much the same, only the terminology is different: in 7.x there are no Security checks, but you can use a Custom authenticator to get the same functionality.
Personal note: if you're not bound to using 7.x, I'd recommend doing it in 8.0.

Related

Google API OAuth redirect_uri for on-premise Web application

I have an on-premise client-server application, which uses Google API. Until now we were happy with out-of-band flow (redirect_uri=urn:ietf:wg:oauth:2.0:oob), with manual copy-paste of authentication code, but Google is going to block it soon.
The problem is that Google requires a fixed list of allowed redirect URIs, but I do not know internal addresses of application server inside the intranets. For desktop client I just use http://localhost/xxx, but I do not know what to do with web clients.
The only solution I see is to set up a public authentication server. The client will pre-register the state token and the actual redirect uri on the authentication server before calling Google authentication. But I am not sure this is a good idea.

Why should I enable OAuth from APIM when it is already secure using Microsoft Identity platform

I have created a Web API using .NET Core 5. I have secured the app using the Microsoft Identity platform. Client apps are able to get to the resource based on their scope/role. So I know that my API is secure.
Now, I need to add the API to the Azure API Management tool.
So my question is: should I enable OAuth from Azure API Management to secure my web API even though my app is already secured? What would be the reason that I enable OAuth from API Management?
APIM is a proxy to the backend APIs and implementing security mechanisms to give an extra layer of security to prevent unauthorized access to APIs is a recommended practice.
Configuring an OAuth 2.0 Server in APIM merely enables the Developer Portal's test console as APIM's client to acquire a token from Azure Active Directory. In the real world, customers will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references explaining how OAuth secures Web APIs/Services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM

oauth2 openid connect javascript (electron) desktop application

What is the correct OAuth2 flow for a desktop application? Besides a desktop application I have a SPA Web GUI which does use the Implicit flow. There it does not matter if the client redirects after 3600s to the IdP to issue a new access token.
But the desktop application needs to be running 24/7 or could be running 24/7. So it needs to automatically refresh the access token via a refresh_token. But since the implicit flow does not provide refresh tokens it is probably the wrong flow for a desktop app, isn't it?
I guess I need the auth code flow, which does provide a refresh_token. But authentication requests need a redirect_uri. Let's say I want to use Google as my OpenID provider. With Google it looks like I can't register client credentials with a custom URI scheme (https://developers.google.com/identity/protocols/OpenIDConnect). What does work is to register for example http://localhost:9300, which theoretically could be handled by the app.
A: What's the correct OAuth2 flow for a desktop app to receive a refresh_token?
B: Can I catch the redirect_uri via a custom URI scheme without using the implicit flow (Google IdP)? It is way easier to listen for a custom URI scheme than listening on a local TCP port.
C: This is more a general question. Usually desktop apps are public apps, so I should not include client_secret, right? So the only flow which would be left is the implicit flow. But how can I renew access tokens according to specs without bothering the desktop user every 3600s?
In my case I could publish the app locally so not public, but how is it for a public app?
A - Authorization Code Grant
B - Not sure here, you can register a Custom URI Scheme
C - Not enough information provided.
Are you using the AppAuth libraries? If so you SHOULD use PKCE and then additional security measures for the refresh token should not be necessary, on the assumption that the client never sends the refresh token to anyone other than the IDP over a secure connection.
Does this help?
A: Yes use the code grant
B: yes use a custom scheme. In your case you should use the reverse of your client ID. e.g. com.googleusercontent.apps.123 is the reverse DNS notation of the client ID. Register your client as "Other" in the Google developer console.
C: Yes, it should not include the client secret. That is why you don't need to send the secret for native clients ("Other") when exchanging the code for a refresh token. Just leave that field blank and it'll work.
As suggested by jwilleke, please use an AppAuth library if it is available for your use case as it'll also handle some of the security issues (PKCE).
For native apps (Desktop), you can follow OAuth 2.0 for Native Apps. But this is still under review and you can refer to the latest draft from the provided link.
With this flow, you can use authorisation code flow to obtain both access token and a refresh token. Refresh tokens should solve the UX related issue when it comes to extended app usage (24/7 and beyond).
According to this working document, there are strict guidelines on client authentication. Section 8.5 discusses them. As it says, client credentials are not recommended:
"For this reason, and those stated in Section 5.3.1 of [RFC6819], it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret"
Also as nvnagr has mentioned in his answer, PKCE [RFC7636] is a must to have for native public clients.

How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk

I am trying to implement:
An MVC Web API server to return content on-demand (REST Server)
A Central authentication OAuth 2.0 server (for example OWIN)
An Android end-user side Application
The Scenario is like this: Android application requests content on REST Server, if its token is expired, REST server makes a request on authentication server to identify the client. The REST server should be registered using its own [id,secret] on authentication server and then Android application should be informed to identify on central authentication server using end-user [username,password] and Android application [id,secret].
So REST server must be registered on authentication server using fixed [id,secret].
Android application must be registered on authentication server using fixed [id,secret] and end-user [username,password].
So the problem is most samples on the web use cookie based sessions that cannot be used via a REST server and a non-browser end user (at least it is not recommended). I did not find a clear example to explain the implementation of this scenario or even some part of this, all that I found were some beginner code snippets.
Thanks for your help.
I recommend you the posts on Token Based Authentication and Enable OAuth Refresh Tokens from Taiseer Joudeh, which teach you step by step the process to create a token based Authentication (mobile friendly, without cookie storage) and refresh tokens for managing token expiration.
Note: Don't be afraid if the post title talks about "AngularJS". You can skip this part.

Secure Rest API using oauth

We want to secure our API using OAuth.
Our server exposes functionalities through APIs. Separate UI applications consume these APIs. Users use these UI applications to access their resources. Since there are only two systems (client and server) involved, we would like to have a 2-legged authorization flow instead of 3-legged with redirections. Also we would like to have separate UI (client) application verification once and use this verification code to perform user login and get an access token.
Currently we are evaluating the Spring Security framework. Most Spring Security tutorials/articles talk about 3-legged OAuth with the bearer token approach.
I'm not sure if it supports request signing and the above mentioned required process. Is there any other open source framework we can use?
