Spring boot microservice with OAuth 2 and JWT for Security - oauth-2.0

I am developing a Spring boot application for payment using microservices, which will be consumed by mobile application and web application.
1) Users need to be authenticated for accessing the mobile app
2) Third party mobile apps using my services need to be authenticated (with my app)
3) Web applications using my services need to be authenticated.
My user details will be in a DB or LDAP. I have plans for integrating IBM API Management, and the deployment will be on on-premise servers. Based on these requirements, how should I design and implement my solution?
After going through different blogs I am confused now. So proper guidance would be very helpful for me.

Your question is a bit vague or too broad, but ...
Using LDAP does not scale well, consider using NoSQL alternatives as those are closer to the principles of microservices.
See:
Microservice Authentication strategy
http://presos.dsyer.com/decks/microservice-security.html#slide6
https://www.quora.com/Microservices/How-do-I-handle-authentication-in-a-microservices-architecture-with-the-front-end-decoupled-too

Related

Spring Webflux + LDAP/Kerberos Security

I have a Spring Boot 2 Reactive Web Application that currently has a JWT-based authentication system. Now I would like to add an LDAP backend for authentication and allow Single Sign-On (SSO) via Kerberos.
It seems Kerberos and LDAP support is currently limited to webmvc and no dedicated reactive version is available.
Since documentation about integrating all 3 components (WebFlux, LDAP + Kerberos) together in one application is quite rare, I would like to ask if any of you have already attempted to set up such an infrastructure and are willing to share an example of how to do it.
I ran into the same issues with SAML. I haven't seen any progress on porting these subprojects to be supported in a WebFlux environment. The obvious approach seems to me to rewrite all servlet filters as WebFilters.

IdentityServer4 with webforms & multi-tenanted environment

We are a new tech team that has inherited a webforms app. We are planning on building out an internal API and would like some guidance for implementing it with our existing app.
Ideally we would like an independent app hosting the identity server, and both the internal APIs and the webforms app would call it. However, we host hundreds of websites on a single platform in a multi-tenanted setup.
Can we use IS4 with webforms?
Can you give some guidance around multi-tenanted setups?
Can we use cookie based authentication in the webforms app and use the same token for delegated access when communicating with the api?
Have I missed anything obvious?

Basic Identity Provider in Ruby

I'm going to be undertaking a large project for a client of mine. I need to write an IDP (identity provider) that will handle single-sign-on to multiple apps by a number of different authentication methods (such as SAML, OAuth, Form-based auth, HTTP Basic auth). I'd also need the ability to add in additional types of authentication as the app grows.
The basic idea would be that we'd have three different components to the app. One would be the IDP. Another would be a data-store that contains user accounts, the apps they want to use, etc. The third would be a GUI front-end that allows users to sign into apps.
It seems that there are some existing gems that handle authentication, like https://github.com/onelogin/ruby-saml and https://github.com/intridea/omniauth. My question is, am I overcomplicating this project -- would I just be able to use existing gems like these to act as the IDP, or is this a project where I'd need to read specs and implement them myself in Ruby?
Using something like the SAML toolkit for Ruby on Rails adapted to work with an ADFS server, you can integrate with ADFS. Now you can leverage ADFS features:
Interface with Facebook etc. via Azure ACS
Interface with Azure Active Directory and hence SSO to SaaS applications
Azure Active Directory Multi Factor Authentication
BYOD via the Web Applications Proxy
OAuth on ADFS 3.0
and so on. The list is expanding all the time.
Once you hook into these standards, you just inherit all the new features as they are released.

Silverlight 4 - MVC 2 ASP.NET Membership integration "single sign on"

Scenario:
I have an ASP.NET MVC 2 site using ASP.NET Forms Authentication.
The site includes a Silverlight 4 application that needs to securely call internal web services.
The web services also need to be publicly exposed for third-party authenticated access.
Challenges:
Securely accessing web services from Silverlight using the current user's identity without requiring the user to re-login in the Silverlight application.
Providing a secure way for third-party applications to access the same web services with the same user's credentials, ideally without using ASP.NET Forms Authentication.
Additional details and limitations:
This application is hosted in Azure.
We would rather NOT use RIA Services if at all possible.
Solutions Under Consideration:
I think that if the web services are part of the same MVC site that hosts the Silverlight application, then forms authentication should probably "just work" from Silverlight based on the user's forms auth cookies. But this seems to rule out the possibility of hosting the web services separately (which is desirable in our scenario).
For third-party access to the web services I'm guessing that separate endpoints with a different authentication solution are probably the right answer, but I would rather only support one version of the services if possible...
Questions:
Can anybody point me towards any sample applications that implement something like this?
How would you recommend implementing this solution?
You can extend WCF to use Membership as the authentication store and reuse the FormsAuth cookie (sent by the MVC site to the browser) from the Silverlight app.
I would recommend using an STS with Windows Identity Foundation so you can have your app use claims identity and then change authentication outside the app. For third parties you can use Windows Azure Access Control Service (ACS). We are updating our guidance on this and you can look at the new code showing you how to do this at our CodePlex site. The original book is available at Amazon. I would focus on the updated guide because it has ACS with websites and an active client talking to WCF. The client is WPF, but it would be similar for Silverlight.

How do I integrate SAML into my Rails Application?

I have a Rails app that is currently an affiliate site with my customer's SSO Identity Provider. Currently it uses the CA SiteMinder Affiliate Agent, which is an Apache module. The underlying SSO architecture is abstracted away, and my Rails app only has to parse an HTTP header to receive the values from my customer's Identity Server. I now have to convert my site away from the SiteMinder Apache module and use SAML. Does anyone have experience with how this should be implemented? Is there an Apache module that can continue the abstraction I'm used to now, or will my Rails application be responsible for parsing the SAML assertions?
OpenSAML is a library - it's not really a replacement for SiteMinder. Perhaps you're thinking of OpenSSO. It is an open source product very similar to SiteMinder that supports SAML and Apache.
My team implemented the SAML protocol in Ruby and it worked well. There were some minor hiccups in using some libraries to compute hash values, but it worked. I'm not sure if there is a better plug-and-play solution by now, but understanding the SAML authentication process and implementing our part only took a few days.