I have 3 web sites in my company and each has its own login page, but authenticating against same authentication ( let's say custom DB) store. Recently, we thought of implementing SSO and by having a centralized Authentication website and all these web sites will rely on this new Authentication website for sign-in. Let me call Authenticating website as IP (Identity provider) and Relying parties as RP1, RP2, RP3.
I'm aware that this is fairly achievable using SAML / WS-Fed (since all websites are asp.net based) based implementation and lot of examples are there in internet. My question is whether the same is achievable using OpenID or OAuth ? There are some scenarios where I think it may not be possible.
Scenario 1:
After I SSO sign-in in RP1 and type the URL of RP2 in browser, will RP2 know that I’m already authenticated and allow me to proceed or will I be forced to login again through IP?
Scenario 2:
Assume that I have signed in and able to navigate between RP1 & RP2, If I sign-out of RP2, and navigate to RP1, will I be redirected to login page? is Single log out achievable ?
Please click here SSO Image
I appreciate your help.
OpenID Connect is an authentication protocol that supports "true" (whatever that means) SSO.
Read about it here: https://openid.net/connect/
Scenario 1: This is never how it works - RP2 will still need to make a roundtrip to the IP to get an identity token. But the user will not see a login screen and will sign-in automatically.
Scenario 2: Single Sign-out is part of the protocol - yes.
Related
I am confused about the different login methods and the impacts on the user experience.
I would like to do native mobile app login on iOS, that means the user is not redirected toward the web page (or in app browser tab) to login. For example : All banking applications (Ex: N26) the login method is always the same : User enter his login / pwd and then he connects.
However, when I see the "Best practice login app for mobile" I can see they use authenticate + authorization code flow with PKCE. But using this method, my mobile app has to be redirected to the authorization server (Like when we want to connect with google).
So my questions are :
Is is possible to do native login using authorization code flow with PKCE without opening an in app browser tab ?
In terms of security, authorization code flow is better than native ? If yes, why all banking mobile applications are not using it ?
if the authorization server is the same than the resources server, is it possible to not have this redirection for the login ?
For now, my server use OpenID, tomorrow maybe OpenIDConnect.
Thank you for your answer :D.
Context
N26 as well as most banking apps do not support Single-Sign-On (SSO).
Auth code flow + PKCE is a way of securely having your user login with SSO, usually using a well known Identity Provider (IdP) as Google. Then, assuming your selected IdP follows the OIDC specs, you will be able to receive an idToken which will represent the user who just logged in and some of her details (called token claims) like her email, name, etc.
Answers
Auth code flow + PKCE is related only when you use OIDC SSO, not with native login.
In order to implement a native login you would have to be the "authority" who keeps the data required to authenticate users like email, password etc. Otherwise, Google (or any other IdP) is responsible for that. SSO provides better UX (as long as the redirect to the IdP is not poorly designed) and users prefer it since they are usually already logged in to their IdP, thus they do not have to remember and type credentials. However, the reason that lots of banks do not use SSO is that they do not trust Google. If Google gets compromised, the malicious party would be able to issue tokens that would allow them to impersonate anyone. Same for availability. If Google goes offline for some reason, users will not be able to login. I guess banks believe that they can provide better security and availability guarantees on their own.
Again, you need the redirection only when using SSO OIDC. If you are not using that, and end up using a native login no redirection will be needed. That being said, it is a good practice too keep your authentication server separate to your back end.
I have implemented an Identity Server4 and it looks great. Now, I have a requirement to connect a native mobile app(xamarin) to it.Most of the blogs and discussions suggest to use either "Authorization Code" or "Hybrid" flow, and the xamarin example in the github uses "Implicit" flow.
I have been through this documentation on Authorization flow and it does not talk anything about username or password.
https://identityserver4.readthedocs.io/en/release/endpoints/authorize.html
What I need is to allow the user to supply his/her username and password to the authentication server, and the server should ultimately give back the access code.
Which will be the most appropriate authentication flow for this.
There are two "mindsets" -
a) the login UI is native in the application
b) the login UI is rendered from the OpenID Connect in a browser
Generally b) is recommended - check the spec:
https://tools.ietf.org/wg/oauth/draft-ietf-oauth-native-apps/
I also did a talk about that last year:
https://vimeo.com/171942749
If you absolutely don't want the redirect/server-based approach, then research the "resource owner password grant" - e.g. here:
https://identityserver4.readthedocs.io/en/release/quickstarts/2_resource_owner_passwords.html
But, I would not recommend it.
At my company we are developing several web applications that uses a REST API server.
First a little introduction.
The app provides the ability to manage users through the REST API and allows the users to login to the app.
Right now the REST API is for internal use only because we plan to develop more apps and communicate to the REST API as the central point of data access. We are handling the REST API authentication with a "Resource Owner Password Credentials Grant" implementation for the internal apps.
What we need is a Single-Sign on service for all the apps, we want a user to login to an app and if he/she access to another of our apps he/she will be already loged in.
We have been experimenting with the CAS protocol, with the CASino library specifically and it works great.
The problem is we don't know how to handle the flow between the apps, the REST API and the SSO service, also I don't know if there is a better choice regarding SSO services.
My questions are...
How we could handle the flow between the apps, the REST API and the
SSO service, because the REST API should be stateless it should not
communicate to the SSO service? or is there a way to communicate the
REST API to the SSO service?
Is there a better choice to implement a Single-Sign on service,
maybe OAth or OpenID and are this options suitable for REST APIs?
Thanks in advance!
Your REST API will have to talk to the SSO server to validate the Access Token, unless all the information it needs is encrypted inside the Access Token. Not sure what you mean by "flow between the apps", you should have all apps talking to a central SSO server.
When a user wants to create an account on WebApp1, the account should be created on the SSO server, either by redirecting them there or if you need a differently styled signup form for each web app, then via an AJAX call to the SSO server's REST API. I would recommend the latter as redirecting is more difficult to debug and it can make a bad user experience.
Make sure the messaging is clear, i.e. not "Sign up for a WebApp1 account", but "Sign up for a MyCompany account to get access to WebApp1".
OAuth 2.0 is very popular and people have more experience with it, so it's easier to get help or integrate with apps created by others.
The doorkeeper gem is a good server library.
OAuth 2.0 is normally used when the SSO server doesn't trust the client apps (e.g. Facebook, Twitter), but it can be implemented in such a way to skip the client authorization step (where the user is asked to approve the client app), and you can use the Resource Owner Password Credentials Grant via a REST API.
CAS is easier than OAuth. It is fairly easy to implement the basic endpoints and that way you can customize it as you wish.
I worked on a CAS-based server with a custom implementation (not sure if it was even really CAS-compliant). The authentication was done with Devise (I don't recommend Devise if you're going to customise it a lot, make your own in this case). The original flow was that the user went to the website, clicked Login/Register and then was redirected to the SSO server and after the user logged in, redirected back with a one-time ticket that the website's backend exchanged to an access token via a REST API call.
Then we added a REST API that was called from each website with AJAX. You send the username/password/captcha/etc and get back an auth token, which the site sends to its own backend. The SSO REST API can also set a cookie on its own domain, so that if the user visit another of our web apps it makes a call on pageload to check if the user is logged in. This way you're automatically logged in on every webapp without the redirect mess.
All tokens issued + the associated user info were sent to a fast Node.js app that would save them to Redis, and the app backends would call this app to validate the access tokens really fast, without putting load to the SSO Rails app.
We currently have a typical forms authentication setup in our organisation; with a login page located at something like account/login. We want to retain this but also want to start securing some of our APIs with OAUTH2 ; essentially we are the provider.
From reading a fair bit about the subject Microsoft's OWIN OAUTH implementation moving forward isn't supported (e.g. vNext) and doesnt support all the flows with OAUTH2. Thinktecture's identityserver3 seems to be the "standard" and most complete solution there is currently.
I cant seem to find an example of using identityserver3 with an existing app that requires forms authentication.
We would be looking at using it in two different ways; one using the implicit flow using javascript where we allow a third party site to call our API once the user has logged in to us (using the forms auth) and the user has allowed the client to access specific scopes.
The other use case, I think , would use the authorisation code flow ; the client would be requesting this so it can auto login (much like a login with Facebook - but login with X company) or be already logged in if logged in our site.
Any help with these scenarios would be most appreciated.
I think it will not be possible to switch your app to OAuth without changing your existing login.
I would suggest you use Identity server with custom user store(https://identityserver.github.io/Documentation/docsv2/advanced/userService.html) to use your current user database. That way your existing login accounts will be used by the identity server.
You can then secure your APIs with OAuth using the Identity server. You might need to change the way your current app call the APIs too. This means users of the current app will be redirected to identity server's login page. You can brand your login pages using custom views to make it appear similar to the curent login page (https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html)
I am developing an asp.net MVC web application that will be deployed in the cloud and should support the following authentication scenarios:
Transparent authentication for domain users on an intranet. These users should be able to access the application without signing in.
Forms login for arbitrary non-domain users on the internet. These users should be presented with a login page using Forms authentication, and membership is managed internally by the application.
Forms login for domain users on the public internet. They should be able to use the same login form as non-domain users, but sign in with their domain credentials instead.
Active Directory Federation Services (ADFS) with passive authentication can cover cases #1 and #3. Since it redirects to the federation provider's login page, it doesn't cover the #2 case. I understand active authentication by my application could possibly support all three cases, however there is not much documentation around on how this would be implemented.
Ideally there should be a way for my application to authenticate a domain username and password with the ADFS federation provider.
Does anyone know whether this is possible, and if so, how?
The standard pattern for this is ADFS with a split DNS - IWA for intranet and Forms for internet.
However, ADFS can ONLY authenticate against AD so option 2 can't be achieved.
I would suggest using IdentityServer for option 2 - you may have to customise it depending on your "flavour" of membership - and then federate ADFS and IdentityServer.
IdentityServer is free / open source.
To expand on nzpcmad's answer, you can set up Claims Provider trusts other than Active Directory in the ADFS Management console under Trust Relationships > Claims Provider Trusts, they effectively chain ADFS with custom STS services.
The entries you add will be added to the Home Realm discovery page within the ADFS web site, such that authenticating users will be presented with a drop-down list to essentially choose the Claims Provider they wish to be authenticated against.
Automatic sign-in will still work for internal users who choose your Active Directory (ADFS provider), whilst members of other Providers will be redirected to their chosen Claims Provider's web site, which will typically present a Forms login page and authenticate against a back-end membership database, all external users (who are not able to present an NTLM or Kerberos token will be required to enter their details - for AD users this will mean they have to enter their domain\user string (or user#domain) and internal password.
Of course, you have to create these providers yourself, in the old WIF days this meant using the fairly clunky Custom STS template, however you can now streamline the procedure with a simple OWIN-based MVC5 site. Alternatively, as nzpcmad suggests, you could look at using IdentityServer.