I have the following methods: OAuth, SAML, OpenID Connect, XACML, Shibboleth.
Do they work to authorize client to web API ? In practice, which one is the best?
Does they all support JSON?
These are different standards with different purposes.
OAuth is about delegation of authorization e.g. I grant Twitter the right to post on my Facebook account. Look into UMA (user-managed access) in addition to OAuth.
OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an authorization framework. It brings together OAuth and OpenID.
XACML is an access control / authorization standard based on attributes and policies. It is about defining access control policies that govern access to resources.
Shibboleth is / was a federation protocol based on SAML.
SAML is the de facto standard for identity federation across multiple enterprises.
OAuth, OpenID Connect, SAML, and Shibboleth focus on user identities, authentication, and federation.
XACML is exclusively about access control / authorization and can be used in conjunction with any of the other standards.
Whether any of these standards support JSON is a vague question. What for? SAML, AFAIK, is typically XML-encoded but the standard itself is not about its encoding. XACML usually uses XML for its policies but the access control flow can be expressed as JSON. In OpenID it is possible to use JWT, the JSON Web Token.
JSON Web Token (JWT) is a means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS) and/or encrypted using JSON Web Encryption (JWE)
There are 2 websites you can look into to learn more:
Ping Identity provide lots of great information on SAML, OAuth, JWT, and more.
Axiomatics provide lots of great information on XACML.
Related
I'm new to OAuth 2.0 and OpenIDConnect
I want to ask if is it necessary to implement OAuth 2.0 and OpenIDConnect for our login, register flow of our own created client application (mobile apps and server side app)?
Because I've been searching tutorial to implement login, register flow the best practice right now is using OAuth 2.0 and OpenIDConnect but their implementation is toward to securing our API against other people client application. Is this auth flow is just used to secure another people client application to access our API?
Thank you
OAuth 2.0 is both elegantly simple or extremely complex depending on your understanding of the technology and how to implement authorization.
I'm new to OAuth 2.0 and OpenIDConnect I want to ask if is it
necessary to implement OAuth 2.0 and OpenIDConnect for our login,
register flow of our own created client application (mobile apps and
server side app)?
No, it is not necessary to implement. There are many methods of authentication and authorization. OAuth is just one of the more popular methods.
A simpler and terrible method is to just implement username and passwords for your users. Simpler, in this case, is a relative term as now you need to worry about keeping usernames and passwords stored somewhere securely.
OAuth can be used to secure public access to your website, applications (REST endpoints), and more. OAuth can be used for server to server authorization. In the end, OAuth is just a method of creating a token that is presented to a service. The service verifies the access rights of that token and denies or proceeds with the request.
Authorization and Authentication are domains that require a lot of experience to implement correctly. There are many nuances to consider. That is why so many companies are breached, they do it wrong or implement weak methods. At one company I visited for an audit, I wrote down 10 usernames and passwords because everyone had yellow postit notes on their monitors. Even the best OAuth implementation will have problems with that level of security.
Just started POCing KeyCloak to hook up LDAP for user federation (really easy!) and set up a SAML Service Provider with Node.JS (took a bit more time to get the config right). See POC
Question:
Using KeyCloak as the sole Identity Provider, is it possible to set up a 3rd party service (Appian) as a SAML Service Provider, and use the SAML Username and/or Token(session_index) it receives to request an OAuth Token?
Preferably the 3rd party (trusted) service, behind the scenes, would make the OAuth request (with a client id?) to get an access token, and use the token to make API calls.
Seems like there could be two KeyCloak clients, one for SAML, one for OAuth, but then KeyCloak would be able to coordinate the auth under the covers.
You can exchange a SAML assertion (NOT its decoded contents) for an oAuth access token. This flow is described in RFC 7522 (SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants). In practice, this is an exotic use case and it's hard to implement. It assumes that the requester (client) has a way to acquire a SAML response from the IdP and wield it to grab an oAuth access token. To top it off, there are precious few IdPs that support RFC 7522 exchange. At the moment, Keycloak does not support it.
A more straightforward variation of the use case you're thinking about is an ability of a client to request any token (SAML, oAuth, ...) from an identity provider/authorization service without reauthenticating. This is possible with some providers but these mechanisms are proprietary to each provider. For example, Salesforce Identity service allows various tokens to be obtained if you send a request with a Salesforce session ID in a specific format.
OAuth terminology has been bothering me a long time now. Is OAuth Authorization as some would suggest or is it Authentication?
Correct me if I'm wrong but I have always read Authorization as being the act of allowing someone access to a resource yet OAuth doesn't seem to have any implementation that actually allows access to users to a given resource. All OAuth implementations talk about is providing a user a token (signed and sometimes encrypted). This token is then passed with every call to a back-end service endpoint where it is checked for validity, again not an OAuth concern.
Is OAuth Authentication (every article says it isn't) which I take it requires a user to provide credentials which in turn proves a user should/shouldn't have access?
So it seems that OAuth is not Authorization NOR Authentication since these have to be performed by other processes. So what the heck is it? Is it a process for communicating a token? Is it fluff word that really has no specific meaning?
It's hard to ask a question about this subject without sounding enigmatic and superstitious (ghosts and goblins) so I expect that answering this question won't be a simple thing either. Enter at your own risk.
OAuth is a specification for authorization
OAuth 2.0 is a specification for authorization, but NOT for authentication. RFC 6749, 3.1. Authorization Endpoint explicitly says as follows:
The authorization endpoint is used to interact with the resource owner
and obtain an authorization grant. The authorization server MUST first
verify the identity of the resource owner. The way in which the
authorization server authenticates the resource owner (e.g., username
and password login, session cookies) is beyond the scope of this
specification.
OAuth authentication?
Authentication deals information about "who one is". Authorization deals information about "who grants what permissions to whom". Authorization flow contains authentication as its first step. It is the reason people are often confused.
There are many libraries and services that use OAuth 2.0 for authentication. It is often called "social login" and It makes people more confused. If you see "OAuth authentication" (not "OAuth authorization"), it is a solution using OAuth for authentication.
OpenID Connect
OpenID 1.0 and OpenID 2.0 are old specifications for authentication. Those who made the specifications expected people to use OpenID for authentication. However, some people began to use OAuth 2.0 for authentication (not for authorization) and OAuth authentication has prevailed rapidly.
From a viewpoint of OpenID guys, authentication based on OAuth was not secure enough, but they had to admit that people preferred OAuth authentication. As a result, OpenID guys decided to define a new specification, OpenID Connect, on top of OAuth 2.0.
Yes, this has made people much more confused.
One-sentence definitions of OAuth 2.0 and OpenID Connect
OAuth 2.0 is a framework where a user of a service can allow a third-party application to access his/her data hosted in the service without revealing his/her credentials (ID & password) to the application.
OpenID Connect is a framework on top of OAuth 2.0 where a third-party application can obtain a user's identity information which is managed by a service.
(Sorry, these definitions are excerpts from the overview page of my company)
Definitions from a viewpoint of implementors
Authentication is a process to determine the subject (= unique identifier) of an end-user. There are many ways to determine the subject. ID & password, fingerprints, iris recognition, etc.
Authorization is a process to associate the subject with the requested permissions and the client application that requested the permissions. An access token represents the association.
See Also
Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings
Diagrams And Movies Of All The OAuth 2.0 Flows
Diagrams of All The OpenID Connect Flows
The Simplest Guide To OAuth 2.0
OAuth is an authorization protocol. It is not designed for authentication. Yes, there is a step in the OAuth process where the identity server authenticates a resource owner. The way it happens does not belong to the OAuth protocol. That is why OAuth does not concern itself about authentication.
OAuth performs authorization by giving an access token to a third party (service provider) and that party will be able to authorize access to the resource by presenting the token.
Let's say there is a requirement that a service provider wants to access resources (protected by an identity server) on behalf of the resource owner. So the resource owner will first authenticate and then will grant permission for the service provider to access specific resource. Then the identity server will issue an access token for service provider. Later the service provider can access the resource with that token.
Here, OAuth does not care about who is carrying the access token or trying to access the resources. It validates the access token, and lets the third party access the resources.
I am new to security domain, so don't know whether this question is valid to be asked here. I am currently using OpenAM for the security of my web application with J2ee agent, now I find that OpenAM can do authorization with OAUTH as well as on the basis policies defined, now both openam and oauth develops tokens for valid users, and do not share user credential with the application, so how different are the two? My second question is if my application does not support oauth like google and facebook what basic things I need to do to implement oauth into my application.
OpenAM supports OAuth based authorization if that is what your confusion is about. It also supports
1) OpenID Connect
2) SAML
Your application can use either of these to get authorization from OpenAM. Your application can also use the REST APIs for this purpose. The choice is yours.
As far as the tokens go, OAuth tokens are different from OpenAM Tokens. OAuth tokens include
1) refresh_token
2) access_token
The access_token is used for making oauth based calls. However, OpenAM tokens are basically what is there in the cookie or what you get via the REST API.
Regarding your second question, to support OAuth, you would need to use a oauth client library and enable oauth on the server side (in this case OpenAM). This client library would be dependent on the language you choose to write this application.
We're building a new app that requires access to specific customer data, and OAuth appears to be absolutely perfect for our requirements - long-lived access tokens, ability to grant access to specific resources or scopes, and so on. We are not looking for 'log in with Facebook' type capabilities here; we want to expose a single, specific OAuth authentication server based on our existing customer login database, and allow web and native apps to authenticate users via this endpoint.
I've been looking at the DotNetOpenAuth code samples, and it appears that all of the OAuth 2 examples use OpenID to perform the initial authentication and then use OAuth to actually authorise access to resources.
My understanding is that you can use a 'no-op authorisation' to perform the initial authentication, allowing you to use OAuth2 for the whole process; since we don't want to support federated authentication, OpenID doesn't actually offer anything, and so I'd rather stick to a single protocol for simplicity if possible.
Is there a good example anywhere of a pure OAuth2 authentication server built using .NET? Have I misunderstood the example code supplied with DotNetOpenAuth? Or is OpenID still required for the initial authentication phase?
There's no coupled relation between OAuth2.0 and OpenId.
You can implement your custom login strategy in your OAuth2.0 implementation.
Since you gonna be the "Resource Owner"(as far as I understood your application owns the user base), you can simply replace in the DNOA authorization server sample the openid login with the standard asp.net login.
OAuth2.0 protocol simply needs to verify a user identity in order to emit an access token: how that identity will be verified is totally up to you.