What are some real-world scenarios for 2-legged OAuth?
Is it only applicable for mobile/desktop apps?
2-legged OAuth (aka. the Client Credentials flow in OAuth 2.0) is useful when a client wants to access certain resources without disclosing its primary client credentials to the resource API. The client would authenticate to an Authorization Server to get a derived token that it can present to the resource API to get access to the protected resources.
Getting the token and presenting it is done in a standardized and interoperable way without pestering the resource API with different authentication mechanisms. It also makes revocation of access easier because that is controlled in a centralized fashion on the Authorization Server, independent of the client's primary credentials. See also: How does 2-legged oauth work in OAuth 2.0?
It is applicable across mobile, desktop and web applications although keeping a client secret in mobile and desktop applications is arguably hard so it is most suitable in server-side environments.
A real world scenario is a batch script that fetches data from a remote API and processes it.
2 legged auth is for server to server authentication on behalf of the application with no end-users involved.
For example, your application on Google AppEngine makes a request to Datastore (Database from Google Cloud). This uses 2 legged auth with JWTs.
Instead, if your application makes a request on behalf of the end user to read the user's Google Drive files, 3 legged auth is used.
Related
We are planning to use OpenID Connect / OAuth2 to handle access to a list of resource servers.
We want to use JWT as access token when a user is going to call one of the resource servers. The access token will be issued by an auth server in our landscape according to OpenId Connect / OAuth2 standards. Access will be granted or rejected to the calling user based on the JWT access token.
The standards are new for us so we are still reading and understanding.
We are currently searching for an option to do a lookup of the resource servers with a call to auth server. We would like to use it in order to simplify the clients.
Is there any option available in OpenId Connect / OAuth2 to help clients finding the available resource server? Is there any endpoint available in auth server to do that? Or can the answer with the JWT be enhanced to return the list of the resource servers?
Thanks in advance
Thorsten
With the use of JWT, there is no need to go for one extra validation from the authorization server. Token & its claims should be enough to validate the access rights. You can customized the token claims as per the needs.
An Authorization Server does not know the list of APIs, since APIs are not usually registered as clients. There are some related concepts though. The IAM Primer article has a good overview on how these concepts fit together.
Each API covers an area of data and this maps neatly to the OAuth Scopes included in access tokens.
Each API has an audience, such as api.mycompany.com, which maps to the aud claim in an access token. This can enable related APIs to forward the same access token to each other and securely maintain the original caller's identity.
An API gateway is usually hosted in front of APIs, as a hosting best practice. This enables clients to use a single, easy to manage, API base URL, such as https://api.mycompany.com, followed by a logical path.
I'm struggling theese days on the possible way to configure an Authentication + authorization system to consume a REST API from a mobile application.
Scenario:
We've developed 3 independent portals for a big customer that serves several users.
To enable a SSO for the 3 portals we've implemented a SAML authentication system using SimpleSAMLphp.
Every portal has a service provider and they make assertion requests against a central IdP.
The IdP checks username and password against a database where passwords are hashed and stored during registration.
After the login, the authorization on the portals is handled by the session on the server, and so far everything was fine.
Now the customer asked us to develop a mobile application that will require the users to login and access several of their protected resources collected during the usage of the 3 portals.
We've decided to develop a frontend application using ionic that will consume a REST API made in node.js that will serve all the data (both protected and unprotected resources).
Now here comes the question: to authorize access to protected resources on the Api we'd like to use JWT to easily achieve a stateless system.
The doubt is how to perform the authentication? We've the opportunity to check the credentials directly against the database skipping the SAML process, otherwise we've to implement a solution where the SSO IdP acts as authentication provider and then when an attempt is successful the API app will get the response from the idp and then issue a signed jwt to the consumer client. Is this second way a common implementation? Is it possible?
What path do you suggest to follow? The first could be very easy to achieve, but since we're using html+js for the app's frontend, if we decide to use the second solution probably in the near future we could recycle some code from the app to modernize some functions on the web portals, maintaining the jwt pattern and consuming the new Api also on the web.
I believe that in this case will be easier to ask a token to the new api using someway the logged in user's data already in the session of the portal. Sounds possible?
I hope that everything was clear, any help will be appreciated!
Thanks
The key goal here is to code your apps in the best way, via
the latest security standards (OAuth 2.0 and Open Id Connect).
SAML is an outdated protocol that is not web / mobile / API friendly, and does not fit with modern coding models.
Sounds like you want to do OAuth but you do not have an OAuth Authorization Server, which is a key part of the solution. If you could migrate to one you would have the best future options for your apps.
OPTION 1
Use the most standard and simple option - but users have to login with a new login screen + credentials:
Mobile or Web UI uses Authorization Flow (PKCE) and redirects to an Authorization Server to sign the user in
Mobile or Web UI receives an access token after login that can be sent to the API
Access token format is most commonly a JWT that the API can validate and identify the user from
The API is not involved in the login or token issuing processes
OPTION 2
Extend option 1 to federate to your SAML Identity Provider - enables users to login in the existing way:
The Authorization Server is configured to trust your SAML based identity provider and to redirect to it during logins
The SAML idp presents a login screen and then posts a SAML token to the Authorization Server
The Authorization Server issues OAuth based tokens based on the SAML token details
OPTION 3
Use a bridging solution (not really recommended but sometimes worth considering if you have no proper authorization server - at least it gets your apps using OAuth tokens):
Mobile or Web UI uses Resource Owner Password Grant and sends credentials to a new OAuth endpoint that you develop
OAuth endpoint provides a /oauth/token endpoint to receive the request
OAuth endpoint checks the credentials against the database - or translates to a SAML request that is forwarded to the IDP
OAuth endpoint does its own issuing of JWT access tokens via a third party library (if credentials are valid)
Web or Mobile UI sends JWT access token to API
API validates received JWT access token
There is a food ordering system. There are around 12 or 13 APIs.
The end-user can search for restaurants, foods, filter things, etc. without logging in to the system. The login is only necessary for placing an order, see past orders etc. So, for like 10 APIs I don't need the user to login.
10 APIs (need to verify the third-party)
The rest (need to verify the third-party as well as the user)
The oAuth 2.0 solutions I have seen so far, they instantly asks for the users to login which is something I don't want.
It'd be really helpful for me if someone takes the time to explain a possible solution and how all those could fit together.
If no Authentication is required, then the information is "Public" and does not need protection from OAuth 2.0.
It would not be unusual for a APIs to be called by a WEB Application where the WEB Application needs to use OAuth 2.0 to access the APIs, but the end-user has no relation to the APIs. So the WEB Application needs an OAuth 2.0 client_id for access to the APIs. The client credentials grant is designed for this use-case: (RFC 6749 Section 1.3.4)
when the authorization scope is limited to the protected resources
under the control of the client ... when the client is acting on its
own behalf
The WEB Application may then at some point use OpenID Connect to Authenticate the end-user for access to some of the "protected resources".
I have generated a Client ID and Client Secret for my application using the Google API Console for my Java web application.
I want to generate an access token to be used in my application to authenticate a mailbox and read mails from there with the help of JavaMail API.
This link has some theoretical information but I could not understand how the tokens can be obtained.
Answer will depend upon where is application running as it determines how access token can be received:
Using OAuth 2.0 for Web Server Applications
OAuth 2.0 for Client-side
Web Applications OAuth 2.0 for Mobile & Desktop Apps
OAuth 2.0 for TV and Limited-Input Device Applications
There are different alternatives or libraries available to get access token depending upon the type of application and different specific mechanisms are defined around it.
So it will be then much easier to dive-in into the specific options available.
We want to secure our api using OAuth.
Our server exposes functionalities through APIs. Separate UI applications consume these APIs.
Users use these UI application to access their resources. Since there are only two systems (client and server) involved,
we would like to have 2 legged authorization flow instead of 3legged with redirections. Also we would like have
separate UI (client) application verification once and use this verification code to perform user login and get access token.
Currently we are evaluating spring security framework. Most of spring security tutorials/article talks about 3-legged oAuth with bearer token approach.
I’m not sure if it supports request singing and above mentioned required process. Is there any other open source framework we can use?