PingFederate OAuth validate access token using Apache Integration Kit - oauth

We are using Apache integration kit (modpf) for integrating web application with PingFederate as SP. We want to use PingFederate as OAuth server as well. Can we use same integration kit to validate access token generated by OAuth server?
or
are there any other libraries to do it?
One such library that I came across is mod_auth_openidc. Has anyone used it for validating access token?

You cannot use the Apache Integration Kit (OpenToken) to validate Oauth Tokens. They are completely different token types and formats.
However, Hans Zandbelt (from Ping Identity) actually wrote the mod_auth_openidc you link to and per its description, it does the following:
"It can also function as an OAuth 2.0 Resource Server, validating access tokens presented by OAuth 2.0 clients against an OAuth 2.0 Authorization Server."
mod_auth_openidc can also be used to provide SSO for Apache websites based on OpenID Connect, and thus substitute the mod_pf module that that provides SSO based on the OpenToken format and protocol. A sample configuration doing both:
OIDCProviderMetadataURL https://localhost:9031/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID ac_oic_client
OIDCClientSecret abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication
OIDCRedirectURI https://localhost/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCOAuthIntrospectionEndpoint https://localhost:9031/as/token.oauth2
OIDCOAuthIntrospectionEndpointParams grant_type=urn%3Apingidentity.com%3Aoauth2%3Agrant_type%3Avalidate_bearer
OIDCOAuthIntrospectionEndpointAuth client_secret_basic
OIDCOAuthRemoteUserClaim Username
OIDCOAuthSSLValidateServer Off
OIDCOAuthClientID rs_client
OIDCOAuthClientSecret 2Federate
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
<Location /api>
AuthType oauth20
Require claim scope~\bprofile\b
</Location>

You may want to look at PingAccess for this need. It works alongside PingFederate to handle both browser SSO and OAuth access token validation use cases which may simplify your deployment.
It has benefits over an Apache module in that it allows for centralized administration of access control polices and centralized logout across different applications, which is a typical requirement in an enterprise environment.

For your question "Are there any other libraries to do it?". I take this to mean, is there anything else beyond mod_auth_openidc. There is another option. OAuth is a RESTful service to the PingFederate OAuth Authorization Server (OAS). If all you desire to do is validate the incoming Access Token, then you create a REST API call to the PingFederate OAS to validate the token. Within PingFederate you would need to configure an OAuth client for validation. You could integrate cURL within your application for the REST client and then call the PingFederate OAS. You would have to process the response based on your application or service requirements.

Related

OAuth2.0 without OIDC (Plain OAuth2.0)

As far as I understand, applications that we can login with our different accounts use OpenID Connect(A profile of OAuth2.0).
OAuth is for Authorization and OIDC is for authentication(It has ID Token-User Info Endpoint).
So, was it not possible to login to an application from another application account using OAuth before OIDC? (If possible, how?)
If plain OAuth can't be used for authentication, what is/was it used for?
I mean what does it do with 'authorization' exactly?
What does it get from the resource service with the access token?
I have always found the jargon around this unhelpful so I understand your confusion. Here is a plain English summary:
OAuth 2.0
Before OIDC apps used OAuth 2.0 to get tokens, and this involved optional user consent. The process of getting tokens was termed 'delegation'.
In practical terms though all real world OAuth 2.0 providers also included authentication in order for their system to be secure. How authentication was done is not defined in OAuth specifications.
OAuth is primarily about protecting data, where scopes and claims are the mechanisms. These links provide further info:
IAM Primer
Scope Best Practices
Claims Best Practices
OIDC
This just adds some clearer definition around how authentication messages before and after authentication should work:
A client simply includes an openid scope to use OpenID Connect
A client may force a login during a redirect via a prompt=login parameter
A client may request an authentication method via an acr_values parameter
The client receives an ID token (assertion) once authentication is complete, can digitally verify it if required, then use the information in it (eg a user name)
OIDC still does not define how the actual authentication works though.
Use them together
Pretty much all OAuth secured apps (and libraries) these days use both together, so that the authentication and delegation both use standards based solutions. It gives you the best application features and design patterns for doing the security well.

IdentityServer - multiple OAuth servers with compatible tokens?

Is it possible to have multiple OAuth servers, in multiple environments, produce and consume tokens that are compatible across all servers?
We have a vendor product that has an inbuilt OAuth server. We wish to perform the OAuth authentication using our existing IdentityServer on premise. We then wish for the access tokens generated via our IdentityServer to be recognised and permitted for access to the vendor product using its inbuilt OAuth.
What would be involved in producing / consuming OAuth tokens across seperate OAuth servers and environments?
It looks like you need Identity Brokering. Check the documentation of an inbuilt OAuth server and IdentityServer and search for this feature.

Spring native support for OIDC workflow

I am trying to enable OIDC authN and authZ workflow for my spring-java-web application. Ideally I wanted to do it in a IDP agnostic way.i.e.This application could be integrated with only and any one of the Azure AD,OKTA,AWS SSO,Google-auth by deployment admin.And I want users to be redirected to whatever provider the application is integrated with.
With OIDC as a standard, my understanding is i should be able to write a OIDC auth processing filter that should work with any of the providers. The necessary config that varies per provider ( auth url,client id,secret,JWKS url to get the provider keys etc) will be passed to this filter/rest template as parameters.
Q.1 Is it possible to implement provider agnostic OIDC filter? Can someone give any pointers?
I am aware that Spring natively provides Oauth2 libraries/apis like AuthorizationCodeResourceDetails, OAuth2ClientAuthenticationProcessingFilter . However I do not see any OIDC native processing filter in built. Is there any?
I tried and understood the workflow as given in https://www.baeldung.com/spring-security-openid-connect .However when i try to tweak this code to make it work with Azure AD it fails. Thats because Azure AD requires
The response_type parameter must include id_token.
The request must include nonce parameter to be set in request.
AuthorizationCodeResourceDetails does not support such param. Given that OIDC is a common standard ,
Q-2. I fail to understand why every provider still has different requirements? Doesn't it defeat the purpose of OIDC . Infact I read that google throws error if you pass nonce
Q-3. Are there any spring native ways to configure these additional provider specific params like nonce , promt, additional response-type ,preferable with examples?
I think your problems with Spring Security OIDC are that you're using the legacy OAuth library (at least that's what the baeldung article is illustrating). OAuth2 and OIDC are part of Spring Security 5.x now and not a separate project. There's an OIDC client "login-client" in this example: https://github.com/jgrandja/oauth2-protocol-patterns that might show different. Yes, OIDC should allow you to swap providers in and out although not all OIDC providers will implement everything (e.g. discovery, etc.)

Questions on OAuth 2 server in ASP.NET Web Api

Currently, I think my understanding of OAuth and how it it is implemented in ASP.NET Web Api is flawed.
1) I keep seeing OAuth described as a server (i.e. the OAuth server). Is the OAuth implementation by a Microsoft a separate server with a different port or is it just referred to as a server even though it is self contained within the API project?
2) Is OWIN separate from OAuth or are the two linked such that they must be used together?
3) How does an OAuth v2 server keep track of tokens that have been revoked or have expired? Does the OAuth component have a database that keeps track of the tokens that it issues? If so, what type of database is it?
I have been reading the tutorials by Taiseer Joudeh from bitoftech.net but I think I am missing some of the basics.
Here are my responses:
You can implement the server as a stand alone authorization server or you can implement it together with the resource server. The Visual Studio template brings you both servers together, but you can separate them. Tutorials from Taiseer Joudeh will guide you very well, they did in my case.
OAuth 2.0 is an authorization framework, as said in its definition document. And OWIN stands for Open Web Interface for .NET. Both of them are different things, but Microsoft decided to do an implementation of OAuth 2.0 protocol using OWIN middlewares architecture. Then the easiest way to develop OAuth 2.0 servers in ASP.NET is using Microsoft.Owin.Security.* libraries implemented by Microsoft.
The OAuth 2.0 protocol does not talk about keeping track of expired or revoked tokens, you could implement if you want, but you only could do if the authorization and resource servers are both the same, and then you will need to access to database to check the token for each request, that it is not necessary. If the resource server is separated from the authorization server it has no direct access to the authorization server database. Normally you don't do that. The expiration check of the token is something that the Microsoft.Owin.Security.OAuth library makes for you. If a token received by the resource server has expired, the library responds with a 401 - Unauthorized response.
To make possible that the resource server can decrypt the token, you only need to set the same machine key in both servers' web.config file.
To avoid to have long lived access tokens you could set short access token timespan and implement refresh token. In this case, you could save refresh tokens in database and you can implement some method to revoke them.
Refresh tokens and its revokation are implemented in Taiseer Joudeh blog posts too.
I hope my explanations are clear and can help you. Please tell me if you have any other doubts.

Does Ping Identity set any environment variable containing the username of the person logged in?

I am trying to use this username in my code but I do not know if it is provided in the environment variables. Thanks!
Additional information: I am using using PingFederate and Ping One.
My website is based on C sharp and it used to get the windows environment variable for username. now I want it changed to the user logged in through ping identity.Is it possible to do so and in that case which SDK should I get (I am assuming the .net integration kit right?)?
As a .NET hosted application on IIS, your application would be considered the Service Provider (SP). In this architecture PingFederate is the Identity Provider (IdP). This is a brokered authentication design pattern, or more commonly known as Single Sign-On (SSO). When PingFederate authenticates the user, a token is sent to your application that would contain the username. The code (or library) within your application would process the token and then read out the username.
Here’s a list of options that you could pursue to solve your problem:
WS-Federation protocol using the Windows Identity Foundation (WIF) libraries. The config on the PingFederate side is very simple, and you just have to integrate the WIF libraries on your side. Once the WIF libraries and associated web.config configuration is established, you read the claims object passed to your application.
OpenID Connect (OIDC) protocol using the OWIN middleware. This is also a native MS solution that leverages an open standard. It will require that you have some understanding of OWIN/Katana, as examples are not exactly exhaustive online. PingFedeate supports the OIDC protocol, which is also a very straight forward configuration.
PingFederate Agentless Integration Kit. The integration kit is installed on PingFederate and is easy to configure. It is essentially a REST interface between PingFederate and your application to provide a JSON object with the identity information including username. Your application would need to implement the REST APIs to PingFederate.
PingFederate .NET Integration Kit. This solution implements the PingFederate Opentoken solution for exchanging attributes between your app and PingFederate. The .NET code libraries for handling the Opentoken are provided to you by the integration kit, you just have to integrate them into your code baseline along with about 10 lines of code to read the OpenToken to get username. Configuration on PingFederate is simple.

Resources