I'm helping a client use OAuth for JIRA that is linked to a Crowd user DB. Whenever the user tries to oauth against the JIRA authorisation endpoint they are redirected to their dashboard.
How do you do OAuth with JIRA when there is a Crowd User DB?
So after much hair pulling, I worked out what was going on here. The fact that Crowd was being used was a red herring. The problem was with the OAuth Redirects when you have different DNS details for the JIRA server internally to the network and externally to the network.
During the Oauth process the server which is external to a network requests a token from a JIRA server. It then goes to exchange that token for an authorised one by redirecting the browser to the JIRA Oauth authorisation endpoint.
However, in this case the endpoint is using the external host for the JIRA server and not the internal one so the browser can't find the server or cannot access the server due to the firewall.
There are several possible fixes for this:
Update the computer host file so the external DNS points to the right server internally
Use split horizon DNS
Update the server to support both external and internal URLs for the JIRA server
I have an on-premise client-server application, which uses Google API. Until now we were happy with out-of-band flow (redirect_uri=urn:ietf:wg:oauth:2.0:oob), with manual copy-paste of authentication code, but Google is going to block it soon.
The problem is that Google requires a fixed list of allowed redirect URIs, but I do not know internal addresses of application server inside the intranets. For desktop client I just use http://localhost/xxx, but I do not know what to do with web clients.
The only solution I see is to set up a public authentication server. The client will pre-register the state token and the actual redirect uri on the authentication server before calling Google authentication. But I am not sure this is a good idea.
The 'Resource Server' referred to in the OAuth concept, would it be a Web server or App server?
Vague questions get vague answers.
Yes and no and maybe both.
There are many different architectures in use. (Some not so well done)
OAuth is a protocol for delegation of Authorization. Often ONLY the WEB server has a relationship with the end user and the App server only has a relationship with the WEB Server.
So one might use OpenID Connect for the user<->WEB Server relationship and OAuth for the WEB server<->App server.
As an example, assume you operate a Weather service. The user Authenticates to your WEB Server using OIDC. Now that the WEB server (i.e. OAuth Client) knows who the user is, it then uses OAuth to obtain the Weather from the (possibly third-party) App server. The App Server only needs to know the ZipCode for the user to get the weather and does not require any Authentication of the end-user.
Let me know how I can help.
I'm interested in implementing an OpenID Connect RP for a web application running behind nginx, potentially using oauth2_proxy. Does oauth2_proxy support this out of the box or will additional OpenID Connect features have to be added?
oauth2_proxy has a pull request for OpenID Connect configuration discovery, but I was unable to make it work; it seemed like it wasn't getting valid json back from the https:// request. An alternative would be to code your provider's configuration in the same way that oauth2_proxy already supports Facebook and Google.
I'm not sure whether oauth2_proxy supports anything besides the authorization code flow; you get redirected to Google login, back to your server, and it sets an oauth2_proxy specific cookie to keep you logged back in to your own server.
I am looking for fitting ends to our SSO puzzle.
Currently we have an OpenLDAP behind WSO2 Identity Provider. A client (Service Provider) redirects authorization to the IP (OAuth2) and receives an access_token.
All fine.
Next step is to validate this token on another Service Provider, in this case a reverse proxy (Apache or Nginx) residing on another EC2 instance, which protects a number of unprotected 3rd party applications (3rd party in the sense that we can't touch source code, but do the hosting ourselves). Which tools do serve this request?
I am aware that the OAuth2 spec leaves a hiatus here and that there is a draft which adds a /introspect call to validate this token. I also know that pingidentity implements this draft as part of their Apache module (https://github.com/pingidentity/mod_auth_openidc).
I am just wondering how to implement this on the WSO2-IS side, as I don't find documentation.
*bonus: we also hit several errors while deploying WSO2 (SQL errors) and using it (https://wso2.org/jira/browse/IDENTITY-3009) which made us a bit distrusting about the product.
OAuth2 token validation may be performed with a SOAP call to
{WSO2_IS}/services/OAuth2TokenValidationService.OAuth2TokenValidationServiceHttpsSoap11Endpoint/
The response will include details regarding token validity and JWT claims.
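An added example of how a reverse proxy or gateway could call that SOAP endpoint and decide whether to admit a request; it is not code from the answer above or from WSO2. The endpoint path is the one given in the answer; the host name, the admin credentials and the sample response are constructed. The operation name (`validate`), the request DTO element names and the Axis2 namespaces are written from memory of WSO2 IS 5.x and must be checked against the WSDL your installation serves at the endpoint's `?wsdl` URL before use. The response parser matches element local names only, so it tolerates whatever namespace prefixes the server emits.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Host is a placeholder; path is the endpoint named in the answer.
WSO2_IS = "https://wso2-is.internal.example:9443"
VALIDATE_URL = WSO2_IS + "/services/OAuth2TokenValidationService.OAuth2TokenValidationServiceHttpsSoap11Endpoint/"

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS2_NS = "http://org.apache.axis2/xsd"                    # assumption: service namespace
DTO_NS = "http://dto.oauth2.identity.carbon.wso2.org/xsd"   # assumption: DTO namespace
for prefix, uri in (("soapenv", SOAP_ENV), ("xsd", AXIS2_NS), ("xsd1", DTO_NS)):
    ET.register_namespace(prefix, uri)


def build_validate_envelope(access_token: str, token_type: str = "bearer") -> bytes:
    """Build the request for the 'validate' operation with ElementTree, so the token
    is XML-escaped instead of pasted into a string template."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    req = ET.SubElement(ET.SubElement(body, f"{{{AXIS2_NS}}}validate"), f"{{{AXIS2_NS}}}validationReqDTO")
    tok = ET.SubElement(req, f"{{{DTO_NS}}}accessToken")
    ET.SubElement(tok, f"{{{DTO_NS}}}identifier").text = access_token
    ET.SubElement(tok, f"{{{DTO_NS}}}tokenType").text = token_type
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


@dataclass
class TokenValidation:
    valid: bool
    authorized_user: Optional[str]
    scopes: tuple
    expiry_time: Optional[int]   # seconds remaining, as reported by the server
    error: Optional[str]


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def parse_validation_response(xml_bytes: bytes) -> TokenValidation:
    """Read the <return> DTO out of a validateResponse. Anything missing or unparsable
    yields valid=False, so a malformed reply never admits a request."""
    root = ET.fromstring(xml_bytes)
    ret = next((e for e in root.iter() if _local(e.tag) == "return"), None)
    if ret is None:
        raise ValueError("no <return> element: not a validateResponse")
    fields, scopes = {}, []
    for child in ret:
        text = (child.text or "").strip()
        if _local(child.tag) == "scope":
            scopes.append(text)
        else:
            fields[_local(child.tag)] = text
    expiry = fields.get("expiryTime", "")
    return TokenValidation(
        valid=fields.get("valid", "").lower() == "true",
        authorized_user=fields.get("authorizedUser") or None,
        scopes=tuple(scopes),
        expiry_time=int(expiry) if expiry.lstrip("-").isdigit() else None,
        error=fields.get("errorMsg") or None,
    )


def authorize_request(result: TokenValidation, required_scope: str) -> bool:
    """Fail closed: admit only a valid token that carries the scope the route needs."""
    return result.valid and result.error is None and required_scope in result.scopes


def validate_token(access_token: str, admin_user: str, admin_password: str,
                   url: str = VALIDATE_URL) -> TokenValidation:
    """Live call (not exercised offline). Admin services need HTTP Basic auth with a
    WSO2 admin account; the SOAPAction header is the Axis2 convention (assumption)."""
    req = urllib.request.Request(url, data=build_validate_envelope(access_token), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("SOAPAction", "urn:validate")
    cred = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_validation_response(resp.read())


# Constructed sample reply in the shape of the server's validateResponse.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
      <ns:return xmlns:ax="http://dto.oauth2.identity.carbon.wso2.org/xsd"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ax:authorizedUser>alice@carbon.super</ax:authorizedUser>
        <ax:errorMsg xsi:nil="true"/>
        <ax:expiryTime>3487</ax:expiryTime>
        <ax:scope>openid</ax:scope>
        <ax:scope>profile</ax:scope>
        <ax:valid>true</ax:valid>
      </ns:return>
    </ns:validateResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(parse_validation_response(SAMPLE_RESPONSE))
```

For a reverse proxy the call is made once per request (or once per token with a cache no longer than the reported expiry), and the admin credentials used for the SOAP call are kept on the proxy host only; the mod_auth_openidc introspection route mentioned in the question is the same idea over the REST draft rather than SOAP.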
I'm writing some load tests against a restricted web server on our local domain. The webserver requires entering network credentials to be able to access sites on the server. How do I automate my network login? Again, this is a server login, not a website login form.
Found the answer. This MSDN article explains how to set credentials for a web site that uses basic authentication or Integrated Windows authentication.
http://msdn.microsoft.com/en-us/library/ms182548.aspx