How to implement an OAuth 2.0 Authorization Server? - oauth-2.0

I understood how to write Running OAuth 2.0 code for the client side.
Using existing Authorization Server, like Google, seems to be not too complicated.
Question is: How to implement my own Authorization Server?
Since many companies have their own User/Privilege system, LDAP based (e.g. Active Directory), etc. - they must have their own Authorization Server.
Is there a framework, libraries, etc. for that? Or do I have to write the code from scratch?

The best reference is the OAuth 2.0 site. They list the available server libraries that you can use. Currently, the options are:
Java
Apache Oltu
Spring Security for OAuth
Apis Authorization Server (v2-31)
Restlet Framework (draft 30)
Apache CXF
PHP
PHP OAuth2 Server and Demo
PHP OAuth 2.0 Auth and Resource Server and Demo
PHP OAuth 2.0 (AS with SAML/BrowserID AuthN, with management REST API, see DEMO)
Python
Python OAuth 2.0 Provider (see Tutorial)
OAuthLib (a generic implementation of the OAuth request-signing logic) is avaliable for Django and Flask web frameworks
Other
NodeJS OAuth 2.0 Provider
Ruby OAuth2 Server (draft 18)
.NET DotNetOpenAuth
Erlang Oauth2 Server framework
I would also highly recommend that you read all the documentation available on how the standard works before getting started. There are many parts to OAuth and it can get confusing. At least, that's how I feel.

Check out OpenAM by Forgrock. With little work you should be able to get a java based OAuth authorization server running.
http://openam.forgerock.org/

Related

OAuth 2 Java Rest API

I have Rest API which require authentication. The application is completely written in java. Is there any libraries present for oauth server side implementation for Rest API ?
I have already checked the spring ouath2 security but I am not sure about the support towards Jersey library as I am using it for development. Can you suggest libraries or documentation for ouath authentication in java
Spring Security appears to be the only framework that provides complete implementation for Oauth 2.0 specifications. Spring supports almost all of JAX-RS implementations (including Jersey).
You might need to tweak these Jersey properties to suit your needs.
Check out this known customization required when using Jersey.
Spring Security OAuth 2.0 developer guide.

Why should I use OAuth,SAML,Identity Server

We have many web applications and want to integrate SSO.What is the benefit of using OAuth,SAML,Identity Server. What is different from making a custom webapi that produce token and authenticate user.
There are 3 protocols that you can use for SSO.
WS-Fed, SAML 2.0, OpenID Connect / OAuth 2.0.
The first 2 are the "old" way and are more for enterprise.
The later is the "new" way and is used by modern applications / mobile etc.
Unless there is good reason not to, use OpenID Connect / OAuth 2.0.
Microsoft has OWIN NuGet packages for these for the client.
Whatever you use, do not roll your own. You are pretty much guaranteed to get security wrong.
IdentityServer is an open-source implementation of these protocols. It supports OpenID Connect / OAuth 2.0 OOTB and the other 2 via add-ons.
I've used it extensively - it's definitely a good choice.

PingFederate OAuth validate access token using Apache Integration Kit

We are using Apache integration kit (modpf) for integrating web application with PingFederate as SP. We want to use PingFederate as OAuth server as well. Can we use same integration kit to validate access token generated by OAuth server?
or
are there any other libraries to do it?
One such library that I came across is mod_auth_openidc. Has anyone used it for validating access token?
You cannot use the Apache Integration Kit (OpenToken) to validate Oauth Tokens. They are completely different token types and formats.
However, Hans Zandbelt (from Ping Identity) actually wrote the mod_auth_openidc you link to and per its description, it does the following:
"It can also function as an OAuth 2.0 Resource Server, validating access tokens presented by OAuth 2.0 clients against an OAuth 2.0 Authorization Server."
mod_auth_openidc can also be used to provide SSO for Apache websites based on OpenID Connect, and thus substitute the mod_pf module that that provides SSO based on the OpenToken format and protocol. A sample configuration doing both:
OIDCProviderMetadataURL https://localhost:9031/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID ac_oic_client
OIDCClientSecret abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication
OIDCRedirectURI https://localhost/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCOAuthIntrospectionEndpoint https://localhost:9031/as/token.oauth2
OIDCOAuthIntrospectionEndpointParams grant_type=urn%3Apingidentity.com%3Aoauth2%3Agrant_type%3Avalidate_bearer
OIDCOAuthIntrospectionEndpointAuth client_secret_basic
OIDCOAuthRemoteUserClaim Username
OIDCOAuthSSLValidateServer Off
OIDCOAuthClientID rs_client
OIDCOAuthClientSecret 2Federate
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
<Location /api>
AuthType oauth20
Require claim scope~\bprofile\b
</Location>
You may want to look at PingAccess for this need. It works alongside PingFederate to handle both browser SSO and OAuth access token validation use cases which may simplify your deployment.
It has benefits over an Apache module in that it allows for centralized administration of access control polices and centralized logout across different applications, which is a typical requirement in an enterprise environment.
For your question "Are there any other libraries to do it?". I take this to mean, is there anything else beyond mod_auth_openidc. There is another option. OAuth is a RESTful service to the PingFederate OAuth Authorization Server (OAS). If all you desire to do is validate the incoming Access Token, then you create a REST API call to the PingFederate OAS to validate the token. Within PingFederate you would need to configure an OAuth client for validation. You could integrate cURL within your application for the REST client and then call the PingFederate OAS. You would have to process the response based on your application or service requirements.

how to implement oauth2 on java restful services

I need help with oauth2.0 and java restful (jersey), any help would be appreciated, I need to find way how oauth2 would be implemented. Here's the scenario, We have a web based application, now, there are clients engage to it. They're planning to have an API (Restful service) so that it will be consumed on mobile devices(android and ios). (They can login using mobile and update their accounts etc.).
Now, my problem is how will I integrate oauth2 for its security using java and how will I create Authorization server.
I used to have the same question and end up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
# Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands for downloading and starting the authorization server.
git clone https://github.com/authlete/java-oauth-server.git
cd java-oauth-server
vi authlete.properties
mvn jetty:run
The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released on Sep. 2015) about a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and works like a charm, thanks to the author.

Create an OAuth 2.0 service provider using DotNetOpenAuth

I'm building a web app which will have an api and an authorization service using DotNetOpenAuth. I found this example on how you can authorize using a service provider that already exists but I would like an example on how to implement a service provider that can create tokens, persist them and do evaluation. Is there any great articles or sample providers that I can download?
Update
DotNetOpenAuth has moved on since this was initially posted. I strongly suggest you follow Ashish's advise and take a look at the samples. It contains code to write Authorization Servers, Resource Servers and Clients for all the major flows.
If you wanted a pre built solution, with opensource code
Thinktecture Identity Server is an Open Source .NET security token service. It supports a number of endpoints for authentication including OAuth 2.0 Bearer tokens.
Update this Thinktecture Identity Server is now on version 2 and supports these OAuth 2.0 flows
Resource Owner Password Credential Flow
Implict Flow & JavaScript
Authorization Code Flow
again take a look at the code to see how it was all done and there are samples here to show how to plumb it in.
I hope this helps - these library's and examples have hugely helped us over the past few months.
Update
There is also another example warning, it looks dated of a simple OAuth provider for MVC here Sample code here
There are complete working example for DotNetOpenAuth can be found here - https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples
I tried a number of times with DNOA....had to give up, but documented my findings (used Thinktecture in the end)...http://tb-it.blogspot.co.nz/2015/06/oauth-20-frameworks-and-platforms.html

Resources