Worklight support for OAuth and SAML - oauth-2.0

Given that we are running on a full WebSphere Application Server v8.5.5 profile, which has support for both OAuth and SAML ( http://ibm.co/1bUqrJJ and http://ibm.co/1es8Hgv ), can a Worklight 6.1 environment take advantage of either without needing some other external authorization service such as DataPower or ISAM between the device and the Worklight Server?

Worklight (5.0.x, 6.0.0.x, 6.1.0) does not provide any OAuth support on either the client or server. So any integration you're going to do will require some work on your part.
See related questions about Worklight and OAuth:
How to implement OAUTH 2.0 in IBM Worklight 6.0
IBM Worklight - How to use Google authentication in a Hybrid application?
OAuth support is something that Worklight product designers are thinking about, but I cannot comment further.

Related

How to do OAuth 2 / Open ID Connect (OIDC) on WebLogic 14.1

We are looking into implementing authentication using the OIDC protocol on a web application deployed on WebLogic Server 14.1.
According to one comment here "Weblogic's OIDC functionality is available only from Weblogic Version 12.xx.".
However, I only find SAML support; OIDC integration seems to require the use of Oracle Access Manager (OAM).
I'd prefer not to require a separate product, so I would appreciate any feedback about your experiences doing OAuth integration with WebLogic with or without OAM.
References: OAM 11.1 FAQ

FIDO Authentication using windows hello and webauth

Would like to implement FIDO authentication for our web application using 'Windows Hello' as the authenticator and the 'WebAuthn' protocol.
Please let me know the steps involved.
Which Windows OS version and build version supports Windows Hello?
How to set up a FIDO server?
How to integrate our web application with the FIDO server?
Can FIDO be used to authenticate back-end web API endpoint access?
1. FIDO2 functionality was initially released in Windows 10 version 1803.
2. Set up a FIDO Server - You'll need to make a couple of design decisions first.
   2.1. Pay an IAM solution provider that already offers WebAuthn / FIDO2.
   2.2. Build WebAuthn / FIDO2 functionality into your existing authentication system.
      2.2.1 Integrate with an authentication service. The authentication service hosts the infrastructure; your app just calls their API.
      2.2.2 Spin up standalone WebAuthn / FIDO2 servers on your own infrastructure and integrate them with your existing authentication system.
      2.2.3 Integrate WebAuthn / FIDO2 libraries into your existing authentication system (uses existing infrastructure).
3. How you integrate depends on the design decisions outlined above. If you want to learn about integrating a library into your existing authentication system, then I would recommend Yubico's Passwordless Workshop.
4. WebAuthn / FIDO2 supports various use cases. Learn more at the FIDO Alliance.

Which OAuth flow should be used for mobile app developed using Ionic Framework?

I am developing a mobile app using Ionic Framework v3. It will be interacting with my authorization server (www.example.com) using REST calls. To make the REST calls more secure I have introduced OAuth and JWTs. But I am unable to decide which OAuth flow to use.
Also note I will be using my own OAuth server and will not be using public servers such as Facebook, Google, etc.
My understanding is it depends on if you're going to deploy your Ionic app as a Web app or a Native app. For Web (SPA) you'll likely use the Implicit flow, and for Native you'll likely use Authorization Code Grant using Proof Key for Code Exchange - PKCE.
I personally use Auth0 for my auth, and I deploy my Ionic app in Web and Native. My app triggers the Implicit flow when in Web and PKCE for Native. Auth0 has some helpful docs here:
https://auth0.com/docs/api-auth/which-oauth-flow-to-use
https://auth0.com/docs/api/authentication#implicit-grant
https://auth0.com/docs/api/authentication#authorization-code-grant-pkce-

Using another OAuth2.0 Authorization Server with MobileFirst Platform other than the included one

Reading this very good blog post (Getting familiar with IBM MobileFirst Platform Foundation OAuth Security) I learned how MobileFirst Platform (7.0 and above) has an integrated OAuth2.0 Authorization Server, which can be used to protect external resource servers.
However what I would like to understand is if it's possible to integrate MobileFirst Platform with another Authorization Server and protect MobileFirst Platform (and external) resource servers. The Authorization Server in this case would be ADFS running on Windows Server 2012R2.
This document from the Product Documentation explains how to use DataPower as the OAuth Authorization Server. Can it be used also for other OAuth2.0 Authorization Servers? (The Authorization Server in this case would be ADFS running on Windows Server 2012R2.)
IBM MobileFirst v8.0 only has support for DataPower as an external authorization server.
If you'd like to use a different AZ server, the only way I can think of is implementing the flow via a MobileFirst SecurityCheck, and having that security check call the other Authorization Server.
That way you'd be using both the MFP AuthorizationServer and ADFS (so two OAuth flows, two tokens, etc.).
Think of this high-level flow example:
Your resource is protected by some scope, this scope is mapped to a security check in MobileFirst server. When your client attempts to access the resource, your security check is triggered, which will then make a request to the ADFS authorization flow. Your security check would then act as a middle man between the ADFS and the client, and will be successful only when the ADFS has granted a token.
Eventually, when the MFP security check is successful, an MFP OAuth token will be granted to the client, which will allow him to access the protected resource.
So basically your security check will act as your client against the ADFS Authorization Server.
A simpler way would be to make that resource unprotected and implement your own custom OAuth flow against ADFS - but that's not the original question.
But the plus side of the first option is that you can always make that same scope (which is protecting your resource) be mapped to something else uninterruptedly (via the console), like to a different security check which does something else.
For IBM MobileFirst 7.1 (or 7.0), the flow is pretty much the same, only the terminology is different: in 7.x there are no security checks, but you can use a Custom Authenticator to get the same functionality.
Personal note - If you're not bound to using 7.x, I'd recommend doing it in 8.0.

How to implement a Mule app as an OAuth2 Resource Server for RESTful services

How to implement a component that publishes secure REST services, with these conditions:
These services should be secured by OAuth 2.0.
This component will be the Resource Server.
The Authorization Server is a third-party component implemented with Spring OAuth2.0 and deployed on a JBoss server.
The client app will call the resource server, using JavaScript or a RestTemplate client.
Since you are already developing other legs of the OAuth2 solution using Spring Security, there is no reason to not use it as OAuth implementation for Mule as well.
http://www.mulesoft.org/documentation/display/current/Configuring+the+Spring+Security+Manager
There are also some ready-made things in Mule; if you run the commercial version, check this out: http://www.mulesoft.org/documentation/display/current/Mule+STS+OAuth+2.0a+Example+Application