Is there any sample of implementation of OpenID Connect Provider in .NET?
DotNetOpenAuth doesn't seem to support this standard.
Yes, IdentityServer is an openid connect provider. There are lots of samples of relying parties, provider configurations and a resource server api. See here for the examples: https://github.com/IdentityServer/IdentityServer3.Samples/
It seems to currently be the only "certified" open source .NET (C#) implementation. See http://openid.net/developers/libraries/
I would expect Microsoft to release their OP pretty soon, named WAAD - Windows Azure Active Directory Server: http://www.gluu.co/waad-interop
Are you sure you need an OpenID Provider? If you need Relying Party code, I recently saw this quick article: http://www.gluu.co/simple-connect-client
If you really need an OP, perhaps you should consider OX: http://ox.gluu.org
Who really cares what language the OP is written in? What you want is an easy way to administer the thing... and OX provides an excellent management Web UI (oxTrust).
Related
Does Adobe Experience Manager support OAuth 2.0 as a client? I mean AEM connecting with an external application which plays a role of authorization server and resource provider.
I could not find any examples of such usage - AEM is usually presented as an authorization server and resource provider for other client applications.
AEM provides an number of authorization integrations. Maybe you can switch to SAML, which works pretty good out-of-the-box. I once integrated AEM with Keycloak with good results (but using SAML).
Regarding OAuth most documentation is dominated by AEM as an OAuth provider. They integrated Apache Oltu (which is end-of-life anyway).
But AEM provides an OAuth client as well. But it needs a custom extension for each provider. Out-of-the-box are only implementations for Twitter and Facebook available. But there seems also Github and IMS (Identity Management from Adobe Managed Services) to be available.
Please check also Package Share. But I don't know what is available there. And you probably need support from Adobe, to judge the quality and usefulness of such packages.
If you have to implement your own Provider-Extension, the best starting point I found was here:
https://aemcorner.com/adobe-granite-oauth-authentication-handler/
You are basically free to build whatever you want, as AEM is basically nothing else but a Java application. But you might want to keep in mind, that the standard applications of AEM are delivering rendered HTML from the dispatcher in the end. You want to have as little load on the publishers as possible.
So, when authorisation of resources is a technical- or business concern, you might need to dive deeper into SPAs or at least async loading of resources as JSON.
I am trying to find some information about using Apache syncope (Identity management system) with OAuth 2 authorization.
I see there is no implementation in AS yet as written here: https://issues.apache.org/jira/browse/SYNCOPE-534 so AS is "pure" Identity Manager - not directly involved in authorization operations like oauth 2.0
I have found I should use some Access Managers to implement such scenario.
What access managers should I use? Could you give some advice? thanks
On the page Access Managers you can see that there exist several ones, just not for OAuth 2.
For OAuth 2 an Access Manager had to be developed, perhaps it's possible on base of the existing ones.
Having a look at some commits concerning OpenID there exist the following list:
[SYNCOPE-1270] implementation for OpenID Connect for Admin Console and Enduser
[SYNCOPE-1270] OpenID Connect Logout implementation
[SYNCOPE-1018] self registration for OpenID Connect
It seems being mixed in core though, so probably it's impracticable to do it in the same kind as core can't be updated anymore without problems.
On the other hand, if you are willing to provide the new Access Manager directly to core-development it wouldn't matter, but then it's advisable to contact the core-developers on github first.
While REST might serve as interface for a separated module, the authentication process is technically explained as Provisioning Service.
In Extensions you get an impression which extensions exist and you'd to verify them to get knowledge how to solve your approach in an own extension. I'd chose perhaps SAML 2.0 Service Provider as it's also related to authentication.
Concerning OAuth 2 itself there exist a few implementations in github, regrettable only in PHP, but perhaps that helps you a bit.
I need help with oauth2.0 and java restful (jersey), any help would be appreciated, I need to find way how oauth2 would be implemented. Here's the scenario, We have a web based application, now, there are clients engage to it. They're planning to have an API (Restful service) so that it will be consumed on mobile devices(android and ios). (They can login using mobile and update their accounts etc.).
Now, my problem is how will I integrate oauth2 for its security using java and how will I create Authorization server.
I used to have the same question and end up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
# Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands for downloading and starting the authorization server.
git clone https://github.com/authlete/java-oauth-server.git
cd java-oauth-server
vi authlete.properties
mvn jetty:run
The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released on Sep. 2015) about a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and works like a charm, thanks to the author.
I'm trying to secure my MVC4 Web Api. Actually, I just really need an identity provider with some light security. My service is similar to twitter, from a security standpoint, there's not a lot of private data, but the service does need to know the userid for the caller.
It's also important to know that the web service will only be consumed by mobile devices right now, although a website may accompany it at some future point.
S.O. and the internet have led me to Thinktecture.IdentityModel, but man it seems complex and I can find exactly zero documentation or samples. I also haven't yet had a pleasant experience with claims-based authentication. I don't have a claims server, token provider, or anything like that, and it seems like you would need that to use this method. This all seems far to heavy for my situation.
I've also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but these also seem a bit complex (I've read that OAuth without the helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2,500 authenticated users per year ...
What is the best way to implement a simple identity provider and security for Web Api?
Thanks!
I have attempted to answer a similar question to this before Create an OAuth 2.0 service provider using DotNetOpenAuth where I highlighted the Thinkecture Identity Server. The Setup instructions not too difficult (IMHO) The installation video is here and should help a lot.
I have updated my older answer with this too but there is also a fairly lightweight O-Auth 2.0 implementation example here Sample code here http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges
Have you also read this well articulated question here Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)
Well, security is hard :)
As for Thinktecture.IdentityModel -- this is a token processing library (among other things) that you'd use in your WebAPI application. You'd use this so you don't need to do the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are just a side-effect.
If you're looking for an identity provider, then the sister open source project Thinktecture.IdentityServer is in beta for version 2. It's an identity provider that supports a custom database and issues tokens. The project URL is:
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples
(Why do you need more reputation to comment on SO than to answer?)
Please I would like someone to tell me if dotNetOpenAuth single-sign-on.
All I want to achieve is to be able to seamlessly logging to all domains without redirect to third party system for authorisation or Authentication within a mixture programming platforms e.g (PHP or .Net)
DotNetOpenAuth library is a simple library to implement Single Sign On for .NET based application. The only issue I faced was related to performance. It was found to be a known issue with a particular API that cause the sluggishnes.
DotNetOpenAuth can be used for SSO solutions, but each new web site a user visits does need to perform a redirect to the identity provider. In a controlled SSO environment, that provider may never appear to the user, so the login is totally transparent. There are a couple of samples of an SSO configuration that comes with the DotNetOpenAuth download.
DotNetOpenAuth will help you do what you want to do provided you can support OpenID from PHP. You need to implement a provider (the site that authenticates you against a DB or other store), and a consumer (the site you want to log into).
My recommendation would be to consider the authentication protocol you wish to use rather than a specific library at first. In the case if DotNet OpenAuth it has support for:
OpenID
OAuth
InfoCard
These are just a few of the protocols available. You should also look into the SAML family of protocols, in particular SAML 2.0.
There are implementations of SAML for PHP, .NET, and many other platforms. You might want to look at a comparison between OpenID and SAML in order to choose which is better for you.