OAuth replication with certificates? - oauth

Thanks to a detailed answer from #Kxepal, making OAuth work with CouchDB replication works. Now I'm looking for insight into how to replace the keys known to the admin with X.509 (or other) keys, so the admin would only have the public key of the user and could not impersonate one.
What would be the steps to enable replication for CouchDB using keys for OAuth authentication?

Related

Certificates for Oauth2 Private key client credentials

I have an application that offers SSO log in through OAuth 2.0 for my customers.
So far, I am using Shared secret client credential, but I now want to support Private key client credentials, and am struggling on finding information on an important detail for the certificate approach:
What type of certificate should be used?
Does the application have to generate a certificate per customer?
Is a cloud provider (i.e. AWS ACM) public certificate enough for this kind of implementation?
For information, one of the systems I have to integrate with runs on Azure. Here is a link to the docs about authentication with certificate credentials

Certificates for authentication and signing

I have a client server scenario.
I have both thick client and a thin client (browser) which communicates with my server.
My thick client uses an X.509 system certificate for the client certificate authentication scenario and communicates with the server.
Also, this certificate is used to generate signed URLs (with expiration time) for my thin client to communicate with my server, which is used for integrity and authorization purposes. I also have a token based approach for authentication purposes in this case.
Now I want to completely move my authentication mechanism to an OAuth based flow using client credentials or auth code based.
I understand that authentication and authorization can be moved to OAuth based communication. But how do I move my signing (digital signature) based use case to OAuth from certificate based?
I don't think there is any other way than to use a certificate based PKI mechanism for digital signing. Can the private and public keys be distributed other than via certificates?
Best Regards,
Saurav
Can the private and public keys be distributed other than via certificates?
You may generate a key pair using openssl (command line - openssl.exe) or any cryptographic library or the CSP of a crypto device. Instead of distributing it, you may have a piece of software which the user may use at his end to generate the public key and private key, share the public key if required and store the private key securely. But the question remains how the user would store the private key securely, and there come certificate storage formats like PFX, which is password protected (encrypted using the password you provide), or storing the private key in a smartcard or USB token, which are cryptographic devices. You may program these devices to generate your own keys and not necessarily store a certificate issued by a CA.
For browser based access to the user's private key, you may need to use a browser extension.
Refer to this SO answer for accessing user's keys from browser for authentication.

How to generate OAuth 2 Client Id and Secret in Ruby

How can I generate a client id and client secret for user based authorization?
I am reading this link to authorize a user. But I have no idea on generating these keys and want to authorize many users based on these keys in Ruby. Any starting guidance is appreciated. Thanks
OAuth is generally used to authenticate users for your site by having them log into an external service (i.e. Facebook or Google). The OAuth keys are generally generated by the outside service. Rails has some solid user authentication gems such as Devise that include protocols for common OAuth providers.
You would get it from the OAuth provider you are using. For Google, for instance, you would create a new project on console.cloud.google.com or use an existing project from there. Then you would go to APIs and services. Then you would set up credentials and your OAuth consent screen.

Obtain Keycloak access token from trusted client without user password

We have a client that among other things creates and manages Keycloak accounts.
Would it be possible for that client to retrieve tokens on behalf of the users without having to create any user passwords at all? In fact, we'd like to create user accounts and not set a password to start with. None of these users will ever authenticate themselves.
None of the OAuth2 flows seem to really match this, and we were wondering if there is a variation of the password grant type in which the password is not required for a trusted client ID/secret.
Some options we explored so far are offline tokens and user impersonation, but the former requires persisting secrets, and the latter relies upon proprietary Keycloak features using cookies rather than standard OIDC.
There is, as of today, an experimental OAuth 2 token exchange grant type available in Keycloak: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-19
As #qdivision pointed out: https://www.keycloak.org/docs/latest/securing_apps/index.html#direct-naked-impersonation
And Thomas Darimont: https://blog.softwaremill.com/who-am-i-keycloak-impersonation-api-bfe7acaf051a

OAuth2 integration with wso2is-5.5.0 and OWSM

I have integrated wso2is-5.5.0 and weblogic12c (OWSM) with our product for the OAuth2 implementation.
Imported the wso2carbon certificate into the weblogic12c (OWSM) key store for token decryption.
Facing the same issue, can anyone please provide information about the following questions:
How does wso2is-5.5.0 encrypt the OAuth token? With which key? What is the key location path?
I am not able to see correct kid values in our OAuth token generated from wso2is-5.5.0, because the key alias is wso2carbon and the token has kid NTAxZmMxNDMyZDg3MTU1ZGM0MzEzODJhZWI4NDNlZDU1OGFkNjFiMQ.
Do I have to use a custom certificate and key alias? Can you please provide a document/link with steps to follow?
Is there any way to use a custom OAuth Client Key and OAuth Client Secret?
Answering your questions,
If you have enabled JWT encryption, it is encrypted with the key you have configured in the service provider.
In the IS implementation, the thumbprint of the certificate is used as the kid value.
To encrypt the JWT, you always have to upload the public cert to the service provider config. Otherwise you can't encrypt the JWT. So you are always using a custom certificate. Refer to this doc to get more details on how to add a cert to the service provider config.
This is possible if you are adding the service provider from the admin service. Refer to this doc for more information.
Apart from the above questions, if you are signing the JWT, it is signed using the server private key (for the super tenant; in the case of a tenant, the tenant private key is used). The default keystore wso2carbon.jks is located in <IS_HOME>/repository/resources/security. You must change this keystore when you do the deployment in production. Refer to this and this to change the keystore.
Hope all of your questions are answered.
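A small check for the kid question above, added here as an example and not code from WSO2 or from the answerer. It assumes, as the answer states, that the kid is the certificate thumbprint, and further assumes the encoding is the hex SHA-1 digest of the DER certificate, base64url-encoded without padding; the DER bytes and the JWT below are constructed placeholders.

```python
import base64
import hashlib
import json
from typing import Optional

# kid value quoted in the question above
QUESTION_KID = "NTAxZmMxNDMyZDg3MTU1ZGM0MzEzODJhZWI4NDNlZDU1OGFkNjFiMQ"

# Constructed placeholder: NOT a real certificate, just bytes to hash.
SAMPLE_DER = b"constructed DER placeholder for the demo cert"


def b64url_decode(s: str) -> bytes:
    """Decode base64url, restoring the padding that JWT encoding strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def kid_from_thumbprint(thumb_hex: str) -> str:
    """Assumed WSO2 IS encoding: base64url(hex thumbprint) without padding."""
    return base64.urlsafe_b64encode(thumb_hex.encode("ascii")).decode("ascii").rstrip("=")


def kid_from_der(der: bytes) -> str:
    """Derive the kid from a certificate: SHA-1 over the DER bytes, then encode."""
    return kid_from_thumbprint(hashlib.sha1(der).hexdigest())


def thumbprint_from_kid(kid: str) -> str:
    """Invert kid_from_der: recover the hex SHA-1 thumbprint named by a kid."""
    return b64url_decode(kid).decode("ascii")


def jwt_kid(token: str) -> Optional[str]:
    """Read the kid from a JWT header without verifying the signature."""
    return json.loads(b64url_decode(token.split(".")[0])).get("kid")


def token_names_cert(token: str, der: bytes) -> bool:
    """Header-only check: does the token's kid point at this certificate?
    Signature verification against that certificate is still a separate step."""
    return jwt_kid(token) == kid_from_der(der)


def make_sample_token(der: bytes) -> str:
    """Constructed, unsigned sample JWT (not issued by WSO2) for the demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT", "kid": kid_from_der(der)}
    payload = {"sub": "demo", "iss": "https://is.example:9443/oauth2/token"}
    return f"{enc(header)}.{enc(payload)}.sig"


SAMPLE_TOKEN = make_sample_token(SAMPLE_DER)

if __name__ == "__main__":
    print("thumbprint named by the question's kid:", thumbprint_from_kid(QUESTION_KID))
    print("sample token names sample cert:", token_names_cert(SAMPLE_TOKEN, SAMPLE_DER))
```

The decoded thumbprint can be compared with the SHA1 fingerprint that `keytool -list -v` prints for the wso2carbon alias, which tells you which certificate the token actually names.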
