Google oAuth2 & OpenId without Gplus button (Java) - oauth-2.0

I'd like to create a web-application in Java that uses Google services both for initial authentication and API calls. (e.g. Google Calendar)
I want to stay away from Google Apps Engine, because of the overhead it creates and because of the requirements for a GAE project. Next to that I want to avoid the Google plus login button, because it isn't custom brandable.
For authentication I'd like to use OpenId and for the access to Google API's I'd like to use oAuth2.
Currently I have a working project using the most recent oAuth2 lib and code from :
https://code.google.com/p/google-api-java-client/wiki/OAuth2
I'm using a light-weight OpenId library JOpenId for OpenId authentication.
The combination can be used to successfully authenticate, but I have two main concerns:
JOpenId has not been actively maintained for over 2 years. The authentication mechanism is outdated and incomplete (based on the issue section of the project).
In the authentication process, the user needs to select his Google account and grant permissions twice. This is confusing to the user and can be a problem if the user selects two different accounts in this process.
I've looked at Step2 (http://code.google.com/p/step2/) as a hybrid solution to combine OAuth2 and OpenId, but the project is very bloated with a big OpenId4Java library, GAE stuff and it uses maven dependencies that are not online anymore (e.g. Guice)
Are there other, cleaner, solutions that meet this project's requirements? (Preferably a library that can combine OpenId and OAuth2, and is still maintained)

Related

Open source cross domain authentication? Custom databases

So I have been looking into OAuth lately. I want to authorize another of my domains, which has a separate database, using OAuth. Upon searching I found auth0.com, which sounded similar to OAuth, and I created a sample implementation; it offers support for custom databases also. We have users stored in an external API running on .NET Core, and I learnt that auth0.com is not free after trial expiration. So my efforts kind of got wasted. Now I am looking for an authorization method that works for both domains.
Now my question is, does it even make sense to use OAuth for this task? Since I won't be giving it to a third party and it's a matter of two databases. How should I approach this, and what are open-source OAuth services that allow custom databases?

What are alternatives to Universal Logout in OAuth?

OAuth does not support the concept of a 'Universal Logout'. Logging out of one application does not log you out of another, as that would not be the desired behavior.
For example, if a Facebook user were to log out of Facebook, it should not log them out of Spotify (if they were using Facebook OAuth).
I have been hired to create a service that acts as a sub-application to transparently embed itself in the workflow of an older monolithic web application. For example, there is a link to the sub-application from the monolith, and clicking that link transparently moves you into the sub application. The sub-application also links back to the monolith, which transparently leads back. The user is able to weave back and forth between the monolith and the sub-application.
The sub-application currently uses OAuth 2.0 to authenticate through the monolith. From the user's perspective, this is mostly a transparent exchange.
To the user, the two application workflows should weave together as one. Given this, the concept of a 'Universal Logout' is desirable. What appears to be a single application to the user should not have some of the pages logged out and other pages logged in.
I currently have a 'Universal Logout' implemented, but I have a feeling that since this is not a part of OAuth, maybe it means this problem should be tackled in a different way.
Given this scenario, is there an alternative to implementing 'Universal Logout' in OAuth? Should OAuth even be used? If not, what should be done? How could this be better architected?
OAuth 2.0 itself is not a protocol that logs on users to applications (http://oauth.net/articles/authentication/); some (like Facebook) have built a custom extension of OAuth 2.0 to do that; those providers would have to start supporting a custom Single Logout mechanism as well in order to address the problem you mentioned.
There is however a standardized extension of OAuth 2.0 that logs on users to applications called OpenID Connect (http://openid.net/specs/openid-connect-core-1_0.html). That has an extension called Session Management (https://openid.net/specs/openid-connect-session-1_0.html) that allows for the functionality that you describe in a standardized way.
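To make concrete why this answer separates OAuth 2.0 (authorization) from OpenID Connect (authentication), here is an added Ruby example, not code from the answer or from any library it mentions, of the checks a relying party such as the sub-application performs on an ID token before trusting it as a login. It assumes an HS256-signed token and a constructed issuer, client id and shared secret; real providers usually sign with RSA keys published at a JWKS endpoint.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed values standing in for the monolith (issuer) and the sub-application (client).
ISSUER        = 'https://monolith.example'
CLIENT_ID     = 'sub-app'
CLIENT_SECRET = 'constructed-shared-secret' # HS256 key; assumed for the example only

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison so the signature check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint an HS256 ID token; included only so the example can run offline.
def issue_id_token(claims)
  signing_input = "#{b64url({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64url(claims.to_json)}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', CLIENT_SECRET, signing_input))}"
end

# The relying party's ID token validation (OpenID Connect Core, section 3.1.3.7).
# Returns the subject identifier on success, or a symbol naming the failed check.
def verify_id_token(token, expected_nonce, now: Time.now.to_i)
  header, body, sig = token.split('.')
  return :malformed unless header && body && sig
  return :bad_alg unless JSON.parse(Base64.urlsafe_decode64(header))['alg'] == 'HS256' # never accept "none"
  expected = OpenSSL::HMAC.digest('SHA256', CLIENT_SECRET, "#{header}.#{body}")
  return :bad_signature unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  return :wrong_issuer   unless claims['iss'] == ISSUER
  return :wrong_audience unless Array(claims['aud']).include?(CLIENT_ID) # token minted for us, not another client
  return :expired        unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return :nonce_mismatch unless claims['nonce'] == expected_nonce      # ties the token to this login attempt
  claims['sub']
rescue ArgumentError, JSON::ParserError
  :malformed
end
```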

Basic Identity Provider in Ruby

I'm going to be undertaking a large project for a client of mine. I need to write an IDP (identity provider) that will handle single-sign-on to multiple apps by a number of different authentication methods (such as SAML, OAuth, Form-based auth, HTTP Basic auth). I'd also need the ability to add in additional types of authentication as the app grows.
The basic idea would be that we'd have three different components to the app. One would be the IDP. Another would be a data-store that contains user accounts, the apps they want to use, etc. The third would be a GUI front-end that allows users to sign into apps.
It seems that there are some existing gems that handle authentication, like https://github.com/onelogin/ruby-saml and https://github.com/intridea/omniauth. My question is, am I overcomplicating this project -- would I just be able to use existing gems like these to act as the IDP, or is this a project where I'd need to read specs and implement them myself in Ruby?
Using something like the SAML toolkit for Ruby on Rails, adapted to work with an ADFS server, you can integrate with ADFS. Now you can leverage ADFS features:
Interface with Facebook etc. via Azure ACS
Interface with Azure Active Directory and hence SSO to SaaS applications
Azure Active Directory Multi Factor Authentication
BYOD via the Web Applications Proxy
OAuth on ADFS 3.0
and so on. The list is expanding all the time.
Once you hook into these standards, you just inherit all the new features as they are released.

Any pointers on implementing oAuth Server on DNN?

I need to build an ecosystem of online tools (these tools are on various platforms like Moodle, Website Baker, ASP.Net, php, etc, some already built, some purchased from other vendors and some to be built), where I want a single login that the end user should have.
These tools, standalone, have their own login mechanism in place at the moment.
I am planning to build a central system on DNN where users register and this system exposes an oAuth service that other systems use to authenticate users against.
I am considering DNN (DotNetNuke) platform for the following reasons:
1. I am an ASP.Net developer and familiar to some extent with DNN (Not a whole lot, but enough to know that it has the concept of providers and modules that I can customize as per my needs).
2. I will need a shopping cart and a registration system which I am hoping to get some ready-made third party solution.
WHAT I NEED INPUTS ON:
Is there some DNN component out there already that exposes OAuth authentication from a DNN site? I am looking to implement something similar to what Google has implemented for its OAuth interface.
If I understand you correctly, what you are trying to build is called 3-legged authentication with OAuth, where you want DotNetNuke to be the provider. In order to do that in DotNetNuke, you need to provide a UI where consumers can register and get an AppId and consumerKey. Once that is done, the consumer will send the user to DotNetNuke for login. DotNetNuke will validate the user and return the appropriate information to the consumer.
Here are some things that can help you:
DotNetOAuth library
OAuth website
http://code.google.com/p/extremeswankoauth/wiki/Server_Examples
http://www.cleancode.co.nz/blog/523/oauth-dot-net
Example oAuth implementation in java
Let me know if you need more help.
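As an added illustration of the three-legged flow this answer describes, and not code from DNN or from any of the libraries linked above, here is a Ruby model of the provider's three steps: consumer registration (AppId and consumerKey), code issuance after the user logs in, and the back-channel exchange of that code. Client ids, secrets and redirect values are generated or constructed for the example; a real DNN module would persist the same records in its database.

```ruby
require 'securerandom'
require 'openssl'
class AuthorizationServer
  CODE_TTL = 60 # seconds; authorization codes are short-lived and single-use
  # Secrets are stored and compared as digests, as with any password.
  DIGEST = ->(secret) { OpenSSL::Digest.new('SHA256').hexdigest(secret) }
  def initialize(clock: -> { Time.now.to_i })
    @clock   = clock
    @clients = {} # client_id => { secret_hash:, redirect_uris: }
    @codes   = {} # code => { client_id:, redirect_uri:, user:, expires: }
    @tokens  = {} # access_token => { client_id:, user: }
  end

  # Step 1: a consumer registers and receives its AppId / consumerKey pair.
  def register_client(redirect_uris)
    client_id, secret = SecureRandom.hex(8), SecureRandom.hex(16)
    @clients[client_id] = { secret_hash: DIGEST.call(secret), redirect_uris: redirect_uris }
    [client_id, secret]
  end

  # Step 2: once the provider has logged the user in, it issues a code to send back to
  # the consumer. The redirect_uri must exactly match one registered in step 1.
  def authorize(client_id, redirect_uri, user)
    client = @clients[client_id]
    return :unknown_client        unless client
    return :redirect_uri_mismatch unless client[:redirect_uris].include?(redirect_uri)
    code = SecureRandom.urlsafe_base64(24)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri, user: user,
                     expires: @clock.call + CODE_TTL }
    code
  end

  # Step 3: the consumer exchanges the code over a back channel, proving its secret.
  # The code is deleted on first use, so a replayed or leaked code buys nothing.
  def exchange(code, client_id, client_secret, redirect_uri)
    grant  = @codes.delete(code)
    client = @clients[client_id]
    return :invalid_client unless client && client[:secret_hash] == DIGEST.call(client_secret)
    return :invalid_grant  unless grant && grant[:client_id] == client_id &&
                                  grant[:redirect_uri] == redirect_uri && grant[:expires] > @clock.call
    token = SecureRandom.urlsafe_base64(32)
    @tokens[token] = { client_id: client_id, user: grant[:user] }
    token
  end
  # The consumer presents the token to learn which user was authenticated.
  def user_for(token)
    @tokens.dig(token, :user)
  end
end
```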
I don't know if it is the best way to accomplish the solution but it was what I did.
There's a code sample of DotNetOpenAuth here which uses OAuth to authenticate users. Probably you will see that there are more examples, and even newer ones, but pay attention: if you are using the latest version of DNN (7.x), it works using .NET Framework 4 and the newer samples use 4.5. So, take a look at the first example! The ASP.NET handler called OAuth.ashx is your OAuth service provider.
Then, I built a DNN module based on the sample to make DNN work as an OAuth service.
I followed this guide to build the module. There are some videos which show the basics of module development.

Single Sign On-- SSO

Please, I would like someone to tell me if DotNetOpenAuth supports single sign-on.
All I want to achieve is to be able to seamlessly log in to all domains without redirecting to a third-party system for authorisation or authentication, within a mixture of programming platforms, e.g. PHP or .NET.
DotNetOpenAuth is a simple library to implement Single Sign On for .NET based applications. The only issue I faced was related to performance. It was found to be a known issue with a particular API that caused the sluggishness.
DotNetOpenAuth can be used for SSO solutions, but each new web site a user visits does need to perform a redirect to the identity provider. In a controlled SSO environment, that provider may never appear to the user, so the login is totally transparent. There are a couple of samples of an SSO configuration that comes with the DotNetOpenAuth download.
DotNetOpenAuth will help you do what you want to do provided you can support OpenID from PHP. You need to implement a provider (the site that authenticates you against a DB or other store), and a consumer (the site you want to log into).
My recommendation would be to consider the authentication protocol you wish to use rather than a specific library at first. In the case of DotNetOpenAuth it has support for:
OpenID
OAuth
InfoCard
These are just a few of the protocols available. You should also look into the SAML family of protocols, in particular SAML 2.0.
There are implementations of SAML for PHP, .NET, and many other platforms. You might want to look at a comparison between OpenID and SAML in order to choose which is better for you.