I have implemented Google openid authentication for my web application (ruby on rails) , now once authenticated how am i suppose to get the status of that particular user ? like if the user which has been authenticated is a domain admin or not ? i have googled it a bit and came up with Google provisioning ApI and ClientLogin authentication process.... but in case of Clientlogin authentication one has to provide username#domain.com plus the password in the function...
In all i want to know, is their a way to know that a person authenticated by Openid is a domain owner or not ??
According to the open-id specs these are the attributes you can retrieve from your open-id provider (Ex: Google).
http://www.axschema.org/types/
Related
We are using auth0 as our B2B user management tool in a multitenancy SaaS application,
for each tenant we have an organization on auth0 and a specific connection(of type auth0)
and we create each user for a specific organization on the organization connection.
right now we are using OAuth, getting our customers organization name from the subdomain of the request (lets say stackoverflow is the organization and the host is company.com -> path would be stackoverflow.company.com)
we are using an authentication service that takes the subdomain, convert it to org_id with auth0 API and redirects to our auth0 /authorize endpoint. Aftherwards we retrieve the access token and if its valid, we "confirm" that the session is okey and keep on working with this session. the access token becomes irrelevant at this point.
Our backend is spring-security based application.
we tried to use the SAML authentication because working with access token on a session-based backend seems a bit wierd but we noticed we cant use org_id there and we must use the “prompt organization” screen of auth0, which is bad for us because we dont want our customers to enter their customer name in a different screen.
so few questions on this topic:
should we do it using SAML?
is there any way to send org_id to auth0 with the SAMLRequest so we wont have to ask our customers to enter their organization name?
are we doing this the right way?
How can I generate client id and client secret for user based authorization.
I am reading this link to authorize an user. But I have no idea on generating these keys and want to authorize many users based on these keys in ruby. Any starting guidance is appreciated. Thanks
OAuth is generally used to authenticate users for your site by having them log into an external service (i.e. Facebook or Google). The OAuth keys are generally generated by the outside service. Rails has some solid user authentication gems such as Devise that include protocols for common OAuth providers.
You would get it from the Oauth provider you are using. For Google for instance you would create a new project on console.cloud.google.com or use and existing project from there. Then you would go to api's and services. Then you would set up credentials and your Oauth consent screen.
I'm trying to authenticate my user on my site using StackExchange OAuth API.
Everything works fine when the user signs up for the first time. At this point, I get the "access token", which I save in my DB.
But the next time the user signs in, access token value is actually different to the previous one. Is it supposed to be like this?
If then, how do I check for existing users who already have signed up using StackExchange?
I can get the user's information by giving a specific site name (e.g. 'stackoverflow'). But what if I don't have that information and I need to check that the user has already signed in via StackExchange?
Is there a "user" information that I can get given an accessToken?
The StackExchange OAuth implementation is not meant to authenticate users to 3rd party applications but instead it is about authorizing those 3rd party applications to get access to the StackExchange API.
The access token that you get is not a token that represents a currently logged-in user, it represents the permission to access the API on behalf of the user gave it to your application. This is the classical confusion about the scope of OAuth 2.0 which is discussed in detail here: http://oauth.net/articles/authentication/.
In summary: you can't use OAuth or the StackExchange access token to authenticate users.
StackExchange does support the OpenID protocol to facilitate the purpose that you are looking for, see https://openid.stackexchange.com/. The downside of that is that OpenID is a deprecated protocol, superseded by OpenID Connect. OpenID Connect is an authentication protocol that is actually built on top of OAuth 2.0, but is not yet supported by StackExchange.
I'm trying to wrap my head around OpenID and OAuth.
From what I understand, OpenID only says that you are a user of the OpenID provider.
So if I log into a site using an OpenID, all it will return is "yes, this person is a user of X site."
If I want to retrieve a users email address, I would need an authorization as well, which is where OAuth comes in.
All that being said, does this imply that if an OpenID username is an email address, there is no way to retrieve that information without OAuth as well?
Here's a good post about OpenID vs OAuth.
From what I understand, OpenID only says that you are a user of the
OpenID provider. So if I log into a site using an OpenID, all it will
return is "yes, this person is a user of X site."
It depends on who you're using as an OpenID provider and whether they support Attribute Exchange - which allow a relay party to ask for additional attributes about a user (e.g. their email). Here's a SO question asking about Google/Yahoo supported Attribute Exchange values.
All that being said, does this imply that if an OpenID username is an
email address, there is no way to retrieve that information without
OAuth as well?
Again, it depends on who you're using OpenID/Oauth (and possibly which version of each protocol too). OpenID providers don't necessarily have to use emails as usernames, and it's possible for a provider to provide both email in their OpenID and OAuth implmentations. For example Google allows retrieval of email address via OAuth2 in addition to providing email in it's OpenID Attribute Exchange.
I'd like to allow my users to login to my website using my login system, or FB Connect or Google Login. I wouldn't want to use big libraries (like dotnetOpenAuth) for only those 2 options - So how should I accomplish this?
Additional question - how should I bind the FB/Google user to my inner user system? I'd like to allow to login using both of them (I could for example login using FB and then login with Google, and still be bound to the same user).
I'm using ASP.NET MVC 2
Thanks!
If you don't like to use big libraries like DotnetOpenAuth you will have to manually implement the OpenID protocol. Here are the specifications you will need to conform to.
This being said, I would recommend you using an existing library. DotnetOpenAuth is the reference library for .NET.
Also a small remark: OpenId and OAuth are different standards and are designed to achieve different things: OpenId is for authentication while OAuth is for authorization.
As far as identifying the same user which could log from different OpenID providers is concerned you will need something to identify them. For example with DotnetOpenAuth when creating an authentication request to the OpenID provider you could require the FullName and the Email:
using (var openid = new OpenIdRelyingParty())
{
var request = openid.CreateRequest(Identifier.Parse(openid_identifier));
request.AddExtension(new ClaimsRequest
{
BirthDate = DemandLevel.NoRequest,
Email = DemandLevel.Require,
FullName = DemandLevel.Require
});
}
and use this information to identify the user within your internal database.
So here's the idea:
You create an internal database table which will contain your site users. At the beginning this table is empty.
A user comes to your site and wishes to use it. He is not yet authenticated so you ask him for his credentials. You provide him the ability to choose his OpenId provider and prepare an authentication request and redirect him to his provider for authentication.
The user authenticates with his provider and is redirected back to your site. At this moment you know his claimed identity and you add the user to your users table. Now the user can always come back to your site and login.
You could provide the possibility to your authenticated users to add another OpenId provider (just like StackOverflow does). The important idea is that the user needs to already be authenticated to your site in order to do this. So he could enter his alternative OpenId provider and get redirected to this provider for authentication. Once he authenticates he is redirected back to your site and because he was already authenticated to your site you could add to the users table his alternative OpenId provider.
The controller action which will handle the redirect from the OpenId provider should check whether the user is already authenticated to your site and if not authenticate him using FormsAuthentication.GetAuthCookie and passing the claimed identity. If the claimed identity doesn't exist in your internal users table you need to add it. If the user is already authenticated to your site it means that he is adding an alternative OpenId provider to his profile, so you would update your users table and add the new provider to it.