Please I would like someone to tell me if dotNetOpenAuth single-sign-on.
All I want to achieve is to be able to seamlessly logging to all domains without redirect to third party system for authorisation or Authentication within a mixture programming platforms e.g (PHP or .Net)
DotNetOpenAuth library is a simple library to implement Single Sign On for .NET based application. The only issue I faced was related to performance. It was found to be a known issue with a particular API that cause the sluggishnes.
DotNetOpenAuth can be used for SSO solutions, but each new web site a user visits does need to perform a redirect to the identity provider. In a controlled SSO environment, that provider may never appear to the user, so the login is totally transparent. There are a couple of samples of an SSO configuration that comes with the DotNetOpenAuth download.
DotNetOpenAuth will help you do what you want to do provided you can support OpenID from PHP. You need to implement a provider (the site that authenticates you against a DB or other store), and a consumer (the site you want to log into).
My recommendation would be to consider the authentication protocol you wish to use rather than a specific library at first. In the case if DotNet OpenAuth it has support for:
OpenID
OAuth
InfoCard
These are just a few of the protocols available. You should also look into the SAML family of protocols, in particular SAML 2.0.
There are implementations of SAML for PHP, .NET, and many other platforms. You might want to look at a comparison between OpenID and SAML in order to choose which is better for you.
Related
Has anyone actually used OAuth2 for SSO within Spring Security 3?
Scenario:
I need my users to be redirected to an OAuth2 URL when they try to access any URL on my site for the first time. Once they are authenticated there, it will redirect them to a URL on my site, where I need to authorize them and create a session so that they will stay authorized on my site until they log out or time out.
I have tried several configurations in Spring Security using custom pre-auth filters, custom user details services, etc., but I cannot get the flow to work properly. I've not attached any code because I've gone through so many possibilities that I'm not even sure what to post.
I'd appreciate any direction anyone can give. Thanks!
OAuth2 isn't intended as an SSO solution. It's primarily about delegating the right to access resources on your behalf to other parties (applications, for example). So if that's not something you need then perhaps you should be looking at a simpler solution.
It's possible to use OAuth2 to allow access to a resource which provides information on your identity, in which case it can be expanded for authentication use. This is how OpenID connect uses it (by adding a userinfo endpoint resource).
You might want to take a look at the UAA project within CloudFoundry which is built on Spring Security OAuth and uses OAuth2 in this way to provide authentication services and to issue access tokens to applications within the system.
This appears to be a somewhat dead question but here are some resources that may prove useful to future searches:
#EnableOAuth2Sso
#EnableOAuth2Resource
Spring Cloud oauth2 SSO sample
Spring oauth2 SSO with a whole bunch of other stuff too
Who is your Oauth2 provider? In a case of some public one like Facebook, Twitter, Google and many others you can take a look at Spring Social project. Even if you use some private provider you can add it very easy (http://blog.springsource.com/2011/03/10/extending-spring-socials-service-provider-framework/, Developing a Netflix Service Provider Implementation section).
Spring Social is designed to cover your main case with some minor difference: by default you must submit a form to start authentication process. I think this difference may be easy customized to feet your needs.
You can play with Spring Social Showcase sample to have an idea about authentication workflow.
I need to build an ecosystem of online tools (these tools are on various platforms like Moodle, Website Baker, ASP.Net, php, etc, some already built, some purchased from other vendors and some to be built), where I want a single login that the end user should have.
These tools, standalone, have their own login mechanism in place at the moment.
I am planning to build a central system on DNN where users register and this system exposes an oAuth service that other systems use to authenticate users against.
I am considering DNN (DotNetNuke) platform for the following reasons:
1. I am an ASP.Net developer and familiar to some extent with DNN (Not a whole lot, but enough to know that it has the concept of providers and modules that I can customize as per my needs).
2. I will need a shopping cart and a registration system which I am hoping to get some ready-made third party solution.
WHAT I NEED INPUTS ON:
Is there some DNN component out there already that exposes oAuth authentication from a DNN site? I am looking to implement something similar to what Google has implemented for it's oAuth interface.
If I understand you correctly, you are trying to build is called 3 legged authentication with oauth where you want dotnetnuke to be the provider. In order to do that in dotnetnuke, you need to provide a UI where consumers can register and get AppId and consumerKey. Once that is done, Consumer will send user to dotnetnuke for login. Dotnetnuke will validate the user and return appropriate information to consumer.
Here are some things that can help you:
DotNetOAuth library
OAuth website
http://code.google.com/p/extremeswankoauth/wiki/Server_Examples
http://www.cleancode.co.nz/blog/523/oauth-dot-net
Example oAuth implementation in java
Let me know if you need more help.
I don't know if it is the best way to accomplish the solution but it was what I did.
There's a code sample of DotNetOpenAuth here which uses OAuth to authenticate users. Probably you will see that there are more examples, and even newer but .. pay attention because If you are using the last version of DNN (7.x), it works using the .NET Framework 4 and the newer samples uses 4.5. So, take a look of the first example! The ASP NET Handler called OAuth.ashx is your OAuth Service provider.
Then, I built a DNN module based on the sample to make DNN work as OAuth Service.
I followed this guide to build the module. There are some videos which shows the basic of module development.
We've got an MVC website that is going to use DotNetOpenAuth for signing in users via OpenID and I've found this really helpful template and other more simple examples that will help me get started on that end. However, what I don't have fully figured out is how to provide my users with a way to create an account with us if they don't want to use OpenID.
I can see two options here, write some custom code that allows OpenID to piggy back on the standard membership provider. Or, have the end site only use OpenID via DotNetOpenAuth and build an Identity Provider for my users to sign up on. That way the site would only see OpenID users and wouldn't know a difference.
Are these my only options? I haven't been able to find anything on standing up my own Identity Provider, just the relying party templates. I think I can get by with just putting OpenID on top of the default membership provider, but that feels like I'm doing it wrong, since I should be able to just stand up an identity provider.
So, in my situation, what would be the best way to support membership via local account creation and OpenID via DotNetOpenAuth?
Setting up your own identity provider so that your site only speaks OAuth is certainly an option, but a non-trivial one. I wouldn't recommend setting up an identity provider unless you intend your customers to use it for logging into other sites.
Also keep in mind that most web sites don't use OAuth to authenticate (since it's not an authentication protocol anyway). OpenID is more popular.
The project template you linked to in your question demonstrates allowing users to log in via several OpenID Providers and includes support for linking user accounts.
As for supporting local user accounts as well, I suggest you take a look at the source code behind nerddinner.com. I would advise against using the ASP.NET Membership provider for the OpenID/OAuth accounts as the interface doesn't fit very well, but folks have made it work so you can too if you want.
I am in the process of re-writing some very outdated .NET 2.0 SOAP web services for my company. So I am rewriting them using MVC3 RESTful. This method would simplify the usage of our services for our client base (over 500 clients using our current SOAP services) who are on multiple platforms and languages.
I am looking for a BETTER method of authorization for the RESTful services, than what the previous developer used for our .NET 2.0 SOAP web services (he basically just had the client pass in a GUID as a parameter and matched it in code behind).
I have looked into oAuth and I want to use it, HOWEVER, I have been told, from my superiors, that this method is TOO complicated for the "level" of clients that connect to our services and want me to find another simpler way for them to connect but still have authorization. Most of our clients have BASIC to no knowledge of programming (either we helped them get their connection setup OR they hired some kid to do it for them). This is another reason that the superiors want a different method, because we can't have all 500+ (plus 5-10 new clients a day) asking for help on how to implement oAuth.
So, is there another way to secure the MVC3 services other than passing a preset GUID?
I have looked into using Windows Authentication on the services site, but is this really logical for 500+ clients to use?
Is there an easy and secure method of authorizing multiple users on multiple platforms to use the MVC3 RESTful services that a end-client can implement very easily?
Thanks.
If you don't want anything too complicated, have a look at Basic HTTP Authentication. If you use it over SSL then it should be safe enough and also easy enough to implement for your clients. The Twitter API actually used this up until a few months ago when they switched to OAuth.
You want to distinguish between authentication and authorization. What you are looking for is authentication and indeed as Caps suggests, the easiest way may be to use HTTP BASIC authentication along with SSL to make the password is not compromised.
You could look into other means of authentication e.g. DIGEST or more advanced using ADFS or SAML (ADFS could be compelling since you're in .NET). Have a look at OpenID Connect too - it is strongly supported by Google and has great support.
Once you are done with that, you may want to consider authorization - if you need it that is - to control what a given client can do on a given resource / item / record. For that you can use claims-based authorization as provided in the .NET framework or if you need finer-grained authorization, look into XACML.
OAuth wouldn't really solve your issue since OAuth is about delegation of authorization i.e. I let Twitter write to my Facebook account on my behalf.
HTH
What is the difference between Claims based authentication vs What is provided by OAuth.
I am looking for conceptual difference and not technical difference. When do I choose Claims over OAuth and vice versa.
Claims based authentication is proposed by Microsoft and build on top of WS-Security. But OAuth is more a open source protocol that is being proposed to allow fetching resources from different portals based on a security token.
Claims also has this concept of token (SAML encoded or X509 certificates).
I am trying to understand when do I choose Claims over OAuth and vice versa.
Thanks
Claims-based identity is a way of decoupling your application code from the specifics of identity protocols (such as SAML, Kerberos, WS-Security, etc). It is not only for web applications and is implemented as a .NET library / framework called WIF.
OAuth is a specific protocol by which one web site can obtain user consent to access their private data on another web site.
It is not really the case that you would choose one or the other, in fact they are complementary. Potentially you could use both at once, if you were building a .NET web app that performed OAuth via the WIF.