I am working on a Spring Boot application (that I inherited) with a login screen that connects to a local database to check the username and credentials; then originally it called Okta authentication to match the username and password and check credentials. My client no longer wishes to use Okta and has asked me to switch to Google OAuth2.0 for user authentication. My only question is that it seems using that service forces the user to log into the application with their Google credentials in a Google login screen. Is it possible to have the user's login credentials from the application's login screen log into their Google account on the backend to check credentials rather than have the user themselves log in twice? I know that this is a bit of a backwards approach, but due to the current infrastructure of the application (which is currently getting a face lift) this is what we need to do in the immediate.
I have been reading all of the OAuth2.0 documentation and watched a few tutorials, but cannot find anyone trying to do exactly what I am trying to do.
I am using Cognito in AWS. There are no users in the Cognito User Pool; instead it is connected to a federated IDP through OpenID Connect. The federated IDP is a Microsoft ADFS.
I have another application, which is using the Cognito OpenID Connect solution for securing a web application.
The user accesses the web application and is redirected to the IDP login page. He authenticates against the federated IDP, gets back to the website and is logged in there.
Everything is fine in this scenario.
The same web application offers a REST Api, too. With this connection I have some trouble. There is no human user who is consuming this API, but I have a service account created in ADFS.
First of all I need to get the access code:
https://demo-cognito-trg.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=1************q&redirect_uri=https://my-redirect-domain/management&state=STATE&scope=openid+profile+email
From that URL I can get the authorization code and use this to get an access_token from the oauth2/token endpoint. But when I do a GET on this resource, I get a web page where I need to authenticate myself.
What call do I need to perform so that I can use e.g. basic auth to sign in my service user?
I have multiple web applications running in different domains. Okta is the identity/auth provider for all these applications. After integrating with Okta in one of the applications (following the Java example provided in the Okta documentation), a new cookie (sid) is being created in the Okta domain (https://developer.okta.com/docs/reference/api/sessions/).
How do I use this to SSO into the other web applications? What is the best approach to allow access to the other applications without prompting for login credentials again?
Do I need to invoke the getCurrentSession API in every application and redirect to the login page only if the API response is 404 (as per the doc, getCurrentSession will retrieve the current active session based on the Okta cookie)?
Please share thoughts.
It all depends on how you integrate your apps: redirect to Okta or using the Okta widget. If you do redirect it's pretty much guaranteed to have zero issues authenticating in your second app, as your redirect for the second app will send the sid cookie back to Okta, which was set while authenticating with your first app.
With the widget things may become a bit complicated, as it depends on 3rd party cookies. The okta-auth-js GitHub repo has some examples on how you can check if a session exists with Okta when you are trying to authenticate a user. Check https://github.com/okta/okta-auth-js#third-party-cookies
I would like to authenticate against KeyCloak using "Direct Access Grant": https://www.keycloak.org/docs/latest/server_admin/index.html#resource-owner-password-credentials-grant-direct-access-grants
It works like a charm when Keycloak manages users and passwords on its own.
But my scenario is different:
I would like Keycloak to act as a broker to some external IDP. Keycloak has an identity brokering feature, but it only works in the "Authorization Code flow", redirecting the user to the external IDP login form.
I have a mobile app and would like to use "direct access grant", so that the app communicates with Keycloak to authenticate the user, and Keycloak, as a broker, authenticates this user (using openid-connect) in the external IDP.
How can I achieve such a scenario? I know that it is not possible out of the box, but maybe somebody could advise how to write an extension to Keycloak to make this scenario possible?
Whatever it is you are trying to achieve this way, it goes directly against what OAuth and OpenID Connect were designed for. The whole idea of using access tokens is to allow some relying party (such as a mobile app) to interact with a service on behalf of the user without ever getting to see the user's credentials (like a password).
Think of it like this. Let's say you have some app on your mobile phone. It can make use of certain services by Google. In order to do so it offers you to log in with Google and grant the app access. Now, would you want to do so by putting your Google email and password directly into the app? Of course not. That could give it complete control over your Google account, other apps and sites using your Google identity, possibly services that allow you to pay through your Google wallet... It would be insane to simply hand some phone app your Google login.
So instead with OAuth2 or OpenID Connect you can use the authorization code flow or implicit flow to have the user redirected to the identity provider (Google in our example) where they will complete their login process, and then the identity provider redirects back to the app or a site with an authorization code that can be exchanged for tokens or, for the implicit flow, the tokens themselves.
Now, when it's your own app and your own identity provider (like Keycloak) which are under your control it doesn't really matter. You can use a direct grant to simply have the user input their username and password into the app because you know it's not trying to steal user credentials to maliciously use your service. They're both under your control. In that case OAuth or OIDC are a bit overkill, but you could have separate clients for direct grants (your own app) and authorization code flows (third-party apps using your service). When you want to use Keycloak identity brokering, however, an external identity provider like Google or Facebook is not going to offer a direct grant and invite apps to steal their user's credentials. So you won't be able to interact with them this way.
Depending on what you're trying to achieve you may find some use in the token exchange process. If however the idea is that you want your user to log in with their external identity provider credentials, in your app, without a redirect... Don't.
This is a real use case, unfortunately Keycloak doesn't have a direct way of solving this issue. AWS's "IAM Roles for Service Account" feature works based on token exchange with direct access grant using external IDP. I found this discussion on how to workaround this lack of support in Keycloak but not sure if it solves all the usecases - https://lists.jboss.org/pipermail/keycloak-user/2017-January/009272.html
Do you stick with Direct Access Grant as a method of user authentication in your mobile app? In my opinion, you need to use Authorization Code Flow when the IDP is a third party service as it won't provide an API to authenticate users, and even with your own (first party) IDP, it'd be better to use Authorization Code Flow as stated in OAuth 2.0 Security Best Current Practice section 2.4.
To implement Authorization Code Flow in mobile apps, you will need to use an in-app browser tab to show the login screen provided by the IDP. Please refer to RFC 8252: OAuth 2.0 for Mobile and Native Apps for details.
I have created an SSO application in App Engine for G Suite. Normally it is working fine, but when users are trying to log in between the time 5:30am - 6:30am IST (UTC 00:00 hours - 01:00 hours), they are getting the following issue:
"This service cannot be accessed because your login credentials are not yet valid. Please log in and try again."
As per Google's solution it is asking to 'Check the clock on your Identity Provider's server'. The IDP here is Google App Engine. Can anyone please help me out with the solution?
so, the app you're making is an Identity Provider itself and not an app that just uses SSO / SAML to authenticate into the app? i.e. you're making a OneLogin / Okta / etc replacement within App Engine?
I'm developing a web application that has a REST API. At the moment the APIs are protected on the server side through Spring Security with a form-login authentication. Recently I also added Spring Social to allow access with Facebook and Twitter, and all this works. So a user has to be registered to access some endpoints.
Now I have to build a mobile application that has to access the REST API and I was wondering what strategy I should use.
I saw that Facebook has an Android/iOS SDK to allow the authentication on the mobile side. So once the user is authenticated on the mobile I should do the request to my server, so how should I authenticate the user on the server side to access the resources?
If you think that is not a good solution can you give me an advice how I should solve this problem?
Two options:
Your mobile app can login to your API the same way your other client code does, via form-login or spring social. Simply send the same session ID cookie with your API calls after login.
You can allow your app to accept a username and password as HTTP headers via HTTP-Basic, to save yourself the initial login step. This might be more useful if you don't need to make a lot of API calls per session.