I am trying to setup Okta MFA at both organization and app level for my AWS Application. I have successfully created the Sign On Policy for the AWS App and it is working correctly from Okta Console.
But now I want to add this feature in my Java Project, I tried searching for APIs which can be used to verify MFA at Application level, but I am not able to find any such API. Can you please provide me some details regarding application level mfa and how to do it from Java Project.
As of now I am able to Authenticate with MFA at account level. But when I try to use the same URL(https://?onetimetoken='SessionToken' ) for application level mfa, I am being redirected to the login page again.
Any idea how to implement App level MFA with Java?
These are the docs you are looking for! Basically, what you will want to do is use our Java SDK to enroll a user in a factor, then activate the factor, and finally, verify the factor when someone logs into your Java application.
Related
I want to enable two factor authentication (with Push Notification) in my JAVA based web application.
I searched and found I can use Google & Microsoft authenticator app and can enable two factor authentication, I have successfully done POC for this and it works well with random code generated in Authenticator app and on my web app server and can verify the code. https://medium.com/#ihorsokolyk/two-factor-authentication-with-java-and-google-authenticator-9d7ea15ffee6
Now I want to enable Push notification in a same way, whenever user login to my webApp,after user name & password verification, I want to send push notification to user's registered mobile number OR in user's Google/Microsoft authenticator app, with YES, NO options. user will then select YES or NO and based on that response, user should be able to login in my web app.
I searched but not find any such API of Google or Microsoft which I can use in my web App to support push notification. Appreciate your help if any one can provide links to such API docs or have any other suggestion to achieve this requirement.
Thanks
I need to check MFA status of azure user by rest API or java SDK. Does anyone know the way to check it?
Unfortunately, MFA status is not currently available in the Azure AD Graph API or the Microsoft Graph API, or any SDK. You could find the similar issue from Tony French's comment in this feedback.
So far you could only use the two methods to check MFA status of azure user:
access the Azure portal page
use PowerShell with Install-Module MSOnline
For more information, see here.
I would like to authenticate against KeyCloak using "Direct Access Grant": https://www.keycloak.org/docs/latest/server_admin/index.html#resource-owner-password-credentials-grant-direct-access-grants
I works like a charm when keycloak manages users and passwords on its own.
But, my scenario is different:
I would like keycloak to act a Broker to some external IDP. KeyCloak has identity brokering feature - but in only works in "Authorization Code flow" - redirecting user to external IDP login form.
I have mobile app and would like ot use "direct access grant" - so that app comunicates with keycloak to authenticate user - and keycloak, as a broker, authenticates this user (using openid-connect) in external IDP
How to achieve such scenario ? I know that it is not possible out of the box - but maybe somebody could advice how write an extension to keycloak do make this scenario possible ?
Whatever it is you are trying to achieve this way, it goes directly against what OAuth and OpenID Connect were designed for. The whole idea of using access tokens is to allow some relying party (such as a mobile app) to interact with a service on behalf of the user without ever getting to see the user's credentials (like a password).
Think of it like this. Let's say you have some app on your mobile phone. It can make use of certain services by Google. In order to do so it offers you to log in with Google and grant the app access. Now, would you want to do so by putting your Google email and password directly into the app? Of course not. That could give it complete control over your Google account, other apps and sites using your Google identity, possibly services that allow you to pay through your Google wallet... It would be insane to simply hand some phone app your Google login.
So instead with OAuth2 or OpenID Connect you can use the authorization code flow or implicit flow to have the user redirected to the identity provider (Google in our example) where they will complete their login process, and then the identity provider redirects back to the app or a site with an authorization code that can be exchanged for tokens or, for the implicit flow, the tokens themselves.
Now, when it's your own app and your own identity provider (like Keycloak) which are under your control it doesn't really matter. You can use a direct grant to simply have the user input their username and password into the app because you know it's not trying to steal user credentials to maliciously use your service. They're both under your control. In that case OAuth or OIDC are a bit overkill, but you could have separate clients for direct grants (your own app) and authorization code flows (third-party apps using your service). When you want to use Keycloak identity brokering, however, an external identity provider like Google or Facebook is not going to offer a direct grant and invite apps to steal their user's credentials. So you won't be able to interact with them this way.
Depending on what you're trying to achieve you may find some use in the token exchange process. If however the idea is that you want your user to log in with their external identity provider credentials, in your app, without a redirect... Don't.
This is a real use case, unfortunately Keycloak doesn't have a direct way of solving this issue. AWS's "IAM Roles for Service Account" feature works based on token exchange with direct access grant using external IDP. I found this discussion on how to workaround this lack of support in Keycloak but not sure if it solves all the usecases - https://lists.jboss.org/pipermail/keycloak-user/2017-January/009272.html
Do you stick with Direct Access Grant as a method of user authentication in your mobile app? In my opinion, you need to use Authorization Code Flow when the IDP is a third party service as it won't provide an API to authenticate users, and even with your own (first party) IDP, it'd be better to use Authorization Code Flow as stated in OAuth 2.0 Security Best Current Practice section 2.4.
To implement Authorization Code Flow in mobile apps, you will need to use in-app browser tab to show login screen provided by the IDP. Please refer to RFC 8252: OAuth 2.0 for Mobile and Native Apps for details.
I need to authenticate via azure ad in my application. I found this example code: https://github.com/Azure-Samples/active-directory-java-native-headless but my azure is configured with MFA and I get this error:
{"error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.\r\nTrace ID: 643e8491-904a-4cea-b2a6-c720dda97f00\r\nCorrelation ID: 946f5469-c2b3-4de4-8c92-ab73aabc13d3\r\nTimestamp: 2018-08-27 12:59:25Z","error":"interaction_required"}
And now I'm not sure how to provide verification code to my application. Does anyone has any example code, wiki how to use it with MFA?
This sample should help you. It uses OpenID connect with a Java application.
As for your error, in AAD, if you do an initial login in one location, and then login from another location, there are conditions on the AD that flag this as "risky activity".
So for your account there is a "moved to a new location" flag that can get set, automatically triggering the need for MFA. If you do face this, check the conditional access locations in Azure and see if you can clear the flag. (Or set up the original account with named locations in place.)
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations
I want to know if he given user is admin of google apps domain or not. getting a list of domain admins will also do.
userService.isUserAdmin() gives user admin of google app engine which I don't want.I want to check if user is admin of google Apps domain.
I found that we can use read only access to provisioning api for this,but I could not get any detailed tutorial or code.I also need the authentication for read only access using oAuth 2 only.
Read-only Provisioning API access is only available to Google Apps Marketplace applications using two-legged OAuth 1.0. If you're not developing a Marketplace App, you'll need to get the full read-write users scope.
A java example is available at:
https://developers.google.com/google-apps/provisioning/#retrieving_user_accounts