I know Keycloak primarily authenticates and authorizes users. But I also have a 3rd party API in my app. Can Keycloak help me with that?
I am using AWS Cognito User Pools to sign up users. However, my client applications are Okta based. Once the users have signed up and confirmed their email address on Cognito, I would like to be able to log in with their credentials directly in the Okta apps, so that would require creating a user/password also on the Okta app. But that would require some development to take the Cognito credentials and create the Okta user with these credentials.
How can I integrate it directly, so once the user has confirmed the email, they can automatically log into the Okta app? Also, if I invalidate a user on Cognito, they should no longer have access to Okta apps.
It's not possible. You would need to do it all by hand: creating/modifying users in Okta after you do the same in Cognito.
All Okta - Cognito integrations assume that you have your applications integrated with Cognito, which is integrated with Okta. Okta is your identity store and all creations/modifications are done there. Cognito only trusts information from Okta and allows users to sign in to applications integrated with it.
Let's imagine we have some website which has 5 different login types:
Google
Facebook
Github
Twitter
Basic Email + Password
The website is an SPA with JWT authentication. But how do you process the tokens from different OAuth providers to authorize YOUR app backend? Do you convert them to your app's JWT? Or do you create your backend JWT and send both your and Google's JWTs at the same time? What is the typical design for this kind of stuff?
Your app should have one authority. But this authority is configured to "trust" other identity providers. This is known as federation. See the explanation from IdentityServer, and another from Auth0.
I need to enable SSO between my customer's website and my API.
The customer's website doesn't use Auth0 but allows users to log in using a few different social providers like Microsoft and Google.
My API is secured using Auth0 and also supports Microsoft and Google authentication via Auth0. If my customer sends the JWT token received when the user authenticated with Google with their request to my API, will Auth0 authenticate the user even though my customer doesn't use Auth0?
Google/Microsoft auth is OAuth. OAuth is an explicit grant between the user and one particular application. It cannot and won't be shared with your app. The user would need to do a separate OAuth flow with your application to grant it access. There is no way around that.
However, given that this is an API, the more likely scenario is that the user shouldn't auth with your app at all, but rather, it should be the customer's application that auths and then works on behalf of the user. As such, you'd just set up the customer's application as a client and give them client credentials to use. Then, the user auths with the customer's website, the customer's website auths with your API via its client credentials, and then the user in effect works with your API via the customer's application as a go-between.
No. If your API application is protected by Auth0 and uses external providers, then after authentication at the external provider and the redirect back to Auth0, Auth0 will validate the token issued by the external provider, decode the token, read the claims, issue Auth0's own token and implement session management. So your API application only accepts tokens issued by Auth0 and validates tokens using Auth0's key pairs; it won't accept other providers' tokens.
You can make your client application and API application both secured by one identity provider (Auth0/Google/Microsoft).
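The pattern both answers describe, a single authority that federates trusted identity providers and an API that accepts only that authority's tokens, as an added example; this is not code from any of the posters, nor from Auth0 or IdentityServer. Issuer names and keys are constructed, and it uses HS256 demo secrets as an assumption to stay self-contained, whereas real IdPs sign with RS256 and publish keys via JWKS.

```python
import base64, hmac, hashlib, json, time

# Constructed: per-issuer verification keys and expected audiences the backend trusts.
# Real IdPs publish RS256 keys via JWKS; HS256 demo secrets keep this example offline.
TRUSTED_ISSUERS = {
    "https://accounts.google.example": {"key": b"google-demo-key", "aud": "my-google-client-id"},
    "https://login.microsoft.example": {"key": b"ms-demo-key", "aud": "my-ms-client-id"},
}
APP_ISSUER, APP_AUDIENCE = "https://api.myapp.example", "my-backend"
APP_KEY = b"app-signing-key"  # constructed; real keys never live in source

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Pin alg and signature, then the claims a resource server must check: iss, aud, exp."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("expired")
    return claims

def federate(external_token: str, now=None) -> str:
    """Accept an ID token from a trusted IdP and mint the app's own token (the one authority)."""
    iss = json.loads(_b64url_decode(external_token.split(".")[1])).get("iss")
    idp = TRUSTED_ISSUERS.get(iss)  # iss is untrusted until the signature check below passes
    if idp is None:
        raise ValueError("unknown issuer")
    ext = verify_jwt(external_token, idp["key"], iss, idp["aud"], now)
    now = int(now or time.time())
    return sign_jwt({"iss": APP_ISSUER, "aud": APP_AUDIENCE, "sub": f"{iss}|{ext['sub']}",
                     "iat": now, "exp": now + 3600}, APP_KEY)

def api_accepts(token: str, now=None) -> dict:
    """The API trusts only APP_ISSUER tokens; an IdP's own token fails the key and iss checks."""
    return verify_jwt(token, APP_KEY, APP_ISSUER, APP_AUDIENCE, now)
```

The subject of the minted token is namespaced by issuer so that the same `sub` value from two providers never collides into one account.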
I am curious about how Google's authentication works. Does it use OAuth 2.0 for authorization? Or SAML for authentication? I tried intercepting the requests and responses, but I cannot determine how their authentication/authorization flow works.
Thanks in advance!
Signing in with a Google Account is based on OpenID Connect (OIDC). Google produces wrappers (libraries, etc.) that do a lot of useful things on top of the plain protocol. From Google's OIDC page:
If you want to provide a "Sign-in with Google" button for your website or app, we recommend using Google Sign-In, our sign-in client library that is built on the OpenID Connect protocol and provides OpenID Connect formatted ID Tokens.
G Suite also supports SAML for SSO to 3rd party apps. (You still authenticate with your Google Account.)
We are using WSO2 Identity Server for our product. As far as our applications are concerned, we're authenticating the users with the IS. We now want to integrate with a third party product, and we suggested that they also use WSO2 IS for their identity service [auth/auth].
When I send a request to the third party application, their application should authenticate our application's request and accept the request. Can they add our identity provider as their trusted authentication provider, and would that help the user request get authenticated against our identity source?
Is this possible? If so, please point me to sample where it is done!
Yes. It can be done in different ways. As an example, if your 3rd party application is Liferay, you can use WSO2IS as an OpenID provider, because Liferay allows logging in to its portal using OpenID. Else, if your 3rd party application supports SAML2 SSO, WSO2IS can be used as the SAML2 SSO provider. If the 3rd party app is an IIS hosted application, you can use Passive-STS.
Also, if the 3rd party application does not support any common standard, there may be extension points that can be used to extend its authentication mechanism. In that case, you can write an extension to the 3rd party application to call the WSO2IS API, because all APIs are web service APIs.
You can find more details on integration here:
[1] OpenID: http://www.soasecurity.org/2010/08/sign-up-with-openid-providered-by.html
[2] SAML2 SSO: http://tanyamadurapperuma.blogspot.com/2013/09/configure-wso2-identity-server-saml2.html