OAuth2 without forwarding to an external site - react-native

I am currently working on a React-Native project with my own backend
I have to use OAuth2, but I want to have the user enter their name and password and not forward them to Facebook / Google, for example
Any help?

The only grant types that allow acquiring tokens without redirects are the client_credentials and the password (resource owner password grant). Both of them are only feasible if you are running your own Identity Server (like Keycloak).
For identity federation with external systems, you will always need a flow that redirects the end user (at the very least in an iframe). The user authenticates against Google, not against your system. Google then issues a Token, and your application can verify the token was issued by Google. A system without a redirect would be equal to each and every user giving you their Google password.
This is the kind of thing that OAuth2 was designed to prevent, and so it is not possible.

Related

Is it possible to authenticate a user using google identity without provider's sign in page

Background
I have a web application "APP1" (front-end: Vue.js & Back end:Azure function) deployed in azure app service. I have implemented client directed sign in (easy auth using this), after that I can authenticate user using provider's sign in page [both AAD & google].
Target
I have another web application "APP2" deployed in on-primes server. I want to redirect to APP1 from "APP2" and automatically sign in without provider's sign in page. I will read credentials from environment variable.
Tried solutions
I have found a similar issue here, however I am unable to use the solution because the DB between AAP1 and AAP2 can't be shared
I have also checked the google identity providers documentation, however I am unable to find how to programmatically sign in without provider's sign in page
Question
Is it possible to programmatically sign in to google identity to get token without provider's sign in page
The whole point of google identity is to prove the identity of the person behind the machine.
OpenID Connect is an open standard that companies use to authenticate (signin) users. IdPs use this so that users can sign in to the IdP, and then access other websites and apps without having to log in or share their sign-in information. (id_token)
OAuth 2.0. This standard provides secure delegated access. This means an application created by a developer, can take actions or access resources from a server on behalf of the user, without them having to share their credentials (login and password). It does this by allowing the identity provider (IdP) to issue tokens to third-party applications with the user’s approval. (access_token, refresh_token)

Separate authentication and authorization servers for SPA app

I have
UI (a single page app)
an external authentication server
my own authorization server
resource server (my own backend APIs)
Here's what I am trying to do
UI/User gets an AuthN token from the external authentication server.
UI sends the AuthN token to get the an AuthZ token from my own authorization server
UI uses the AuthZ token to retrieve data from the resource server
But the problem is I don't know if the user is still authenticated anymore because I stopped using the AuthN token from step 3. Should I use both tokens together? or somehow consolidate the 2 tokens into one? Hope to get some ideas from here. Thanks!!
COMPONENTS
This is the standard way of managing components:
UI makes an OpenID Connect redirect to the Authorization Server (AS)
AS makes a second OpenID Connect redirect to the authentication system. There could be more than one of these, eg Google, Facebook.
After user sign in the AS issues the same tokens for your UI and resource server, regardless of how the user signs in. The UI sends access tokens to the resource server which can authorize based on scopes and claims received.
Unless you have special reasons, do not use foreign tokens from authentication systems in your own applications. This is because you are not in a position to control their contents.
OPENID CONNECT RE-AUTHENTICATION MECHANISMS
The OpenID Connect prompt and max-age parameters can be used to control how frequently the user is prompted to re-authenticate, and the auth_time claim can be issued in ID tokens to inform the UI of the last authentication time.
For example your app could use access tokens that last 15 minutes. Whenever they expire you could send a request with a prompt-none parameter to see if the user is still authenticated. If not then you will receive a login_required response and you could then redirect the user to re-authenticate.
SINGLE LOGOUT
Knowing if the user is still authenticated suggests you need to know if they signed out in another app. OpenID Connect has four Single Logout Mechanisms that you should be aware of, and which may possibly work for your scenario.
This is a technical area that has never worked perfectly in any Single Sign On technology though. This may be because you do not control all apps, or because of technical limitations, eg Google may not inform the Authorization Server if the user signs out of Gmail.
SUMMARY
Your apps should only use the authorization server tokens. Use OIDC request parameters to control when the user must re-authenticate.

Firebase access token using getAuth()

I am wondering if firebase function getAuth() somehow checks if the the website link to which the token was initially issued is the one that is requesting for the authorization status.
I am concerned that if a malicious website somehow had access to my Firebase.io link, and runs a simple getAuth() in the same browser as my Firebase based backend website, it will be able to access the Firebase token issued to the user of my website.
Any thoughts on it would be greatly appreciated.
Note: I work at Firebase
Firebase Authentication sessions are stored using LocalStorage accessible only to your domain. This means that the sessions are not accessible from domains outside of your control.
If you're using OAuth (Google, Facebook, Twitter, or GitHub login), then authentication is further restricted to your domain via our OAuth configuration in your Firebase dashboard, where you must explicitly authorize domains for access.
Users of email / password authentication can authenticate from any source, provided that the user has access to the password. In short, we ensure that the sessions stored for your domain are not accessible elsewhere. Our top priorities for this product are data security and making that security available to you (as the developer) easily and as the default.
If you have additional concerns that are sensitive for any reason, don't hesitate to reach out to me rob at firebase.com.

OAuth2 but require Multi-Factor Authentication (MFA)

I have an app with confidential PII (social security number, payroll information). I'd like to enable users to login with OAuth IDs (Google, Linked In) for convenience but require those accounts have multi-factor authentication enabled in the identity provider, i.e. fail the login through OAuth2 if the user hasn't enabled MFA in their underlying identity provider account. This allows me to avoid exposing my confidential information to a weak GMail password.
Is there any way to do this?
Unfortunately, no.
In the case of Google and Linkedin, the authentication level is not linked to a specific scope. The Oauth response doesn't specify either if the user used an OTP token or not..
Even if the user is enrolled in MFA, the user can register the computer he's using as a trusted one and in this case, Google will never prompt him for an OTP. This behaviour may prevent many users to access your application.
Actually, I believe you could check on your own session / token to see if it was done through Google, Twitter, Facebook, etc and then require MFA / 2FA / OTP on the first use of that token. Does that make sense?
You could run your own TOTP microservice using Browser Authenticator which has the components you need to generate and verify a key and token in the browser and Node Authenticator which has the complementary server-side code.
Just add your own storage mechanism and an https call to microservice, update the session / token, and viola, you've added two-factor / multi-factor / one-time password authentication right on top of them.

Passing authentication tokens between 2 websites?

Our company has two websites. Both websites have their own subdomains (on same domain). Both websites are using the same LDAP server for authentication.
Is there a way to authenticate users only once, and allow the (authenticated) user to access either website so that we don't have to login in to each site separately? For example, I'm logged in to siteA.domain.org, then I click on siteB.domain.org -- in this case I wouldn't be prompted to login to siteB.domain.org because I'm already authenticated to siteA.domain.org.
You probably need to add some info to your question regarding how you're doing your authentication. OAuth is an authorisation protocol, with a side-effect of authentication in some circumstances. So (for example) in Google OAuth, the user signs in to Google, not your website. Your website can test if the user is signed in to Google, and if so, obtain an access/id token to know who the user is.
So it all depends how your site is choosing to handle "login"