Are a user's certificates linkable if he creates a new one? - cryptography

If I as a user interact with a service provider twice, and obtain a new certificate each time, will the service provider then be able to know that I am the same person? If yes then how?? I cant seem to find anything about this....

Related

How to programmatically create keycloak user session from SPI?

I need to get access/refresh pair (or at least access) tokens from a custom REST endpoint.
So in general I need programmatically create a user session from SPI by user ID(without a user password)
Could you please suggest a better way or any examples, I'm not experienced in keycloak and I feel like missing something.
my keycloak version: 15.0.2
I think about using token_exchange and:
http://{ip}:{port}/auth/realms/{realm}/protocol/openid-connect/token
But not sure if it's will work as I expect, and if it's the best way.
If I understood correclty, you want to do user impersonation. Ie: create a token on behalf of user, without his consent.
To do that, externally to Keyckoak, you can use token exchange feature. This doc will help you: https://www.keycloak.org/docs/latest/securing_apps/#_token-exchange
Basically, the idea is that you'll give to a client permission to create tokens for any user you want.
But your question is how to do that from inside a Service Provider Interface loaded by Keycloak.
To programmatically impersonate a user, you can actually just do as the token exchange code do.
Take a look at https://github.com/keycloak/keycloak/blob/a912558d29c685ef912baa04b8cc823a70c6fd2d/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L131
You'll have to create a session for the desired user and build her token.
The crux it's here https://github.com/keycloak/keycloak/blob/a912558d29c685ef912baa04b8cc823a70c6fd2d/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L227

Website and Native app user authorization

I wish to create a functionality that is very similar to facebook or pokerstars if you have used them before. Basically the apps require the user to login and their information can be accessed from both browsers and native and web apps.
How can I go about achieving this? Please advice on what services to research on to accomplish this. To my current understanding. I would be creating the website in html and php and creating a webservice using RESTful protocols and hosting them on amazon aws servers. I can then connect to these servers in the native apps? I am not very clear on how the native apps will interact with the servers
If you know of any particular protocol or a better server hosting service please let me know.
If I'm interpreting your question correctly, you are looking for something like this:
The user starts either your browser app or your native app (perhaps a mobile app)
Since the user does not have an account yet, you present them with the appropriate dialog to create said account.
You then ask the "Identity Service" to create a profile for that user
The identity service returns a token for access
This is something we do in the mobile network industry all the time. Technically, we have TAC/ACS or HSS profile services, but in either case, it's the same thing -- a dedicated service and network process that:
Accepts connections from various clients (web, mobile, desktop...)
Has various primitives along the database CRUD (Create, Read, Update, Delete) model
Answers requests the database
If you want a pre-configured solution, you could just use any networked database with a RESTstyle connector for example (MongoDB maybe?) But you could also just through this in a process that talks to a NoSQL or SQLLite database. The end result is the same.
For commercial solutions, I might like at OpenStack as you can run your code on it and they have identity brokers you might be able to CoOpt.
Personally, I'd just have a datastore running on a cloud somewhere like Amazon's EC2 which answers RESTful requests such as:
Create a user with a given profile set, return a unique token
Delete a user given a token
Update elements of the profile for a given token
I'm leaving out the necessary things like security here, but you get the idea.
This also has the advantage that you can have a single identity service for all of your applications/application services. The specifics for a given application element are just sub-fields in the profile. This gives you, not only a common identity broker for web, desktop and mobile, but a single-sign-on for all your applications. The user signs in once and is authenticated for everything you have. Moving from site to site, now just became seamless.
Lastly, you place your identity management, backup, security token management, etc OUTSIDE of your application. If you later want to add Google Authenticator for second-factor authentication, you don't have to add it to every application you have.
I should also add that you don't want to keep the identity database on the direct internet connection point. Someone could make your life difficult and get ahold it later on. Rather, you want your identity server to have a private link to it. Then do something like this:
When the account is created, don't store passwords, store hashes -- much safer
Have your application (web or otherwise) compute a key as the login
In this case, the user might enter a username and password, but the application or website would convert it into a token. THAT is what you send across.
Next, using that token (and suitable security magic), use THAT as the owner key
Send that key to the datastore and retrieve any needed values
Encrypt them back into a blob with the token
Send the block
THe application decrypts the blob to get at values
Why do we do this?
First, if someone were to try to get at your identity database, there's nothing useful. It contains only opaque tokens for logins, and blobs of encrypted data. Go ahead -- take the database. We don't care.
Second, sniffing the transport gets an attacker nothing -- again, it's all encrypted blobs.
This means later on, when you have five applications using the broker, and someone hacks the network and steals the database, you don't care, because your users never gave out logins and passwords in the first place, and even if they did, the data itself is garbage to anyone without the user key.
Does this help?

Missing claims from AppFabricLabs

I created rules for "name" and "emailaddress" claims in appfabriclabs' ACS for Windows Live, Facebook, Google and Yahoo... however on the Relying Party side, WIF doesn't seem to see them... I see nameidentifier and identityprovider but nothing else.
is there something else I need in ACS to make this work? how can I check that the claims are actually in there?
* Update *
Apparently, only Windows Live is failing; the other providers return me the claims I configured. Also, the claim for e-mail address (for example) I configured manually since ACS didn't have it... I entered the type as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and indicated it as a passthrough... does Windows Live not provide e-mail addresses?
* Update II *
well... as per this article I can't just configure it; I'm going to have to do some other voodoo to get at it... but there must be some way to get more than the /nameidentifier/ because when I log into websites using Windows Live ID I'm shown as being logged in as "ekkis" - anyone know how this is done?
Unfortunately, unless you are developing an app inside MSFT, LiveID can only supply a nameidentitifier. This is by design. if you want to use LiveID and need an e-mail, you need to ask the user for it and then correlate nameidentifier <-> e-mail yourself.

Claims not being passed to a Relying Party in ADFS 2.0

OK, so I'm quite new to the whole world of claims aware applications. I was able to get up and running very quickly using Azure ACS but it's been a bit of a different story when trying to use ADFS 2.0 as the identity provider (I want to actually use it as a federated provider, but for the time being I'm just trying to get a sample running using it as an identity provider).
I've been looking at the guides here and have tried to follow the AD FS 2.0 Federation with a WIF Application Step-by-Step Guide guide listed there. It takes you through setting up ADFS 2.0 along with a little claims aware sample application that you can use just to view the claims that are getting sent through.
So I can get that up and running, passing through the claims defined in the guide (just the windows account name). The problem is when I try to add any more. I can go to the relying party application in the ADFS GUI and add an Issuance Transform Rule, using the Pass Through or Filter Incoming Claim rule template. However, when I run my application, unless the added claim type is Name, it won't pass the claim through to my application.
One of the ones that I wanted passed through was the email address for the user who logged in to the application. So I added a rule to pass through the email address, then updated the web.config of the sample application to uncomment this line under the claimTypeRequired section:
<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="false" />
Note that I'm setting it as non-optional. I also updated the federation metadata of the application to add in the following:
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="false" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
I then went into the ADFS GUI, went to the Relying Party Trusts and selected Update from Federation Metadata on my sample application. So it now lists the email as one of the accepted claims.
I then went into the Claims Provider Trusts and added the email claim rule into the Acceptance Transform Rules for the Active Directory provider trust (the only one listed).
When I run the app however, it's not passing through the email claim (or any others that I try). Can somebody tell me what I'm missing here?
I should also note, I ran a test to change my application to only accept the email claim rule, and not only did it not pass through the email, but it's still passing through the Windows Account Name and the Name claims, despite the fact that I don't even list them as accepted claims for my application.
If anybody could point out where I'm going drastically wrong here, it would be seriously appreciated.
After enabling logging as per the blog post before, here are the relevant entries from the log:
Event ID 1000, "Input claims of calling principal included in details":
So you can see, the information that I'm requesting is quite clearly missing. I have the logging output set to verbose but there's really nothing of any other interest. You'll see trace records for the NETWORK SERVICE user (with the same set of claims), but nothing striking. All the log entries are informational, there aren't any errors.
If you using ADFS as Identity Provider and want it to issue an email claim, then you have to use Send LDAP Attributes as Claims or a Custom Claim Rule which access AD as the attribute store and issues an email claim. Pass through is used on the incoming claims, assuming the user is already authenticated somewhere. In case of Windows Authentication Windows account name is issued from the Kerberos token and that's why you have to pass it through, but others you have to issue.
Does Active Directory issue E-Mail Address claims? I'm not sure how to check this, but if it doesn't, it's irrelevant that you're passing them through. In this case, you'll want to try a "Send LDAP Attributes as Claims" rule; based on what I see in my ADFS instance, try mapping the "E-Mail-Addresses" attribute to an "E-Mail Address" claim.
I had to do something similar to get UPN claims to come over, in circumstances similar to yours. I'm not sure whether it will matter that the LDAP attribute is potentially plural.

Can OpenID be used to authenticate access to a website client area?

Is it possible to limit the users who can sign in with open id on my site. I have clients that I want to give access to a client area on my website. I don't want anyone with a open id to be able to login just my clients. Is this possible?
One way to do this would be to create a "sign up" form to validate the user. Part of the sign up process would be to associate your OpenID. You can then leave the newly created account in a "pending" mode to be approved by an admin. (note: if you have a different way of adding the clients, you would use that method.)
Basically you would create a profile for a user the same way you would in any other application, except you would replace the UserName / Password portion with OpenID.
OpenID is made for authentification, not for authorization. I am sure, you could make it work (*), however you must keep in mind that OpenID has not been made for this sort of task.
If you want to do it, you must probably restrict the set of allowed OpenID providers to prevent a malicious provider to hand faked/bogus identity URLs to your application (consumer).
(*) how, depends on where you want to enforce the restriction (web server, web framework, etc.)