I'm trying to make a button in my app that takes the user directly to the IDP, instead of going from my app to my auth provider where the user has to pick an IDP and then goes to the IDP.
I tried supplying the link with identityProviderId and the respective IDP ID, but that didn't work at all.
So how do I get the desired flow?
This thread looks useful: https://fusionauth.io/community/forum/topic/229/how-to-open-identity-provider-directly
I would use the lookup API to get an authorization_endpoint for the relevant identity provider. Then I'd have the button point directly to the authorization_endpoint rather than the FusionAuth login page.
Is it possible to use AWS Cognito that has a custom authentication flow enabled, while also using an external identity provider like Facebook or Google? I've tried this with Facebook and the Cognito Hosted UI, but my DefineAuthChallenge trigger was not hit.
I contacted AWS Support and they pointed me to the Cognito documentation here where a note says that
The Amazon Cognito hosted sign-in web page does not support the custom authentication flow.
As an alternative, this solution was proposed:
Alternatively, if you would like to use custom authentication flow with an external identity provider, you will have to write your own custom login flow using one of Cognito's SDKs and use Facebook as a way of login.
My idea is that you can probably do this by defining a custom challenge that asks which identity provider you want to use as the first, initial challenge. If Cognito is chosen, the user needs to provide their SRP stuff or username and password, if that is enabled. If Facebook is chosen, for example, you would probably need to send an auth challenge to the client saying that you want a token or code from them, which can only be gotten if the client shows the website with the Facebook login. The challenge response to the server would then be the auth token or code gotten from Facebook, or some other answer that the server can then use to authenticate the user within Cognito, where the Facebook app is connected and registered as an external identity provider.
This is my idea of how I would go about doing this, but I haven't actually implemented it. I hope this helps someone trying to do this, though.
I am playing with JWT and ExpressJS to learn something new, and came up with the idea of making my own little JWT provider to use for all my future personal projects.
The idea is quite simple: my provider will register with the Facebook and Twitter APIs, and will use Passport to authenticate with them. I will also store users' credentials so I don't need to worry about that in my other projects (these projects will hold their own info about users, but the various data from socials/passwords etc. will be in the provider).
I coded this little workflow:
I register the app in my provider with a callback url
Put a button (e.g. 'Login with Twitter') on my project, that links directly to my provider
When I accept the Twitter conditions, Twitter's callback calls my provider, which picks the right user and redirects to my project.
I am stuck on this last point. I would love to pass my project the JWT token to use for its next requests, but how do I pass it?
I cannot set a cookie because the domains are different, obviously. Am I missing something? Did I go the wrong way?
The authentication flow you describe is similar to OAuth2. I suggest reading RFC 6749; it explains the technical details needed to implement it. You can also refer to OpenID Connect, which is an extension of OAuth2 using JWT.
Basically you need to create an access token after a successful login and return a redirection to the callback URL. The flow adapted to your context could be the following:
App redirects user to central login form
The server prompts the user for credentials: it returns an HTML form with the supported authentication methods, which can include a connection with a third-party authentication provider
After a successful authentication, the server creates an access token. It can be a JWT
The server returns a redirection to the provided callback url. It includes an authentication code
The app requests the authentication server using the previous code and gets an access token
The token can be used by the app to access a protected resource
In OAuth2, the access token is just a random string, but you can perfectly well use a JWT.
I have a website with an initial login page; on this page I'm using a claims-based identity which is authenticated when a user successfully logs in.
This all works fine. From this main site I have a number of 'sub sites' (that also require logins), and I'm looking to use the same authenticated identity to log into these (e.g. so a user does not have to enter login details every time).
Is there a way to pass the initial authenticated claims-based identity to these sites securely? If so could someone point me in the direction of any useful material on this?
EDIT
Just to clarify in response to the answers below, I am currently using Single Sign On and have this working as follows.
User logs in to https://mywebsite.com/loginsite with Single Sign On. Claims-based identity is authenticated.
What I'm wanting to do is use this same authenticated Claims to log in to the following url in the same domain:
https://mywebsite.com/website1
But whenever I try to access the Identity the authentication is false. Is there a way to achieve this?
What you mentioned is generally referred to as SSO (Single Sign On). See the Auth0 page How to Implement Single Sign On for one way to achieve this.
Single Sign On works by having a central server, which all the applications trust. When you login for the first time a cookie gets created on this central server. Then, whenever you try to access a second application, you get redirected to the central server, if you already have a cookie there, you will get redirected directly to the app with a token, without login prompts, which means you’re already logged in.
(emphasis is mine)
Disclosure: I work at Auth0.
Here's my problem:
I have an existing authentication provider (I control the source code) that uses OWIN cookies for authentication. The login process has many steps with custom screens. Now I want to integrate that provider with identityserver3.
Here are my ideas:
A: Implement a dummy view service for identityserver3 that does a meta redirect to the login page of my existing provider. The bad part is when I have to finish the login process, because the only way I see is to self-post a form to identityserver3 with the user name and password.
B: I can have identityserver3 in my provider project and render the entry login screen of my provider (there's a very hacky example in the sources for MVC), but again, like point A, in the end I have to somehow post the user name and password back to identityserver3.
C: Use the external providers in identityserver3. For that I need to automatically redirect to my provider and register a custom authentication middleware. Because our provider is a standard OWIN cookie provider I thought I could use Katana's CookieAuthenticationMiddleware, but that does not seem to work.
What is the right way to achieve what I want (integrate my cookie provider with identityserver3)?
Option D: Use the OWIN environment extension methods to tell IdSvr who your user is: https://identityserver.github.io/Documentation/docsv2/advanced/owin.html. This will still have IdSvr issue its own cookie, though. It might just make sense to drop your own cookie middleware, and let IdSvr manage the cookie.
I am using an Oracle SSO server to authenticate users of my APEX app. I wish to display the user's first name and last name in my app; I don't want to ask the users for this info. How can I get this info from the SSO server? Do I have to read cookies?
When using SSO, this information is typically passed in to your application through a custom header. You should be able to configure the SSO provider to pass the user name back to your application through the header, and the client side of your application should have an API for withdrawing it from there.
It depends how your Identity Provider (IP) is configured - in our case, the encrypted artifact passed to our application (via a cookie in our case, but could be passed in the querystring or posted to your app) contains the information about the logged in user that our IP has configured to send to us.