I have an app where we take care for the authentication, meaning - we store the usernames and their passwords.
Now, I want to add an SSO option to the app.
Obviously, for normal user, the password field on the User model is required. What is the best practice regarding users coming from SSO login? (they must be saved in my db anyway, but do not have password)
**The app is written in RoR with devise and devise-saml-authenticatable (with Azur AD as my IdP) but my question has no relation to it.
They don't have a password that you have access to... that's the point of single sign-on, the identity provider handles all of that. You tagged SAML, so I'll speak to that, but this is broadly true for other SSO systems.
You are the Service Provider (SP). They get redirected from the Service Provider (your app) to the Identity Provider (IdP), log in, and are returned to your application with a SAML Assertion. Because there is a trust relationship established between the SP and IdP, you inherently trust the assertion from the IdP (so long as the certificates, etc.), so the user doesn't need to provide you with a username. Their "credential" is the SAML assertion.
Since the password isn't needed, it doesn't need to be set. If your DB schema requires that field be non-null, alter your schema, or load it with random data when you provision their access.
Note: SAML is for authentication, not authorization.
Related
We have a third party company developing a mobile app and they want to call our API's. Our API is protected with Identity Server 4 which uses OpenID Connect and OAuth2. In order to access our API's would their app have to pop open a mobile browser so the user can log into our system? What if users already authenticated with the third party's identity provider? Seems like that would create a negative user experience to authenticate two different times while using the app.
My understanding is we would add their app as a client in Identity Server using the authorization code grant. Would we add their identity provider as an identity provider that our Identity Server can call?
Any help on this would be greatly appreciated. I've researched myself into a hole.
would their app have to pop open a mobile browser so the user can log into our system?
You are pretty much right on your assumptions that their app would have to somehow initiate oidc flow to allow the users of the mobile app to authenticate with the authority of your API (identity provider).
Seems like that would create a negative user experience to authenticate two different times while using the app.
It seems that this is what's holding you back. Firstly, that mobile app's identity provider is separate from your API's authority and it is important to understand that the "user" authenticated with the other identity provider means close to nothing to your API because the token has been issued by a different authority and it's not even a "user" from your user base.
My understanding is we would add their app as a client in Identity Server using the authorization code grant.
Yes, but check also Authorization Code grant with PKCE which adds extra security measures.
Would we add their identity provider as an identity provider that our Identity Server can call?
Yes, you will need to do that, but this is just a start of the things you would need to do to achieve what you are looking for. Because you already have Identity Server 4 in place, I assume your systems already have an established user base, therefore if you just redirect to the external identity provider, once a user authenticates there and the token is issued back - that kinda means nothing because you don't have any kind of mapping from the user of the third party system to the user of your system.
There is pretty much nothing out of the box in Identity Server 4 that will help you with this, but one way to tackle this is to implement some sort of account linking mechanism, where the users would first have to "link" their account in your system with the account in the third party system. With account linked, you would have means to issue claims related to your system.
Identity Server 4 absolutly has out of the box solutions for this. If they didn't, what would be the point calling themselve a OAuth 2.0 framework?
You do not need to initiated a oidc flow like stated. What does that even mean anyway? oidc is connection protocol, not a flow. Flows include hybrid, implicit, clientcredential, etc.
You could obtain an access token for your 3rd party app a number of ways all use the token endpoint built into identity server 4 specifically for creating access tokens The most common is using the ClientCredential flow, where you gain a bearer token by hitting the identity server 4 token endpoint passing the client_credentials grant type with the ClientId of the client they want to access, a shared secret supplied by you, and the api scope they are attempting to access.
Another option is you could create a user for this client on Identity Server 4, then gain an access token using the ResourceOwnerPassword flow by hitting the token endpoint passing the password grant type, clientId, username, and password, again along with the api scope they want to access.
For information on how to do all of the above check out his link. It will help you on your way.
http://docs.identityserver.io/en/latest/endpoints/token.html
I'm trying to authenticate users with the SAML protocol.
So far I have two applications in two different identity providers (Auth0 and OneLogin) to test. I also have my service provider.
What I'm trying to do is authenticate users without redirecting them to any Identity Provider login form.
Something like this:
The user tries to log in to my application (made in React)
My server provider receives the request made by the user and sends
the credentials (username and password) to an identity provider
using the SAML protocol.
The identity provider validates the credentials, if they are
correct, return a SAML assertion to my server provider; otherwise,
it will return an error.
Depends on the identity provider's response if the content is sent
to the user or not.
I know that it is not the intended use of SAML, but I want to know if there is a way to do it and how it will be possible.
Any help or advice will be well received, thank you.
That's not how SAML works and I'm not aware of any SAML identity providers that accept the user's name and password.
It is possible to include the user's name in the SAML authn request sent to the identity provider but there's no provision for including a password.
I think there are a number of security considerations if you were to prompt a user for their credentials for one web site (ie the identity provider) at a different web site (ie service provider).
Using SAML SSO, if the user isn't already authenticated at the identity provider, it will prompt the user to login.
A project I’m working on consists of a web API, a single page react application, and a mobile application. From each client, the user would need to supply their username and password in order to access protected parts of the web API. I’ve set up an Identity Server 4 authentication server that uses my own implementation of the IProfileService and IResourceOwnerPasswordValidator interfaces because I’m using ASP.NET Core Identity. This allows Identity Server to access the ASP.NET Core Identity UserManager, RoleManager, and SignInManagers to determine if the supplied username and password is valid.
The grant type I have been using for all of this is the “ResourceOwnerPassword” type. I haven’t totally integrated authorization into the single page app, but I can pass a user’s username and password to the identity server and a token is generated that I can add to the header of a request to my API.
I’ve done more research about Identity Server and related technologies because I’m new to all of this. It seems like it is undesirable to use the ResourceOwnerPassword grant type. From what I can tell it seems like I should be using the Implicit grant type, but I don’t fully understand how usernames and passwords fit into that flow. Does anyone have any insight into which type I should be using? Is the system I described only possible using ResourceOwnerPassword grant type?
The resource owner password grant type has this written about it on the IdentityServer docs:
The resource owner password grant type allows to request tokens on
behalf of a user by sending the user’s name and password to the token
endpoint. This is so called “non-interactive” authentication and is
generally not recommended.
There might be reasons for certain legacy or first-party integration
scenarios, where this grant type is useful, but the general
recommendation is to use an interactive flow like implicit or hybrid
for user authentication instead.
(Emphasis is mine)
All other flows involve redirects: the user clicks login on your website and is redirected to an identity server login page instead, they enter their credentials there and then are redirected back to your original webpage.
This is the same using your Google account, for example, to log in to other websites. Google wouldn't want you to enter that users name and password into your own site, because you could steal them, and this is generally why the resource owner password grant type is discouraged.
But if you are doing a first-party integration (i.e. the website is yours, and you trust yourself with the user entering their password on your website) then I don't see what the problem is.
You should have a read (and look at the examples) for the other flows/grant types. They definitely have their place and I am not dismissing them, but if you are doing a first party integration then what are doing should be fine.
In section 1.1 of RFC 6749, there are four roles: resource owner, resource server, client, and authorization server.
Does OAuth become redundant or unnecessary if the client and the resource owner are the same entity?
For example, I have a closed API and a front-facing web server. (The front-facing web server would be both the client and the resource owner.) I am trying to decide whether to switch to OAuth 2 authentication instead of using the current username/password authentication method. Is there any added security for moving to OAuth 2 if the API remains closed to third-party applications? (That is, no third-parties will ever have access to the API.)
Thanks!
In the case where the Resource Owner and Client/Resource Server roles coincide OAuth 2.0 may become less relevant from a security point of view, since one of the primary objectives of OAuth not to expose primary credentials of the user to the client becomes moot. That is also the reason why the so-called Resource Owner Password Credentials grant is considered to be a legacy/deprecated flow.
However, it may still make sense to follow the OAuth 2.0 pattern for a number of reasons:
the ability to leverage a standardized protocol through stock libraries and
frameworks without relying on custom code
the fact that in your case the Resource Server is still made strictly OAuth 2.0 compliant, dealing with Clients presenting access tokens, irrespective of what the Client/Resource Owner relationship/implementation is; this would make it easier to allow for 3rd-party client access in a future scenario
the fact that you concentrate verification of user credentials on a single path between Client and Authorization Server so each of your Resource Servers don't need to be bothered by checking user credentials individually, possibly dealing with different authentication mechanisms
and perhaps most importantly, also security-wise: once the user has authenticated through the Client using his primary credentials, the Authorization Server can issue a refresh token as well as an access token; the Client can store and use the refresh token to a new access token when the old one expires; this frees the Client from storing the primary user credentials if it wants to keep accessing the API for a long period of time without requiring explicit user interaction and authentication and makes the resulting system less vulnerable for leakage/loss of user credentials since the user credentials (password) are not stored in the Clients
If you have the following issue then you should use OAuth;
Let's say you a Gmail like web mail provider. Some of your users are using a third party app which logs in into your user's account and auto replies certain emails for you. Or you are Facebook like social network web site where some of your users use a third party app which analyzes your friend networks and prints a 2D graph for you. In this case your users are giving away their usernames and passwords. How would they prevent a certain third party app accessing their account after they gave away their username and password? Simply by changing their password. Now you have another problem; other third party apps won't be able to access the user's account. Then the user have to re-give away his password to other apps he trusts. Now this is problem too because it is not user friendly. OAuth is simply a temporary password that your user gives away to a third party app developer. He can revoke it whenever he wants without changing his own password.
Other than that OAuth is unnecessary. Just use a session cookie if you are not going to have third party app developers. It is a random string stored in user side. And on the server side will have whatever you want. Just look how PHP sessions are used and stored on server side. You can define their lifespan and refresh time automatically from php.ini.
We are in a complex authentication environment and need to support authenticating against a number of disparate sources in applications we are developing. Since we don't want to be duplicating authentication code all over the place, we are looking at wrapping the various authentication sources with a single OpenID provider, and then having the applications all depend on that service.
The sources we have to allow authenticating against are things like Active Directory Username/Password, Kerberos, generic LDAP, external OpenID providers, etc.
For example, in the Kerberos case, when the user hits the OpenID provider's authentication page, if (s)he can be authenticated with Kerberos, and has already given permission to the requesting app, the user would be transparently authenticated as if a password was entered and passed back to the requesting app.
So, the question is, can we have create an OpenID provider that handles authenticating through all of these various methods? Does the provider have to implement how it authenticates the users in a specific way?
OpenID 2.0 specification do not specify how to authenticate users at the OpenID Provider there for it is vendor specific. So my answer is Yes, you can have an OpenID Provider that handles authentication through all those methods but you have to figure out how to, for example how to present the Kerberos tickets to the OpenID Provider is up to you to decide.