IdentityServer 3 and navigating between multiple web applications on same/different domains - authentication

Question
I am pretty sure my question is not directly related to IdentityServer’s features, but I hope you, guys, can give me an advice to help with next issue. In our environment, we have several web applications running on different domains/machines, which are using IdentityServer as an authentication authority. Everything is working just fine in terms of authentication and authorization and with SSO users can get access to all apps.
This is a problem:
User navigates for the first time on, let’s say, WebApp1 (http://domain1/WebApp1) which requires authentication – user automatically redirected to IdSrv login. Users enters credentials and then redirects back to WebApp1. Everything is working fine, base “.AspNet.Cookies” –cookie is created and user can navigate within WebApp1 resources without concerns. After wile users navigates to WebApp2 on the same domain (http://domain1/WebApp2). During navigation app makes roundtrip to IdSrv making sure that user is authenticated and returns to WebApp2 (no new login required) – this is ok. But then, if user wants to go back to WebApp1, the new roundtrip to IdSrv is occurred and that is what I want to avoid! And this happends each time user switches between apps.
Is there any way to prevent those IdSrv roundtrips on every navigation between multiple WebApplication on same/different domains? One workaround I found is to use different names for ASP.NET cookies for each applications, but this makes identity sign-out way more complicated.
Also got advice from #brockallen to use diffent cookie name for each separate webapp, but what about single sign out? Once logging out on WebApp1, WebApp2 still remains logged in until new roundtrip to IdScrv will ooccur or cookie exp

Related

How to force login per client with keycloak (¿best practice?)

We are currently implementing keycloak and we are facing an issue that we are not sure what’s the best way to solve it.
We have different webapps making use of the sso and that’s working fine. The problem we have is when we make log in using the sso in one webapp and then we do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it’s not necessary to be logged in to make use of it). When clicking on “login”, it automatically logs in the user (by making a redirection to keycloak and automatically logging the already logged user in the other webapp). This second logging happens “transparently” to the user, since the redirection to keycloak is very fast and it’s not noticeable. This behaviour is not very user friendly.
The question is: Taking into account that this second webapp can’t know upfront which user is accessing the site (unless actively redirecting to keycloak), is it possible to force always the users to log in for a specific keycloak client? By this I mean actually ask the visitor for user/pw even if keycloak knows already them from other keycloak clients.
Thanks in advance!
In the mail listing from keycloak, they gave me a good solution but for version 4:
in admin console, go to Authentication
make a copy of Browser flow
in this new flow, disable or delete Cookie
go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save."
Use logout endpoint as a default login button action in your app and redirect uri param use for login page, where you use your specific client (of course you need proper URI encoding):
https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/auth?client_id=client_id&redirect_uri=.....&other_params....
=> user will be logged out and then it will be redirected to the login page

Association of OAuth between providers

I was looking at Khan Academy and I'm wondering how their authentication works (probably many other websites have it the same).
When you login with facebook account that has email "aaa#gmail.com", you completely logout, open another anonymous window, and login with google account that has the same "aaa#gmail.com" email, you log into the previously created account.
My questions are :
Do they make association to account based on email your social account has ?
I'm sure their solution is secure, but is this common and normally doable so there won't be any possible exploitations ?
I'm using a system of Oauth2 to grant access to my app, dvouch
First you have a registered user in your website, with an unique email.
So what basically happens is:
User visits your website (website doesn't know who the user is)
User clicks to login through one of the Oauth2 providers
Your website proceeds to start a "OAuth2" handshake, it redirects the user to the provider oauth endpoint, along with some information, like what scopes you're asking for (email, personal info, public info, etc), the url to send back the user after the authentication is done, your application tokens (that are registered in the providers app dashboard), and so on.
Let's say the provider you chose was facebook. Facebook receives your request for an OAuth2 authentication. It also receives the scopes you're asking for, which url you want the user to go to after being authenticated, and your application credentials
It checks that the credentials you're sending are valid, that the callback url you're asking the user to be sent after also matches what they have registered for your app (so that someone can't simply steal your app credentials and have users redirected somewhere else) and if everything is fine and dandy, it will then present the login window to the user. This login is happening on the provider's page. Not on your website.
The user logs in (inside facebook or google not your website). The provider sends them back to the call back url you specified in the beginning of the handshake.
You (your website) receives the user back with a bunch of information, such as the email of the user who just completed the Oauth2 flow.
At this point you use the email that came in the callback and identify the user through the email. Since all emails are unique, and since your user had to be registered with that email on the provider, you are safe to assume he's the owner of the email.
(technically things might happen a bit differently)
It's basically very secure as long as the website has the regular security measures. Of course if someone has access to your Facebook(wtv) account or email they can login as if they were you, but that would happen either way they offered Oauth or not.
Then as long as you verify you're logging in the correct provider's website (like facebook's or google and not something else) you'll be fine since no one else will be able to see your login. Since a "scope" of authorizations has to be passed as well you as a user can also see what the application is asking for (email, access to your inbox, wtv) and decide if you want to grant those scopes or not, if you decide not to grant access then facebook will not pass back that information, which in turn renders the process safe.
The only way it wouldn't be safe would be if you had malicious software installed in your computer to log your activity and in this case you would be screwed either way.

Log user out of multiple IdentityServer clients

We have a project that uses IdentityServer4
https://github.com/IdentityServer/IdentityServer4
We have 3 domains: auth, admin and www
IdentityServer runs on auth and the other two are ‘clients’.
www uses the Hybrid flow (cookies)
admin uses the Implicit flow (it is a SPA, using oidc-client)
We have a single login page hosted on auth. When the user logs in they are taken to www. Some users are allowed to access admin and they will see a link in the navigation.
After you login, when you access the admin you can see the authentication happen automatically and return to the callback URL. This all works fine.
However if I logout from the admin I can still access the www, and vice versa. Ideally we would like the logout to log the user out of both clients at once.
Is this possible?
Note: I'm the front end developer on this project, so the guy who actually implemented it may provide additional details in comments below.
Yes this is possible.
The docs for idsrv4 are not done yet - but it works pretty much like this
https://identityserver.github.io/Documentation/docsv2/advanced/signout.html
This is an implementation of the signout spec for JS
https://openid.net/specs/openid-connect-session-1_0.html
..and for web apps
https://openid.net/specs/openid-connect-frontchannel-1_0.html
you need to read those documents to understand the mechanisms

IdentityServer V3 does not accept login

We are trying to build OAuth2 Authorization with IdentityServer3.
So we downloaded the Bytes from nuget and connected it with our database.
The database was initialized with the default scopes and the sample clients from Thinktecture self.
Then we connected AD FS as IDP via OWIN and made an simple ExternalUserService.
So far everything worked fine and the permissions page of the IdSrv could be opened, showing the username and that no application has consent up to now.
Then we tried to connect Xamarin.Auth to that and got an error Cannot determine application to sign in to and in the logs an error Signin Id not present (after logon at the ADFS IDP).
To reduce complexity, we decided to go back to the InMemoryUserService and created one InMemoryUser. This worked for the permissions page (at least for a short period of time - time is over now), but it did not allow OAuth2 Authorization Code Flow, which ended up in showing the login page again and again and again. And there is no evidence of any error in the logs.
How can we debug, what is happening? Is there any way to see, why a user gets redirected to the login page again despite being logged in?
--
We reduced the complexity even further by creating a new empty MVC application, which just uses a simple InMemoryUserFactory.
Now it's getting a little bit confusing: one user was able to logon from his machine - other machines (same user - since we created only one) are not able to login and get prompted with the login over and over again.
If using IdentityServer3 and you use own external login methods you should really pay close attention to the API of the IdSrv3.
We tried to create a login resutl with just the subject - this is made for local login on the server. If this is switched off at the same time, you will end up having problems.
So if you use an own external login provider and switch off local login, make sure to call the right overload for the authenticate method (3 Parameters in our case).

OAuth2 Authorization Code in Cookie, good or bad?

I can not seem to find a SIMPLE answer to the question on how to persist OAuth2 authentication... Let's take Google+ OAuth2 API as an example.
User goes to page
User is not authenticated, and gets redirected to authentication page where he logs in
User logs in successfully and authorises my app
User gets redirect to specified (by me) URI with Authorisation Code
I use authorisation code to obtain a token in order to submit queries in the name of the user
All is good and well. My question is: how do you SECURELY know at step 2 that the user visiting the page is already logged in, without having to go through the whole process of redirecting him to all these pages.
I assume storing the Authorisation Code retrieved at step 4 in a cookie is not an option.
All of this will happen in a server-side (Go - if that matters) application.
Any help is much appreciated... I need a simple solution.
Thank you!
use server-side sessions to store any authentication state or even access tokens if you need them.
one solution is to use a database for session store (an encrypted cookie holds the session id)
and another is to use cookie sessions (encrypted cookies that hold the session data).
using encrypted cookies that only the server is able to decrypt should be safe enough.