How to create authentication API in WSO2 IS - authentication

I'm trying to deploy a SOAP based authentication API in WSO2 Identity Server.
I want to deploy an Identity Provider based on JDBC (MySQL) User Store and expose it in a Service Provider to authenticate (user, password) and register users.
The User Store is already configured with MySQL. But I can't find clear documentation, a tutorial or an example for doing this.
Can anyone help me?
Thanks.

I answer my own question:
http://soasecurity.org/2013/12/10/user-role-management-with-wso2-identity-server-apis/
Identity Server has an API for user and role management, allowing authenticate, addUser, etc.

Related

Do users of a third party app accessing our APIs have to log in with us even if they've already authenticated with their system?

We have a third party company developing a mobile app and they want to call our APIs. Our API is protected with Identity Server 4, which uses OpenID Connect and OAuth2. In order to access our APIs, would their app have to pop open a mobile browser so the user can log into our system? What if users already authenticated with the third party's identity provider? Seems like that would create a negative user experience to authenticate two different times while using the app.
My understanding is we would add their app as a client in Identity Server using the authorization code grant. Would we add their identity provider as an identity provider that our Identity Server can call?
Any help on this would be greatly appreciated. I've researched myself into a hole.
would their app have to pop open a mobile browser so the user can log into our system?
You are pretty much right in your assumption that their app would have to somehow initiate an OIDC flow to allow the users of the mobile app to authenticate with the authority of your API (identity provider).
Seems like that would create a negative user experience to authenticate two different times while using the app.
It seems that this is what's holding you back. Firstly, that mobile app's identity provider is separate from your API's authority and it is important to understand that the "user" authenticated with the other identity provider means close to nothing to your API because the token has been issued by a different authority and it's not even a "user" from your user base.
My understanding is we would add their app as a client in Identity Server using the authorization code grant.
Yes, but check also Authorization Code grant with PKCE which adds extra security measures.
Would we add their identity provider as an identity provider that our Identity Server can call?
Yes, you will need to do that, but this is just the start of the things you would need to do to achieve what you are looking for. Because you already have Identity Server 4 in place, I assume your systems already have an established user base; therefore, if you just redirect to the external identity provider, once a user authenticates there and the token is issued back, that kinda means nothing because you don't have any kind of mapping from the user of the third party system to the user of your system.
There is pretty much nothing out of the box in Identity Server 4 that will help you with this, but one way to tackle this is to implement some sort of account-linking mechanism, where the users would first have to "link" their account in your system with the account in the third party system. With the account linked, you would have the means to issue claims related to your system.
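The account-linking mechanism this answer describes, as an added example that is not part of the thread or of Identity Server 4: a small store that maps an identity asserted by the partner's OpenID Connect provider (its issuer and subject claims) to a local user id, and fails closed when no link exists, which is exactly the "token from a different authority means nothing" case above. The class and function names and the sample issuer URL are assumptions for illustration.

```python
# Added example (not from the thread or Identity Server 4): an in-memory
# account-linking store. The (iss, sub) pair is the stable identity an OIDC
# ID token gives you; email or display name are not stable and must not be
# used as the link key. Class/function names are illustrative assumptions.
from dataclasses import dataclass, field


class UnlinkedIdentityError(Exception):
    """The external identity has no local account mapped to it."""


@dataclass
class AccountLinker:
    # (issuer, subject) -> local user id; a database table in real use
    links: dict = field(default_factory=dict)

    def link(self, local_user_id: str, issuer: str, subject: str) -> None:
        """Record that the local user owns the external identity. Call this
        only from a session in which the local user has already authenticated
        against *your* authority, otherwise anyone could claim any account."""
        key = (issuer, subject)
        if key in self.links and self.links[key] != local_user_id:
            raise ValueError("external identity already linked to another user")
        self.links[key] = local_user_id

    def is_linked(self, issuer: str, subject: str) -> bool:
        return (issuer, subject) in self.links

    def resolve(self, issuer: str, subject: str) -> str:
        """Map an external identity to a local user; fail closed if unlinked."""
        try:
            return self.links[(issuer, subject)]
        except KeyError:
            raise UnlinkedIdentityError(f"{issuer}#{subject} is not linked") from None

    def unlink(self, issuer: str, subject: str) -> bool:
        return self.links.pop((issuer, subject), None) is not None


def claims_for(linker: AccountLinker, external_claims: dict) -> dict:
    """Turn already-validated ID-token claims from the partner IdP into the
    claims your own authority issues. Only `sub` comes from your user base;
    the external issuer is kept as an informational claim."""
    local_id = linker.resolve(external_claims["iss"], external_claims["sub"])
    return {"sub": local_id, "idp": external_claims["iss"], "amr": ["external"]}


if __name__ == "__main__":
    # Constructed sample: partner issuer and subject values are made up.
    linker = AccountLinker()
    linker.link("local-42", "https://idp.partner.example", "ext-7")
    print(claims_for(linker, {"iss": "https://idp.partner.example", "sub": "ext-7"}))
```

`claims_for` assumes the ID token has already been validated (signature, issuer, audience, expiry) by your OIDC client library; the linker only answers "which of my users is this".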
Identity Server 4 absolutely has out-of-the-box solutions for this. If they didn't, what would be the point of calling themselves an OAuth 2.0 framework?
You do not need to initiate an OIDC flow like stated. What does that even mean anyway? OIDC is a connection protocol, not a flow. Flows include hybrid, implicit, client credential, etc.
You could obtain an access token for your 3rd party app in a number of ways; all use the token endpoint built into Identity Server 4 specifically for creating access tokens. The most common is using the ClientCredential flow, where you gain a bearer token by hitting the Identity Server 4 token endpoint, passing the client_credentials grant type with the ClientId of the client they want to access, a shared secret supplied by you, and the API scope they are attempting to access.
Another option is you could create a user for this client on Identity Server 4, then gain an access token using the ResourceOwnerPassword flow by hitting the token endpoint, passing the password grant type, clientId, username, and password, again along with the API scope they want to access.
For information on how to do all of the above check out this link. It will help you on your way.
http://docs.identityserver.io/en/latest/endpoints/token.html
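The two token-endpoint calls this answer names, as an added example that is neither the thread's nor the IdentityServer4 project's code: one function builds the client_credentials request, another the password (resource owner) request, and a third accepts only a successful bearer-token response and surfaces the OAuth error code otherwise. The endpoint URL, client id, secret and user credentials are constructed placeholders.

```python
# Added example (not from the thread or IdentityServer4): building token
# endpoint requests for the two grants discussed and checking the reply.
# URL, client ids, secrets and credentials below are constructed placeholders.
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://ids.example.com/connect/token"  # constructed


def _basic_auth(client_id: str, client_secret: str) -> dict:
    # Client authentication via HTTP Basic; only ever send this over TLS.
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Content-Type": "application/x-www-form-urlencoded"}


def client_credentials_request(client_id: str, client_secret: str, scope: str):
    """client_credentials grant: the resulting token identifies the calling
    application (no end-user subject), scoped to the API scope requested."""
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_ENDPOINT, _basic_auth(client_id, client_secret), body


def password_request(client_id: str, client_secret: str,
                     username: str, password: str, scope: str):
    """password grant: the client forwards the user's own credentials, so the
    token carries that user's subject. urlencode() handles characters such
    as '@' or '&' in the password."""
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return TOKEN_ENDPOINT, _basic_auth(client_id, client_secret), body


def parse_token_response(status: int, body: str) -> dict:
    """Accept only HTTP 200 with a bearer token; otherwise raise with the
    OAuth error code (invalid_client, invalid_grant, invalid_scope, ...)."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise PermissionError(data.get("error", f"http {status}"))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": data["access_token"],
            "expires_in": int(data.get("expires_in", 0)),
            "scope": data.get("scope")}


if __name__ == "__main__":
    # Constructed responses, not captured from a real server.
    url, headers, body = client_credentials_request("app", "s3cret", "api1")
    print(url, headers["Content-Type"], body)
    ok = parse_token_response(200, '{"access_token":"x.y.z","token_type":"Bearer","expires_in":3600,"scope":"api1"}')
    print(ok)
```

The send step itself (any HTTP client doing `POST url` with those headers and that body) is left out so the block runs offline; the shape of the request is what the answer is about.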

How to setup WSO2 APIM with WSO2 IS and an identity provider?

My question is rather large as I didn't know exactly what to ask, if you have a more specific title don't hesitate to edit.
I'm currently working on a poc where the scenario is the following :
the end user (bob) wants to access some application (randomApp)
randomApp calls our APIM, which will first check that randomApp is registered on the store with an access token and has access to the API
then pass it to the identity server (IS), which will check with the inbound authentication component (with, for example, OpenID Connect) that randomApp is registered as a service provider and that the OAuth key & secret match
this randomApp has some federated authentication declared in the local & outbound auth component to redirect it to an OpenID Connect (OIC) server where bob will actually authenticate to access the resource
the OIC server is declared as an identity provider with some credentials from the OIC server; all the URLs from the OIC server are declared: auth, token and callback endpoints.
bob authenticates correctly; the info is then passed back to the IS, which gives it to the SP, which can finally call the API and display bob's information.
Is this scenario conceivable? I'm having a hard time grasping every single interaction between all the components. Let me know if some steps are not necessary, overkill or else. I've been playing around with the playground from wso2 but I'm not sure that it depicts exactly the scenario I want.
To summarize: end user -> service provider -> wso2 identity server -> OIC server and go back the other way. What would be the best "setup" for this?
I hope the article use-cases-of-utilizing-saml-with-wso2-api-manager will be useful for your requirement. In this article, the flows are explained with the SAML protocol. You can use the same functionality with OIDC as well.

WSO2 Identity Server: How to authenticate User?

I am using an in-memory DB for storing user details in WSO2 Identity Server. I created a couple of users via the UI and now I want to authenticate those users using some external application.
Is there any available WSO2 service which takes user credentials and authenticates based on the details provided? I saw a few articles where they are mainly talking about User Stores. But there, I think, they directly connect to the DB to compare the credentials.
There are multiple ways to authenticate a user from Identity Server. The easiest way is that you can call the admin service (SOAP service) for authentication (RemoteUserStoreManagerService/authenticate). Or you can create an OAuth application inside the IS and use the resource owner grant type to pass the credentials and authenticate.
You can find admin service related information from here [1] and password grant related information from here [2]
Is there any available WSO2 service which takes user credentials and authenticates based on the details provided?
I believe we've misused the Token API service (/token with the password OAuth profile) to request an OAuth code, and the WSO2IS effectively validates the user's credentials.
I suggest your application would stick to some authentication and authorization standards supported by the WSO2IS, such as OAuth 2.0 or SAML.
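The SOAP admin-service call named in both the first thread's answer (user/role management APIs) and this one (RemoteUserStoreManagerService/authenticate), as an added example that is neither the thread's nor WSO2's own code: it builds the `authenticate` envelope, sends it with the Carbon admin credential the admin services require, and parses the boolean reply. The service path, SOAPAction and namespace are assumptions matching the WSO2 admin-service convention; all credentials and the sample reply are constructed.

```python
# Added example (not from the thread or WSO2): calling the
# RemoteUserStoreManagerService admin service's `authenticate` operation.
# SERVICE_URL, UM_NS and the SOAPAction are assumptions; credentials and the
# sample reply below are constructed, not captured from a real server.
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SERVICE_URL = "https://localhost:9443/services/RemoteUserStoreManagerService"
UM_NS = "http://service.ws.um.carbon.wso2.org"            # assumption
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def authenticate_envelope(username: str, password: str) -> str:
    # escape() keeps a username containing '<' or '&' from altering the XML.
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ser="{UM_NS}">'
            "<soapenv:Header/><soapenv:Body><ser:authenticate>"
            f"<ser:userName>{escape(username)}</ser:userName>"
            f"<ser:credential>{escape(password)}</ser:credential>"
            "</ser:authenticate></soapenv:Body></soapenv:Envelope>")


def request_headers(admin_user: str, admin_password: str) -> dict:
    # Admin services authenticate the *caller* with a Carbon admin account;
    # the end user's password only travels inside the body. TLS is mandatory.
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return {"Content-Type": "text/xml;charset=UTF-8",
            "SOAPAction": "urn:authenticate",
            "Authorization": f"Basic {token}"}


def parse_authenticate_response(xml_text: str) -> bool:
    """<return>true</return> means the credentials matched; anything else,
    including a missing element, is treated as a failed authentication."""
    root = ET.fromstring(xml_text)
    ret = root.find(f".//{{{UM_NS}}}return")
    return ret is not None and (ret.text or "").strip().lower() == "true"


def _post_https(url: str, headers: dict, body: str):
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def authenticate_user(username: str, password: str, admin_user: str,
                      admin_password: str, post=_post_https) -> bool:
    """Returns True only for an HTTP 200 carrying <return>true</return>.
    A non-200 (SOAP fault, wrong admin credential) is a configuration
    problem and is raised rather than reported as 'bad password'."""
    status, text = post(SERVICE_URL, request_headers(admin_user, admin_password),
                        authenticate_envelope(username, password))
    if status != 200:
        raise RuntimeError(f"admin service returned HTTP {status}")
    return parse_authenticate_response(text)


# Constructed sample reply in the shape the service returns.
SAMPLE_OK = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Body><ns:authenticateResponse xmlns:ns="http://service.ws.um.carbon.wso2.org">'
             '<ns:return>true</ns:return></ns:authenticateResponse></soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    fake_post = lambda url, headers, body: (200, SAMPLE_OK)   # offline transport
    print(authenticate_user("bob", "pw", "admin", "admin", post=fake_post))
```

The `post` parameter exists so the logic can be exercised offline; drop it to hit a real server. The reply is parsed with the standard library because it comes from your own IdP over TLS; for XML from untrusted parties use a hardened parser such as defusedxml.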

3-legged oauth with Wso2 API Manager

I need to expose some APIs through wso2 api manager, but with three important features:
Some APIs need 3-legged oauth access control;
The oauth authentication must be made through an identity provider already configured in wso2 identity server;
Need to give the resource owner the ability to manage (list and revoke) subscribed applications
Can anyone give me some tips to achieve this scenario?
Configure Three Legged flow with OAuth 1.0a.
Refer http://tharindue.blogspot.com/2015/04/three-legged-oauth-10a-playground_23.html for more details
If IS as Key Manager is configured on API Manager, Identity Server is the Identity Provider.
When a developer creates an application on the API Manager Store, he has manage permissions for that application. All other subscribers, who use the key and secret pair, have subscribe permission only.
For additional information:
http://wso2.com/library/articles/2016/05/article-the-benefits-of-integrating-wso2-identity-server-with-wso2-api-manager/
https://docs.wso2.com/display/IS460/Authorization+Code+Grant+Type+with+API+Manager
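The three-legged OAuth 1.0a setup the answer recommends ends with the client calling the protected API using its access token, and that call has to be signed. As an added example (not the thread's, WSO2's or the linked blog's code), the block below implements the RFC 5849 signature base string, HMAC-SHA1 signing with consumer secret plus token secret, and the resource server's verification with a timestamp window and nonce replay check. The URL, keys and secrets are constructed placeholders.

```python
# Added example (not from the thread, WSO2 or the linked blog): OAuth 1.0a
# request signing and verification per RFC 5849. URL, keys and secrets are
# constructed placeholders; query parameters must be merged into `params`.
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded base URL & encoded normalized parameters. The base
    URL is scheme://host/path with default ports removed; oauth_signature
    itself is excluded from the parameter list."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if (parts.scheme.lower(), host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]
    base_url = f"{parts.scheme.lower()}://{host}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    # Key is consumer secret and token secret, each encoded, joined by '&'.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method: str, url: str, params: dict,
                 consumer_secret: str, token_secret: str) -> dict:
    """Client side: returns the parameter set including oauth_signature.
    `params` must carry oauth_consumer_key, oauth_token, oauth_nonce and
    oauth_timestamp (the nonce must be fresh per request)."""
    signed = dict(params, oauth_signature_method="HMAC-SHA1", oauth_version="1.0")
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


class ResourceServer:
    """Verifier side: recompute the signature and reject stale or replayed requests."""

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        self.seen = set()   # (consumer_key, timestamp, nonce); persist this in real use

    def verify(self, method, url, params, consumer_secret, token_secret, now: int) -> bool:
        try:
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
            presented = params["oauth_signature"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:          # stale or clock-skewed request
            return False
        replay_key = (params.get("oauth_consumer_key"), ts, nonce)
        if replay_key in self.seen:              # same nonce seen before: replay
            return False
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):   # constant-time compare
            return False
        self.seen.add(replay_key)
        return True


if __name__ == "__main__":
    url = "https://api.example.com/resource"
    p = sign_request("GET", url, {"oauth_consumer_key": "key", "oauth_token": "tok",
                                  "oauth_nonce": "n1", "oauth_timestamp": 1000}, "cs", "ts")
    print(ResourceServer().verify("GET", url, p, "cs", "ts", now=1010))
```

The server looks up `consumer_secret` and `token_secret` from its own store using `oauth_consumer_key` and `oauth_token`; that lookup is the point where the access token, and the subscription it represents, can be revoked.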

Web Services and Azure ACS - Security Token from an Identity Provider (e.g. Facebook)

I'm new to Azure ACS and working with a web site that implements Azure ACS. I need to write a web service that needs to be secured with authentication via an Identity Provider first (e.g. Facebook).
I'm having a hard time finding a simple sample that can help me accomplish basically the 2nd scenario laid out in this article: http://msdn.microsoft.com/en-us/library/gg429784.aspx ("By presenting a security token from another trusted issuer (Identity Provider) that has authenticated that client").
For what it's worth, I was able to find a great example that lets the client authenticate directly with ACS using ACS Service Identity (i.e. username/password) here: http://blog.siliconvalve.com/2013/06/25/protect-your-asp-net-web-api-using-azure-acs-service-identities/, but I need the client to authenticate via FB to identify who that client is.
In case someone else is also looking for this information, here's a sample I finally was able to obtain after contacting Microsoft Azure ACS support: http://code.msdn.microsoft.com/vstudio/AAL-Native-App-to-REST-de57f2cc