Is it possible to implement OAuth 2.0 or 1.0 using an Apache HTTPd server module?
I am choosing this route because each and every request will first reach the HTTPd module, so from there I have to authenticate.
If it is possible, please share a related link for that.
I'm going to add to Eugenio's answer by saying that mod_auth_openidc supports two modes of operation:
it can function as an OpenID Connect Relying Party authenticating users by consuming and verifying ID tokens, access tokens and refresh tokens as issued by an OpenID Connect Provider; it will relay information about the authenticated user (and possibly the tokens themselves) to the protected application that runs on or behind the Apache server
it can function as an OAuth 2.0 Resource Server, controlling access from OAuth 2.0 clients by consuming and verifying access tokens that have been issued by an OAuth 2.0 Authorization Server; it can pass on information associated with the access token to the protected application that runs on or behind the Apache server
For both cases, Apache's Require logic can be used to enforce access based on certain claims that are present in the ID token resp. access token.
Update April 12, 2019:
There's now a dedicated module to handle the OAuth 2.0 Resource Server functionality: https://github.com/zmartzone/mod_oauth2
Yes, this is possible. In fact mod_auth_openidc does exactly that for Apache (and for OpenId Connect, which is a protocol built on OAuth2).
More on the scenario here: https://auth0.com/blog/sso-for-legacy-apps-with-auth0-openid-connect-and-apache/
Related
I'm working in microservices environment, where each service authenticates using OpenID Connect to an authentication service (local IdP), based on Users I keep locally on my Database.
Now, I want these services to be able to authenticate using Azure, Google, etc.
Can (and should) I modify my authentication service to allow redirection to another IdP, and replace or chain the token to my proprietary token for my services?
Is there a simpler way?
How can I allow users to login both using name / password OR external IdP?
I'm doing some research on the topic by myself as well and from what I've found until now, it seems that there is a urn:ietf:params:oauth:grant-type:token-exchange grant type that should allow exchanging external idp token to an internal one as described in some spec.
It should be supported as part of the openid connect /token endpoint so as long as the local idp supports it, I guess that this should be the best practice to achieve what you are looking for.
I'm currently looking into mitreid-connect idp implementation as local idp and some of my requirements is to also allow SSO with third parties while being able to issue a local token from the external user identity.
Will update as it goes...
If you manage all the SP (your microservices) it's definitely easier to implement it on your common IDP.
But if the SP are external ones (like existing services you just installed) and they already implements the public IDP you want to use, it was be a bit harder to pass through your current IDP without problem.
I'm guessing you are in the first case (you made all your SP) so I will elaborate it:
When your current IDP will authenticate user on others public IDP, it will get some information (email, name, etc.) and you can normalize those in your answer, to be sure your SP are completely agnostic of which original IDP was used. It will be better for you if the future to debug this setup. And of course to add a new public IDP...
But if you need to use some specific call to original IDP, (let says Youtube API for example) you could have a agnostic API on your common IDP which will forward to the appropriate proprietary API of original IDP, or deny the request if the IDP does not have a video system.
Or you could give original token to your SP, in a custom field or scope of your oidc token, so for example an SP dedicated to video could directly call Youtube API with the google user token.
I recently did a similar setup for my company. I would like to share the overall structure to give an idea about our solution. Hope it helps:
Our authentication server is an node express server with following properties:
Hosts static login screens to allow authentication against local database via email + password, as well as provides links to authenticate with external OAuth2 providers.
Both local and external authentication requests are forwarded to Passport.js Authentication strategies
After successful login, both local and external Passport.js strategies respond to a callback. Upon this response, a session object is created via express-session and a cookie is sent.
At this point, cookies can be used to exchange JWT's, so that authentication against stateless API's can be possible with Bearer Access Tokens.
We are currently analyzing the API gateway for our microservices and Kong is one of the possible candidate. We discovered that Kong support several plugins for authentication but the all based on users stored in Kong database itself. We need to delegate this responsibility to our custom auth HTTP service and don't want to add these users in API gateway database.
It's possible to do this with some code around, instead of using the OpenID connect plugin; in effect you need to implement an Authorization Server which talks to Kong via the Admin (8001) port and authorizes the use of an API with externally given User Ids.
In short, it goes as follows (here for the Authorization Code grant):
Instead of asking Kong directly for tokens, hit the Authorization Server with a request to get a token for a specific API (either hard coded or parameterized, depending on what you need), and include the client ID of the application which needs access in the call (you implement the /authorize end point in fact)
The Authorization Server now needs to authenticate with whatever IdP you need, so that you have the authenticated user inside your Authorization Server
Now get the provision code for your API via the Kong Admin API, and hit the /oauth2/authorize end point of your Kong Gateway (port 8443), including the provision key; note that you may need to look up the client secret for the application client id also via the Admin API to make this work
Include client id, client secret, authenticated user id (from your custom IdP) and optinally scope in the POST to /oauth2/authorize; these values will be added to backend calls to your API using the access token the application can now claim using the authorization code
Kong will give you an Authorization Code back, which you pass back to the application via an 302 redirect (you will need to read the OAuth2 spec for this)
The application uses its client and secret, with the authorization code, to get the access token (and refresh token) from Kong's port 8443, URL /oauth2/token.
It sounds more involved than it is in the end. I did this for wicked.haufe.io, which is based on Kong and node.js, and adds an open source developer portal to Kong. There's a lot of code in the following two projects which show what can be done to integrate with any IdP:
https://github.com/apim-haufe-io/wicked.portal-kong-adapter
https://github.com/Haufe-Lexware/wicked.auth-passport
https://github.com/Haufe-Lexware/wicked.auth-saml
We're currently investigating to see whether we can also add a default authorization server to wicked, but right now you'd have to roll/fork your own.
Maybe this helps, Martin
Check out Kong's OpenID Connect plugin getkong.org/plugins/openid-connect-rp - it connects to external identity and auth systems.
We have a scenario where we have to authenticate the user with LDAP server
Flow 1:
client --> application server --> LDAP server
In above flow the client enters LDAP credentials which comes to application server and then using python-ldap we can authenticate the user, straight forward. Since the user LDAP credentials comes to application server an organisation may not be willing for such flow for obvious reasons.
Flow 2:
client --> oauth2 --> LDAP server
Oauth scenario suites best here, since authentication of the user is responsibility of the oauth and application server do not need to know the user credentials.
Have anyone encountered such case, if yes, how you tackled it?
Is there are any Oauth client for LDAP free and paid ?
If you don't want user credentials to reach the Application server then what you need is a perimeter authentication. You need to have an external authentication provider , say Oracle Access Manager, that will perform the authentication and set a certain token in the request. The application server can assert this token and let user access resources. This model enables SSO as well.
The resources that require authorized access are configured as protected URLs in OAM.
When a user tries to access a protected resource he is challenged for credentials.
OAM authenticates the user against an LDAP directory(that is configured in OAM).
A token corresponding to the authenticated user is set in the request. Also an SSO cookie is set.
Application server (Weblogic) can assert (verify) this token and let the user access the resource.
Note: Oracle Access Manager supports oAuth as well.
Ory Hydra https://ory.sh/hydra might be what the original poster was asking for. This question is several years old now but in the interest of helping anyone else who sees this...check out Ory Hydra. It provides the OAuth2/OpenID parts and can be linked to an LDAP server behind the scenes.
canaille is a free and light OAuth2/OpenID service over a LDAP backend, written in python. (canaille developper here)
https://gitlab.com/yaal/canaille
I want to know if it is permissible to pass a user's OAuth 2.0 access token between applications and use it as a method of logging them in.
I have an iPhone application that uses the password grant to authenticate a user, and then uses their access token for future requests. The iPhone application is also able to open up our website in a tab, and I want the user to be logged in to our website when this tab opens.
Under the OAuth 2.0 spec, is it permissible to pass that token to the web request and have the the web server authenticate and log the user in for that request?
For example, the browser might open the following location (but use a header, instead of a query string):
https://example.com/account?access_token=foo_bar
Alternatively, a dedicated endpoint for OAuth authentication and a redirect could be used.
So in effect, my question is in two parts; can an OAuth 2.0 token be shared between application contexts and can a token be used to authenticate a user in another context?
In the OAuth 2.0 Spec (RFC 6749), there are a couple of areas that may be relevant. Basically a client can receive an access_token that is accepted by multiple resource_servers but if the client is comprised of multiple components with different security contexts, it should register each one and use a different token:
Single token across multiple resource servers
A single authorization server may issue access tokens accepted by
multiple resource servers.
Single client with multiple components
A client may be implemented as a distributed set of components, each
with a different client type and security context (e.g., a
distributed client with both a confidential server-based component
and a public browser-based component). If the authorization server
does not provide support for such clients or does not provide
guidance with regard to their registration, the client SHOULD
register each component as a separate client.
I have a web service that acts as a OAuth 1.0a provider. Web applications go through the OAuth 1 workflow to gain access to user resources. So far so good.
The client web application has the need to communicate with the service for other needs, to exchange private data NOT linked to a particular user/resource owner. For that, a good idea seems to use OAuth2, in particular Client Credentials Grant (4.4)(which was designed exactly for this).
From a "confidential client" (and a web application falls into this category, according to the OAuth specs) you can directly authenticate your client and get an access token.
EDIT: of course, the kind of web application I am talking about is html+javascript BUT authentication and communication with the provider/web service happens entirely server-side. Credentials (client secret, keys, etc.) are all stored on (and never leave) the server.
According to the specs, authentication can happen with "username+password" (client password with HTTP Basic authentication scheme) or "other authorization methods".
I was not able to find any clue of what these "other authorization methods" may be.
Since we use private/public key pairs for OAuth1, can we use them for this task too?
The specs seem very liberal (and very vague!) on this point.
I would like something that is supported by the various libraries, so that a 3rd party client can implement it easily using standard libraries (like DotNetOpenAuth for example). If needed, it is reasonable to assume that some coding needs to be done for the custom method, as long as it can accommodate existing libraries (plugin?)
Is there anything "standard" or easily usable other than HTTP Basic, for OAuth 2 authentication?
If by web application you mean a JavaScript and HTML app that runs in the client browser and needs to make secure requests to your service, that is not a "confidential client". You cannot store secrets in a browser based app, as they will be visible to all.
If by web application you mean a server-side application that needs to make server to server requests, that is a "confidential client" because the executing code and secrets are not available to public scrutiny.
I interpret the "other authentication methods" to mean any authentication scheme that is customary over http (or https) that can be completed in one request. Client certificate authentication using TLS might also fall into this bucket. I think the main part of the OAuth2 4.4 Client Credentials Grant is that the client app presents credentials directly to the OAuth token service via existing authentication methods. The example uses HTTP Basic authentication, but that's just one example.
Client credentials grant differs from the resource owner credentials grant (4.3) primarily in that the resource owner grant presents the user credentials in the body of the http request instead of in the Authorization header. It would be difficult to use other authorization methods with resource owner grant.
The greatest caveat in using other authentication methods with the Client Credentials Grant is that support for anything other than HTTP Basic auth by OAuth2 client libraries will likely be spotty at best. Even if your use of digest or client cert auth with Client Credentials is within the OAuth2 spec, I'm doubtful that existing OAuth2 client libs will have built-in support for your particular permutation. See if you can find examples of client credentials grant using anything other than HTTP Basic auth by some of the big players such as Google or Yahoo. Things used there are more likely to be supported by OAuth client libs (especially the libs they ship!).
If you own both ends of the connection, this doesn't really matter. You can do whatever you want and find a client lib that will let you tweak or tailor the request to fit your needs.
If you want arbitrary clients to connect to your service using client credentials grant, you should plan on providing documentation and sample code of how clients should present the credentials you require. Off the shelf OAuth2 client libs probably won't provide automatic support for your scheme.