Can an OAuth 2.0 server be used instead of or replace an OAuth 1.0 server?

OAuth version 2 introduces additional flows to the specification, and the user experience of trusted projects could be improved a lot. For example: by using on-page username/password submission. This also increases conversions by having a username/password form in your checkout form. This was introduced in version 2.
Hence the question:
Can an OAuth 2.0 server completely replace an OAuth 1.0 server?

Yes. Google is even using OAuth 2 exclusively for several of their APIs.

Use API to log in to my ASP.NET website

I'm an ASP.NET web developer. I have a new system to build; the system is connected to an API that contains the users, passwords, and permissions.
I want help with the concept to build the system with login from the API. Usually I used Membership or Identity to build users, passwords and permissions.
So how can I deal with users that do not exist in the tables of my database?
I can't write a comment, but I think you need to know how to deal with and use OAuth 2.0 for authentication, which we usually use when we want to get personal data from a third party. Here are some links; I hope these links help you.
Intro to OAuth 2.0
Tutorialspoint OAuth 2.0
Authentication

API Security - OAuth 1 or 2?

Hey guys,
I have designed a 'Pragmatic RESTful' API. Not to Fielding's spec - but aligned to this http://www.restapitutorial.com/ - please leave the what is / isn't a RESTful API debate aside for now...
What I want to know is how to best secure my API. I see that OAuth 1.0a is common, but I also see that it is deprecated. What is it that I should be using now? OAuth 2.0? Or should I ignore the deprecation and go ahead with OAuth 1.0a?
Also, if I am to use either Oauth 1.0 or 2.0, what flow should I be researching for an API?
Cheers,
The OAuth 2.0 specification allows you to tailor the security to your needs. You will have to find out what works best for you and your situation if you were to use OAuth 2.0.
Although Hans says that OAuth 2.0 is safest, you must realize that many think most implementations of it are insecure (not because the specification is bad, but because it's so open and loose that people don't properly secure all areas like they should). OAuth 2.0 is more "loose" in the way it approaches the subject. If you look closely, the RFC spec for OAuth 2.0 calls it a "framework" while it calls OAuth 1.0a a "protocol". For that and some other reasons, companies like Twitter have stuck with OAuth 1.0a. Although OAuth 2.0 is new, you will have to bring in other specifications, like JWT, to secure it properly.
If I wanted to be sure that my API application was secure, I would definitely stick with OAuth 1.0a (tried and tested) unless you absolutely need some feature of OAuth 2.0 for now.
With OAuth 1.0a there is really only one way to do things, so your question as to "what flow" you should use is pretty much answered there.
OAuth 2.0 is the successor of OAuth 1.0a and many APIs have started to support it in favor of OAuth 1.0a. Also, new developments - such as features that are comparable to the signed requests in OAuth 1.0a, called proof-of-possession tokens - are happening currently in OAuth 2.0, and no development is done on OAuth 1.0. So OAuth 2.0 is your safest bet for the future.
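Both answers above lean on "signed requests in OAuth 1.0a" without showing what the signature binds. The following is an added example, not code from either answer: a stdlib-only Python client signer and server verifier for the HMAC-SHA1 method of RFC 5849, built from the signature base string of section 3.4.1. The consumer key, token and secret values are placeholders; the base string construction reproduces the RFC's own example request, so it can be checked against the text of the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as they are."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lower-case scheme and host, drop default ports, drop the query."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method: str, url: str, body_params, oauth: dict) -> str:
    """Section 3.4.1: METHOD & enc(uri) & enc(normalized parameters).
    Parameters are the query string, the form-encoded body and the oauth_*
    header fields, minus oauth_signature and realm, sorted after encoding."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += list(body_params)
    pairs += [(k, v) for k, v in oauth.items() if k not in ("oauth_signature", "realm")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    """Section 3.4.2: key is enc(consumer secret) & enc(token secret); output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None) -> dict:
    """Client side: the oauth_* fields to put in the Authorization: OAuth header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, body_params, oauth)
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return oauth


class Verifier:
    """Server side: recompute the signature, reject stale timestamps and replayed nonces."""

    def __init__(self, consumer_secrets: dict, token_secrets: dict, window: int = 300):
        self.consumer_secrets = consumer_secrets   # placeholder lookup tables (assumed)
        self.token_secrets = token_secrets
        self.window = window
        self.seen = set()  # (consumer_key, token, nonce, timestamp); a real server ages these out

    def verify(self, method, url, body_params, oauth: dict, now=None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            ts = int(oauth["oauth_timestamp"])
            nonce = oauth["oauth_nonce"]
            c_secret = self.consumer_secrets[oauth["oauth_consumer_key"]]
            t_secret = self.token_secrets[oauth["oauth_token"]]
        except (KeyError, ValueError):
            return False
        if oauth.get("oauth_signature_method") != "HMAC-SHA1" or abs(now - ts) > self.window:
            return False
        replay_key = (oauth["oauth_consumer_key"], oauth["oauth_token"], nonce, ts)
        if replay_key in self.seen:
            return False
        expected = hmac_sha1(signature_base_string(method, url, body_params, oauth), c_secret, t_secret)
        given = str(oauth.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(expected.encode(), given):
            return False
        self.seen.add(replay_key)
        return True
```

The point to take from it: the signature covers the method, the URI and every parameter, so a captured request cannot be replayed (nonce plus timestamp window) or altered (any parameter change breaks the HMAC), and the secrets never leave the client. A plain OAuth 2.0 bearer token gives none of that per-request binding, which is what the proof-of-possession work mentioned above is meant to restore.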

SSO using joomla and spring

I have 2 websites on the same server: one is made with Joomla 3.0 (PHP), the other with Spring Framework 3.2 (Java).
I would like to have SSO with minimum code: people can sign in from one website and they don't need to sign in for the other.
I thought of OpenID. But I don't want everybody having an OpenID to sign in, so I have to provide my own OpenID server. Is it a good solution? Is there any better alternative?
I resolved the problem by using cookies: both websites are in the same domain. So I coded an external authentication plug-in for Joomla 3.0.
Hello, I come back after more than 4 years.
In my new architecture, I use JWT now.
So instead of having just a simple cookie, you can share the JWT passphrase between servers and store the generated JWT in a cookie or in local storage.
It's more secure and not dependent on OS/framework/language.

How do I authenticate users to Sharepoint 2010 site, using a standard SAML IDP (not an STS)?

The problem is I have a standard SAML 2.0 Web Profile IDP (a customized Shibboleth) that I can authenticate to Google Apps with nicely, but Microsoft decided to embrace-and-extend again, with WIF, so it seems things don't work off-the-shelf to have web SSO (single sign-on) with SharePoint.
At least all the documentation shows only how to integrate with AD FS STSs, or how to write your own STS, as the protocols around claims exchange aren't standard.
From the overviews it seems feasible to have my IDP being called (redirected to) and returning the SAML response as a forced post, as usual, but it seems hard to tell WIF to just process the simple response we serve.
Thanks,
ADFS v2.0 does support SAML 2.0.
If the SP STS doesn't support this, then simply add ADFS as a trusted provider to the SP STS.
I believe that ADFS 2010 only supports the WS-Federation Passive Requester Profile, i.e. no SAML 2.0 Web SSO support.
SAML 2.0 Web Profile support is possible, I believe, but you'll need to use a 3rd-party product like PingFederate for SAML 2.0 support unless you want to write quite a bit of custom code.
Hope this helps -
Ian

OAuth alternative?

I have been investigating OAuth to share resources in my site to other sites.
But a hole in the OAuth specification was reported several days ago.
http://oauth.net/advisories/2009-1
Many sites decided to stop using OAuth until a fixed version is released.
Currently, can we have any alternative to OAuth?
I want an open-standard and secure authorization protocol.
OAuth was built because there weren't any existing standards that solved the same problem. A fixed OAuth spec is forthcoming soon. It will be a pretty small change to the existing protocol.
In the short term, your best bet is to fall back on basic authentication mechanisms (requiring users to enter their credentials into your site for the foreign site).
Like Jonathan said, the hole will be fixed soon in the spec.
Oz is a web authorization protocol based on industry best practices. Oz combines the Hawk authentication protocol with the Iron encryption protocol to provide a simple to use and secure solution for granting and authenticating third-party access to an API on behalf of a user or an application.
Oz GitHub link
Oz builds on the well-understood concepts behind the OAuth protocol. While the terminology has been updated to reflect the common terms used today when building applications with third-party access, the overall architecture is the same.
There was a revised version of the OAuth 1.0 spec, but since this question was asked OAuth version 2.0 is getting stable, and would often be the recommended protocol.
OAuth version 2.0 is a bit more complex a protocol compared to its predecessor, but more secure. It is specially tailored to address the security concerns of enterprises. Currently Facebook and Google authentication flows are based on OAuth 2.0.
OAuth has come up with the new OAuth 2.0 standard, which is much more secure than OAuth 1.0 and 1.0a. It scraps the access token and access secret and introduces an access token and refresh token. The access token in OAuth 2.0 is valid for a certain timeframe; after that it is regenerated or refreshed using the refresh token.
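The access-token/refresh-token lifecycle the last answer describes, as an added example that is not part of any answer above and uses opaque random tokens rather than any particular server's format: access tokens expire after a short TTL, and the refresh token is rotated every time it is used. It goes one step beyond the answer by also detecting reuse of an already-rotated refresh token and revoking the whole token family, the standard mitigation for a stolen refresh token. Class names, TTL values and the in-memory dictionaries are placeholders for whatever store a real authorization server uses.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    family: str          # one family per original authorization; survives refreshes
    access_token: str
    access_expires: int
    refresh_token: str
    refresh_expires: int


class TokenStore:
    """Opaque OAuth 2.0 tokens: short-lived access tokens, refresh tokens rotated on use."""

    def __init__(self, access_ttl: int = 3600, refresh_ttl: int = 30 * 86400):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.by_access = {}        # access_token -> Grant
        self.by_refresh = {}       # live refresh_token -> Grant
        self.spent_refresh = {}    # rotated-away refresh_token -> family (for reuse detection)
        self.revoked_families = set()

    def _new_grant(self, user: str, family: str, now: int) -> Grant:
        g = Grant(user, family,
                  secrets.token_urlsafe(32), now + self.access_ttl,
                  secrets.token_urlsafe(32), now + self.refresh_ttl)
        self.by_access[g.access_token] = g
        self.by_refresh[g.refresh_token] = g
        return g

    def issue(self, user: str, now=None) -> Grant:
        """Called once the authorization grant (code, password, ...) has been validated."""
        now = int(time.time()) if now is None else now
        return self._new_grant(user, secrets.token_hex(8), now)

    def validate(self, access_token: str, now=None):
        """Resource-server check: returns the user, or None if unknown, expired or revoked."""
        now = int(time.time()) if now is None else now
        g = self.by_access.get(access_token)
        if g is None or g.family in self.revoked_families or now >= g.access_expires:
            return None
        return g.user

    def refresh(self, refresh_token: str, now=None):
        """Token endpoint, grant_type=refresh_token: rotate, or kill the family on reuse."""
        now = int(time.time()) if now is None else now
        if refresh_token in self.spent_refresh:
            # A refresh token presented twice means either the client or a thief still
            # holds it after rotation; revoke everything descended from that login.
            self.revoked_families.add(self.spent_refresh[refresh_token])
            return None
        g = self.by_refresh.pop(refresh_token, None)
        if g is None or g.family in self.revoked_families or now >= g.refresh_expires:
            return None
        self.spent_refresh[refresh_token] = g.family
        self.by_access.pop(g.access_token, None)   # the old access token dies with the rotation
        return self._new_grant(g.user, g.family, now)
```

The expiry is what limits the damage from a leaked access token; rotation plus reuse detection is what limits the damage from a leaked refresh token, which otherwise lives for weeks and would let an attacker keep minting fresh access tokens indefinitely.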