I want my Nancy site to accept Google/Facebook/OpenID authentication.
Are there any existing solutions for this?
There are work in progress by myself and members of our community. I am working on implementing the OAuth 2.x specification and then we're ironing out the implementations for Facebook/Twitter (not sure if anyone looked at Google) authentication.
Related
I have 2 websites on the same server: one is made by joomla 3.0 (php), the other by spring framework 3.2 (java).
I would like to have a SSO with minimum code: people can sign-in from one website and they don't need to sign-in for the other.
I thought to openid. But I don't want everybody having an openid to sign-in, so I have to provide my own openid server. Is it a good solution? Is there any better alternative?
I resolve the problem by using cookies: both websites are in the same domain. So I coded an external authentication plug-in for Joomla 3.0.
Hello I come back after more than 4 years.
In my new architecture, I use JWT now.
So instead of having juste a simple cookie, you can share jwt pass_phrase between servers and store generated jwt in a cookie or in a local_storage.
It's more secure and not dependant of OS/framework/language.
I want to use google/yahoo ids to be used to login to my website.
As its done in stackoverflow.
Can any one provide me a starting point.
That authentication method is called OpenID. You can get details at the open id website.
If your webiste uses PHP on the server, here's a resource to get you started with OpenID and PHP
UPDATE
Since I've posted this, the world of open federated authentication has evolved quite a bit. If you're interested in this you may wish to look up OAuth v2 online, or check out these links: www.oauth.net and the Google resources on OAuth2 available here.
OAuth builds upon the concepts of OpenID and it expands the functionality quite a bit, in particular in the areas of not just providing authentication but also providing authorization for applications using a centralized provider of the user's choice (i.e. Google, Facebook, Twitter or your own :) )
I have been using JanRain for the same thing. It is free and integrates with loads of different login providers, such as, Facebook, Twitter, Google, OpenId (generally), yahoo, msn, and many more.
There is code that lets you integrate it with almost any programming language/platform you want.
try this sample in CodeProject.
http://www.codeproject.com/KB/web-security/OpenIdFormsAuth.aspx
It worked fine with me.
The quick login/no registration of stackoverflow is one of its finest features. I'm just curious if there's an off-the-shelf solution for providing this service.
Has anybody seen anything?
It's called OpenID. Anybody can define an OpenID, and anybody can use any OpenID for authentication. Visit http://openid.net/ for details.
I consider to use OAuth for Single Sign-On (SSO) with RESTful services. At first sight to use OAuth as the de facto standard looked naturally to me. But I must confess that I don't understand how to use it for SSO. During studying OAuth I discovered more and more criticism of Authorization - so much that I tend to think OAuth has failed.
OAuth is hard to implement.
Usability is poor.
Why Facebook doesn't implement OAuth today:
"OAuth is more complex and less performant than our own native authentication mechanism"
"OAuth WRAP looks like it will solve most or all of these problems"
Bad performance because of two many requests and long URIs
"Library quality is overall pretty poor"
Possibly WRAP, powered by Microsoft, Yahoo and Google, is going to replace OAuth.
What's going on with OAuth (and WRAP)?
So has OAuth failed? What are the alternatives for SSO - preferably those with wide acceptance or the perspective to become widely used? Would you prefer WRAP?
OAuth isn't a SSO solution, it's a protocol commonly used for delegated API authorization. 3 legged OAuth allows a client requesting access to a protected resource to delegate authorization to the server hosting that resource. Basically, the user doesn't have to give their credentials to a 3rd party (the client), only to the server hosting the protected resource. OpenID may be a more appropriate solution if you are looking to implement single sign-on. You can also use OpenID OAuth extension which will allow you to combine authentication with authorization via OAuth.
Work is currently being done on OAuth 2.0. WRAP was developed as a stop-gap solution to address some use cases not covered by the original OAuth 1.0a spec. WRAP will not replace OAuth, rather ideas from WRAP will make their way into OAuth 2.0 where appropriate. A number of the original authors of OAuth, as well as one of the authors of WRAP have written about this here:
What's going on with OAuth?
So no, OAuth hasn't failed, in fact it's enjoyed pretty wide adoption. OAuth 1.0 will continue to be implemented by a large number of providers and eventually OAuth 2.0 will be available as well. WRAP is there for people who want to take advantage of the use cases it addresses now.
With regard to the difficulty of implementing OAuth as a client, why not try it out? The available libraries are of varying quality, but with a decent one you can usually implement an OAuth client in under a day.
I have been investigating OAuth to share resources in my site to other sites.
But, hole of OAuth specification was reported several days ago.
http://oauth.net/advisories/2009-1
Many sites decided to stop OAuth until fixed version is released.
Currently, can we have any alternative to OAuth?
I want an open-standard and secure authorization protocol.
OAuth was built because there weren't any existing standards that solved the same problem. A fixed OAuth spec is forthcoming soon. It will be a pretty small change to the existing protocol.
In the short term, your best bet is to fall back on basic authentication mechanisms (requiring users to enter their credentials into your site for the foreign site).
Like Jonathan said, the hole will be fixed soon in the spec.
Oz is a web authorization protocol based on industry best practices. Oz combines the Hawk authentication protocol with the Iron encryption protocol to provide a simple to use and secure solution for granting and authenticating third-party access to an API on behalf of a user or an application.
OZ github link
Oz builds on the well-understood concepts behind the OAuth protocol. While the terminology has been updated to reflect the common terms used today when building applications with third-party access, the overall architecture is the same.
There was a revised version of the OAuth 1.0 spec, but since this question was asked OAuth version 2.0 is getting stable, and would often be the reccomended protocol.
OAuth version 2.O is a bit complex protocol compared to its predecessor, but more secure. It is specially tailored to address the security concerns of enterprises. Currently Facebook and Google authentication flows are based on OAuth 2.0
Oauth has come up with new OAuth 2.0 standard which is much more secure than OAuth 1.0 and 1.0a.It scaps access token and access secret and introduced access token and refresh token.Access token in Oauth 2.0 is validate for certain timeframe,after that it is regenrated or refreshed using refresh token.