OpenID on Community Server - ssl

Okay, I've asked on the Community Server Forums and was totally ignored. So I'll ask here. The OpenID provider (presumably janrain) for CommunityServer does not work with an SSL OpenID endpoint. I really don't know of a non-SSL OpenID endpoint and even if I did... I'm not sure if I'd want to use it.
I have a Community Server installation and all of my users are complaining that the signup/login form appears to support OpenID but doesn't in reality. Has anyone encountered this issue and addressed it?
Thanks in advance.

CS currently uses an old version of Janrain's C# library. I think the next version is expected to use dotnetopenid. But even in its current release I would expect it to work just fine with SSL OP endpoints. If it didn't, then no OpenIDs from myopenid.com would work for logging into CS and I would expect the CS guys would have noticed that.
However, if specific endpoints are broken, it may be a sign of another problem. If you can give specific OpenID endpoints that are not working then please send an email to dotnetopenid#googlegroups.com and I'll be happy to investigate it further.
There's a test OP Endpoint that is non-SSL that you can try out to see if it works by logging into your CS with this: http://nerdbank.org/opaffirmative/affirmativeidentity.aspx (yes, that's actually a valid OpenID you can log in with without using a password).

Keycloak, PKCE and external IDP

I have a requirement where I need to federate to an IDP. I have never had issues in the past and in this instance, I have an issue because the third party/external IDP has PKCE enabled and enforced.
Is there a way to federate to an IDP which has PKCE enabled? Basically, in other words, I should be able to forward/send code_challenge and code_challenge_method to the external IDP. I can enable PKCE on my IDP without any issues and forward the same headers to the external IDP if required, but I don't see a way to do it. I tried to configure the "Forwarded Query Parameters" field on the Identity Provider Configuration as well, but to no avail.
However, I came across this ticket https://issues.redhat.com/browse/KEYCLOAK-9809 where it is said that this is not supported since it's only supported for public clients - so is it still the case?
In addition to this, if this is not supported, what is the recommended way to get around this? I mean I could ask the external IDP folks to change their configurations but I'd like to know the recommended way before proposing a way out.
Thanks a lot.
The issue is apparently resolved on ticket - https://github.com/keycloak/keycloak/pull/7381
According to this ticket - the issue is resolved in version 13.0.0. Unfortunately, I have moved away from this project - so if someone can confirm that this works with 13.0.0 - I can mark this as the answer and close off the post.
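For readers checking what "PKCE enabled and enforced" on the external IDP actually requires of the brokering side, here is an added example (not Keycloak's code, and not from the original post) that shows both halves of RFC 7636: the broker generating a code_verifier, deriving the S256 code_challenge it must forward with code_challenge_method, and the enforcing IDP's check at the token endpoint, which rejects an authorization request that carried no challenge. The endpoint URL and client values are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hypothetical external IDP authorization endpoint (assumption, not from the page).
AUTHORIZE_URL = "https://external-idp.example/authorize"


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_request(client_id: str, redirect_uri: str, verifier: str) -> str:
    """What a brokering IDP has to send onward: the challenge and its method,
    while keeping the verifier itself in its own session state."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def idp_verify_pkce(stored_challenge, stored_method, presented_verifier: str) -> bool:
    """Enforcing IDP's token-endpoint check. The challenge and method were stored
    alongside the issued authorization code; a request without them fails."""
    if stored_challenge is None or stored_method is None:
        return False  # PKCE enforced: the authorization request carried no challenge
    if stored_method == "S256":
        expected = s256_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False  # unknown transform method
    return secrets.compare_digest(expected, stored_challenge)
```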

SSO for web application hosted on S3

I have been scratching my head for a while now. Went through tons of documentation but everything seems very confusing. Please forgive me if it appears to be a duplicate question, but believe me, the more content I find, the more it's confusing me.
Below is the configuration of my project and what I need to achieve:
The project is a web based application developed using Spring framework with Java 8 that is hosted on S3 (Linux server). The HTTP server used is Apache. JBoss is used as an application server and the exact version used is wildfly-8.2.0.Final.
Currently, the user enters his credentials which are validated against Microsoft Active Directory using LDAP and is let in. The requirement now is that when the user logs into the machine using his AD credentials in his intranet environment, and he tries to open the application, he should directly log in and not be prompted for credentials again. If he is outside his intranet network, the existing login method should be followed.
While researching I found the below things I assume can be useful, but I am not able to reach a conclusion.
Kerberos along with Shibboleth: I went through the below two references which somewhat matched my requirement, but I am not very sure whether I am looking at the right thing or not.
http://richardjohnson798.blogspot.in/2011/10/single-sign-on.html
http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf
My confusion revolves around the below things.
Is Shibboleth the right choice? If yes, what is the exact role of Shibboleth?
What things need to be set up on the Linux server (Kerberos implementation for example), and what changes would be needed in the client's AD environment?
Is the implementation possible on the Wildfly server? (All the references have the thing implemented using Tomcat.)
What are the security aspects I should be concerned about?
Help is much appreciated. Thank you.
Since you are using S3 I assume you are using AWS.
Go to IAM and add the Active Directory as a SAML provider
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Then use AWS Cognito Federated Identity Pool via the JavaScript SDK in the front end code you have hosted on S3.
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

hide smtp credentials from developers

We are bringing on a new temporary developer to help out with a project and I've been asked about installing libraries to store the SMTP login credentials to our dontreply#xyz.com email so that the developer can set up web forms without access to the credentials, as otherwise this would require us to change the credentials for all our forms after the developer finishes her contract.
I've searched and found nothing, the closest thing was someone stating that you should create a company account instead of using personal account on this post: PHPMailer Hide SMTP Authentication?
Can anyone help me with this or point me in the right direction at least?
Thanks
Like that question says, there's not much you can do to prevent the dev getting hold of the credentials. Even OAuth won't help. This isn't a PHPMailer question, or even a PHP question really - it's about configuration management, and the same problems occur in pretty much all languages.
It may be solvable at a different level though. One option might be to wall off direct access using a mail proxy / relay. Configure a nearby/local mail server that you can submit to freely, and have that deal with real outbound, including relaying through your mail account. That way the developer can send through your chosen server without needing any direct access at all. It might make their life a little more difficult, but it solves your main problem.

SSO and ServletRequest.login() and ServletRequest.logout() not working in Glassfish 3.1

// I'll try to improve the question a bit to see if I can get help.
We have a set of applications in our Glassfish server, and we'd like to use SSO across them. So, we came up with an "authentication" web application, which simply contains the form to authenticate users. The user is then routed by this application to whichever application he wants to access.
The problem is that, when using the FORM authentication method and the programmatic login through ServletRequest.login(), the SSO cookie is not created. Only through BASIC authentication or through j_security_check we are able to see the SSO session cookie being created.
Similarly, the ServletRequest.logout() method is also unable to log the user off the SSO session, leading to nasty security bugs.
I'd like to know whether the approach using programmatic login/logout and SSO does not work at all (and thus, we're doing it wrong); or, if we're missing something altogether about SSO and security in Glassfish.
Guess I've found the reason: http://java.net/jira/browse/GLASSFISH-18356
The bug is open, likely to make it into the new version... but voting it up would help make it happen. If you came across this question with the same problem, please help by voting for it!

How to approach multi-site authentication

We have a SaaS product that is branded for each of our clients along with their own domain. We're in the design phase of building an API that would allow third parties to create widgets or completely different websites for our clients. One of the first and hardest challenges is getting authentication right.
I'm not fully versed in how the Stack Exchange sites handle it but at first glance it seems like a similar scenario. Each site has their own accounts and authentication yet somehow they're linked together. When I log in to stackoverflow.com and then visit serverfault.com it automatically logs me in. Does anyone have any specifics on how they've implemented this?
A couple of things we're considering:
Do we make each account a "Stack Exchange" level account and then authorize each tenant and each application?
Do we let each tenant be their own OAuth provider and then just have the user authorize each application?
How could we handle auto-login like stack exchange does?
Again, we're still early in the process and want to get it right out of the gates. Any suggestions and best practices would be appreciated.
Though your question is quite old, it is still without an answer.
Here's information on how StackExchange multi-site authentication works (technical mostly):
https://meta.stackexchange.com/questions/64260/how-does-sos-new-auto-login-feature-work
And here's a blog post announcing it:
https://blog.stackoverflow.com/2010/09/global-network-auto-login/
Hope you find your answers. If you have already resolved your issue, please share your approach with us.