We would like to choose ,which would be better for OAUTh/OIDC implementation to choose for the given below requirements
Our Solutions Channels include
Client App [ SPA's , Mobile App] - UI Login Wizard with Multifactor [Password , biometric]
Partner API integration[ SYStem]
We tried keycloak standalone, but it needs more customisation as per UI/Login wizard.
OUR UX for login has pre-Login contents , Multifactor authentication [ biometric's external] and doesnt come out of box in keycloak.
**Keycloak Standalone **
Heavy Customisation of Ui
Custom Flow Define and Custom authenticators has to be packed
Support for step up is to be custom built
If we go for bespoke development ,but which one is best springsecurity authorization server [ new one] or to MITRE
option 1 - SPring Security Auth server
how to implement Multifactor authentication of Authentication provider
Step -Up Authentication
option 2 MITRE OPEN ID COnnect
Mobile App- we would like to go for the password grant flow [eventhough it is going to be deprecated, as in react-native, we were unable to implement formiddable-react native library for the Biometric or complex login wizards.
To summarize
OIDC Implementation which supports easy UI Customisation, MFA for both Mobile and SPA is what needed.
Kindly advise
Related
I set up a Spring Boot project using https://start.spring.io including Spring Security and Vaadin. Then I set the Vaadin version to 22.0.4 and followed this tutorial to set up a login page using Vaadin Flow and Spring Security: https://vaadin.com/docs/v22/flow/tutorial/login-and-authentication
This works perfectly and checks login attempts against an InMemoryUserDetailsManager having a dummy user. As you can see in the tutorial, this is configured in the WebSecurity class, which extends VaadinWebSecurityConfigurerAdapter.
Now, I want to authenticate against Firebase users with email address and password instead. Therefore, I set up a Firebase project and added a user. I first thought, that the login can be done using the Firebase Admin SDK, but now I think this is not possible.
How can I authenticate Firebase users with email address and password in my Spring Boot application using Vaadin Flow as a frontend framework?
Firebase has two types of SDKs:
Its regular SDKs are designed to be used in client-side, untrusted environments, such as web front-ends, Android apps, or iOS apps.
Its Admin SDKs are designed to be used in (typically server-side), trusted environments, such as your development machine, a server that you control, or Cloud Functions/Cloud Run.
Only the regular, client-side SDKs have methods to sign the user in. For the Admin SDKs this is not needed, since they already run in a trusted environment and this establish their credentials in some other way (typically through a credentials file that you download from the Firebase/Cloud console).
So there's no way to sign in to Firebase on your server-side code. This also would not make a lot of sense, because a lot of users will likely be accessing the server at once, so who is the current user?
Instead, in Firebase you typically sign the use in client-side through one of the regular SDKs, and then (if needed) you pass the ID token to the server, where your code (through an Admin SDK if available) can decode that ID token and determine what user is making the request.
You can mint your own ID token in the Admin SDK, but the flow remains the same there and you typically use this to implement a custom sign-in provider.
I have a mobile app which gets token directly from azure login. And I have a service which is using adal4j in spring boot. I cannot use the mobile generated token to authenticate spring service. Becase I use two different azure app registrations for mobile and web service. Is there a way to accomplish this ?
My understanding is that you have created 2 Enterprise Applications in Azure.
1) An Enterprise Application for your mobile app (Type: Native)
2) An Enterprise Application for your Web API app (Type: WebAPI)
For native app, you will not need a client secret but you will need a client secret for the Web API app.
Now coming to the key configurations:
In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true
Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps
"knownClientApplications": ["
Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property
"groupMembershipClaims": "SecurityGroup"
Update:
Under permissions in the native app, please add the Web API app registration to allow access
Yes, the OAuth 2.0 on-behalf-of flow should applies to your scenario. These steps constitute the On-Behalf-Of flow.
Azure AD issues a token for certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. The result would have a token that can only be used for the supplied resource (id). There are ways where you could use the same token , but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access-Tokens for multiple resources using a refresh token. This means once a user is authenticated, the ADAL’s authentication context, would be able to generate an access-token to multiple resources without authenticating the user again.
Further details here.
I'd like to validate the following scenario:
ADFS (win2016) is acting as an Identity Provider in a setup where
a single mobile app is consuming 2 api's
api.contoso.be
otherresource.contoso.be
These three applications are grouped together in a ADFS Application Group:
mobile app as a "Native application"
api.contoso.be and otherresource.contoso.be as "Web API" applications
The mobile app gets an access token when authenticating succesfully against ADFS.
The access token is provided with een aud-claim for "api.contoso.be".
Problem: I'm currently unable to reuse that same access token to access the second api "otherresource.contoso.be".
Question: at this point I'm not 100% sure that ADFS ApplicationGroups are meant to support such a scenario.
If so, I'm probably overlooking something in the ADFS-configuration.
If not, what's a better ADFS setup to support this scenario?
I want to integrate Keycloak authentication into a Play2 project. Here is what I did until this point:
I downloaded Keycloak: keycloak-1.6.1.Final.zip, unpacked, run it and set up by creating a test realm and some roles
I downloaded, configured and run the example js-console (https://github.com/keycloak/keycloak/tree/master/examples/js-console)
I was able to create a user and to log in with the js-console. The user show up in the keycloak admin as expected
Now I would like to protect my backend also, which is a Play2 project with maven build (using the play2-maven-plugin: https://code.google.com/p/play2-maven-plugin/)
The backend publishes a REST API, and these calls need to be available only for authenticated users posessing several roles.
Until this point I was unable to find a solution to do this. I came across Deadbolt, which can declaratively express the restrictions that need to be applied to the users and the roles, but I was unable to find an adapter for keycloak to use with Play2.
Is there anybody who did something similar? I guess a solution would be to create a custom adapter, by configuring and then calling the core Keycloak methods.
Does anybody have some thoughts on creating this "Keycloak Standalone Adapter"?
These 2 Blog Entries helped me:
User Authentication with Keycloak
KeyCloak with akka-http
https://blog.scalac.io/user-authentication-with-keycloak-part1.html
https://blog.scalac.io/user-authentication-with-keycloak-part2.html
Build and Secure APIs with Scala and the Play Framework
Auth0 with play framework
https://auth0.com/blog/build-and-secure-a-scala-play-framework-api/
It depends on which authentication mechanism you want to use (openid-connect or SAML). For the application I was working on we chose openid-connect. At the moment, the only play2 library which supported the protocol was https://github.com/pac4j/play-pac4j. The tricky part was figuring out the way keycloak was encoding the information in the token it sent back to the play server. It does it by doing Base64 encoding. We translated the algorithm from the keycloak-js-adapter to extract the user information.
After that, we can use Security trait or create a custom request wrapper which will contain the authorized user information.
I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.