I am working on OneLogin SAML, I am getting an encrypted response from onelogin, I am able to decrypt it from https://www.samltool.com/attributes.php, I am getting proper data in an array, but how to do that programmatically ? can anyone please help me how to do that?
You can refer the OneLogin’s SAML PHP Toolkit , Or you can use Laravel-onelogin package for allowing onelogin to provide authentication and users to your application.
If you are looking specifically for decryption. The below link has all encryption and decryption methods
https://github.com/onelogin/php-saml/blob/master/extlib/xmlseclibs/xmlseclibs.php
Related
I'm trying to implement Spring OAuth2 in my Spring REST application. What I have already achieved:
Generate a token while logging in.
Store this token on the client side, use it for every request I do from UI.
What I want to achieve:
1. Encrypt the token stored on the client side & send this encrypted token instead of sending the actual token.
Are there any services available in the Spring OAuth2 project to achieve this?
Any ideas/suggestions?
Thanks
As I know oauth2 servers and clients usually run in SSH channels, if you use SSH there is no need to encrypt theme.
Secondly access_token is stored in a cookie on client side. if you want to encrypt it you must consider which your oauth2 server should be able to decrypt it too!
Thirdly your scenario is already have been implemented by JWT!
take a look at :
https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2
I know this question asked many times but I did not get answer that I required.
I want link that can help me to create a spring security framework, In which I donot whant login form validation.
It should be done by login RestAPI. I just hit url like-
http://localhost:8080/login
post request containing username and password and it return json response with sucess or failure status
if sucess I would be able to hit secure API Requests.
I am using spring and spring security since 1 and half year with spring security to develop rest API I use below technique for user authentication
Follow below steps
Allow to access http:// localhost:8080/login for all user
User will pass username and password in body
Authenticate user with database entry
create access token and send back to response
using this access token user with interact with secure API.
I will provide source code if you need.
I suggest you to try with Basic Authentication. I believe Rest services are mutual contract between the consumer and provider, so re design your service to access the basic auth header. Your client need to pass the base64 encoded value of username:password, Your service should get the header value and decode you will get the original data back, Check against your backend storage (Ldap or DB).
More about basic authentication . BasicAuthentication
I’m trying to get my head around how I would introduce token-based (key-based?) authentication to a web API (currently looking at Sinatra, but maybe Rails too) that would be used by a mobile client and how OAuth would fit into the picture.
So, let’s say I want to create a web service that uses Facebook for authentication and grabbing basic user data. Here, my API would be a client to Facebook’s OAuth Server, requesting an access token upon a user’s successful login to Facebook. This would then grant me access to the user’s data which I would use to create an entry in my database, storing this user-specific token with any other application information I would like linked to them.
I think I got that part right so far, but here’s where I’m a bit confused.
I think that my API would also need some form of API key to grant access to a mobile user, since I wouldn’t want to transmit and store the Facebook key on their device. Would I have to have a separate store of keys which I provide to the client to access my service? Are there any ‘best practice’ ways of doing this?
Would I have to have a separate store of keys which I provide to the client to access my service?
yes.
Are there any ‘best practice’ ways of doing this?
The simplest way would be to generate a separate authentication token on every User creation and expose that to the mobile client. Then send it with every subsequent request header.
Devise provides a simple example how to achieve that. You don't need devise for that, just provide some token generation mechanism.
#Devise.friendly_token
def self.friendly_token
SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
end
This mechanism can be extended to provide more security in following ways
Being an oauth2 provider itself.
On successfull login with facebook, you would generate an :authorization_code which the client can exchange for your own Oauth2 Bearer or MAC token within a next step. Then you can send your own Oauth2 token with every request for user authentication.
See rack-oauth2
Implement HMAC token encryption.
Generate and expose a secret_key to every client after singning in. Use this secret to sign messages along with a unique client id. The server can then lookup the secret_key for the specific client_id and verify the message.
See api-auth
Does anyone know how to verify the signature part of a decrypted LTPA token?
I have the keys exported from my WPE8 server, and properly decoded the LTPA token so I see the user data, expiration and signature.
Unfortunately the LTPA token format is an IBM standard. As you probably have noticed there are a few examples on how to decrypt the token (but none of the ones I've seen include verifying the signature) but even that is not very safe as it is an IBM standard and they have not yet published any public APIs to use the LTPA at all.
I did a lot of work trying to achieve SSO between the WP server we had and other non-WebSphere servers and we found that the easiest was to create our own token in Login Filters.
We want Socialite (web-application name) user data to upload on IBM-Connections per user active stream.
It requires proper OAuth mechanism. To achieve this, we are working on OAuth to get OAuth Token and OAuth Secrete per IBM Connections user wise.
We created the AppID, Appkey and AppSecrete with the help of commands mention in IBM documents. http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.0+documentation#action=openDocument&res_title=Registering_an_OAuth_client_with_a_provider_ic40&content=pdcontent
Now we need requestTokenURL, authorizationURL, accessTokenURL to get the access token and access secret per IBM Connection user wise.
Please advise me.
The authorization URL should be
https://:/oauth2/endpoint/connectionsProvider/authorize
The access token URL should be
https://:/oauth2/endpoint/connectionsProvider/token
oAuth2.0 does't have the requestToken anymore. There are only to token uri's
for our test connections environment the endpoint are
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/authorize
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/token
More details you can find here, it's about smartcloud but you can find some good information
http://www-10.lotus.com/ldd/appdevwiki.nsf/xpViewTags.xsp?categoryFilter=OAuth%202.0