msal.js using Authorization Code Grant without secret - msal

The samples for msal.js are still using the implicit grant flow, which seems to be vulnerable and shouldn't be used anymore according to this document from the IETF.
My question is: is it possible to use the code grant flow with msal.js, and if yes, does someone maybe have a sample of how to implement it?

Please check this code sample. It shows how to implement the authorization code flow with a SPA:
https://github.com/Azure-Samples/ms-identity-javascript-v2

Related

Quarkus Security : Impersonate User

I am currently using Quarkus in combination with "quarkus-security-jpa" to realize a form-based authentication. No problems here so far. I now got another requirement to enable user impersonation in my app. For example, the admin can impersonate user A to get the same access rights and see the same data. In Spring I would use the SwitchUserFilter for this feature.
Now to my question. Does Quarkus have a similar function? And if yes, how can I use it? Does anybody have an idea how to realize this feature in Quarkus?
Best regards and thanks in advance

Implicit Auth Grant

I am working on a project in Spring Boot in which OAuth 2.0 is implemented with the password grant type. I want to change it to the "implicit" auth grant. But I have read in an article that it is not safe to use this strategy, as it passes the token along with the URL.
So should I change it to "implicit" or look for another grant type?
This is the link to the above-mentioned article.
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926
You should not use the implicit grant type, as it is also not recommended by OAuth.
Please refer to the draft of the security best practices provided by OAuth, which shows the problems with implicit.

Linking Auth0 and Parse Server users

I am writing an app that uses Parse Server, with Auth0 as the authentication provider. For unrelated reasons, we need to use Auth0 rather than Parse for user management.
I'm having trouble figuring out how to "link" a user authenticated via Auth0 to Objects in Parse Server. Without this, the authenticated user will not have permission to write to his/her Objects on the Parse Server. I believe my issue is similar to this question, which has no solution: here.
I have found many articles discussing the migration of users from Parse to Auth0, but am finding surprisingly little documentation on how to link those users to Parse. There is one article (I believe written by the same person who posted the question I linked to), but I couldn't get it to work, and it involves storing passwords in cleartext in JavaScript.
I thought to create a default Parse user that would simply own all the objects in Parse. This would be invisible to the authenticated end-user so they wouldn't know, but that's just security by obscurity and doesn't seem like a good approach.
If anyone has suggestions on how to approach this, or has done it before, I'm interested to read your suggestions. Thank you very much.
Auth0 supports the most common and used authentication protocols (OAuth2/OIDC, SAML and WS-Federation) so configuring an application to rely on Auth0 is really easy when that application already talks one of the previously mentioned protocols.
According to the Parse Server Wiki, it does support custom authentication leveraging OAuth so that seems your best starting point for integrating Auth0 with a Parse Server based application.
It is possible to leverage the OAuth support with any 3rd party authentication that you bring in.
Disclaimer: I never used the Parse service or Parse Server, so I'm assuming that when you talk about linking Parse objects to users, this can be accomplished by simply having an authenticated user in Parse whose identity is verified and proven by Auth0 instead of something like built-in usernames/passwords managed by Parse itself.

SAML 2.0 TO OAUTH

I am using an IdP which supports both OAuth and SAML.
USER ---->SP--Oauth-->IDP--Oauth-->google(oauth2)
The above flow is working fine, where I am logging in to the system from Google.
Now what I want to achieve is:
User ------>SP----oauth--->IDP---SAML--->Another IDP
Now my question is:
Is that possible? If yes, please provide me some guidelines on how to achieve that.
How can I achieve the same thing with an IdP-initiated flow?
Thanks in advance
You can use it the other way around, like below. It is named the SAML2 Bearer assertion profile; you can find more details here [1].
User---->SP----SAML2Bearer--->IDP---Oauth--->Federated IDP
[1] http://xacmlinfo.org/2014/10/31/saml2-bearer-assertion-profile-for-oauth-2-0/

oAuth Access Token

Hello, I am new to OAuth and I created a REST connection to Magento with this example:
http://devdocs.magento.com/guides/m1x/api/rest/introduction.html
The PHP script is working and I can connect to Magento. But I have to enter the admin credentials, and after that I have to click the Authorize button.
Now my "magento rest project" is triggered by a database. So I was searching for the last hours for how I get the access token without really clicking on the button. Is there something like that for the CLI, or is it even possible?
Thank you very much for helping me to understand it.
Cheers, Pat
It would be possible if they supported the client credentials grant, or kind of possible if they supported refresh tokens. Unfortunately, they don't support either.
For the authorization code grant that you are implementing, an authorization decision is made by asking the user if they are willing to allow your client to access their data (to protect the user's privacy). This is mentioned in the Magento docs as well.
The built-in Magento REST API functionality doesn't support grant types other than the authorization code grant.
I managed to use a customized OAuth2 library (https://bshaffer.github.io) (customizing the class so that it's compatible with the Zend Framework that Magento is based on). It will let you choose your own grant type (in your case, the Client Credentials Grant).
The downside is that I had to re-create all the REST API endpoints. The upside is that it's not that hard, at least not harder than creating a custom endpoint using Magento's built in REST API functionality.
