There is need to send from my SP to IdP SAML AthnRequest over HTTP-POST and HTTP-Redirect is not allowed.
Good package is aacotroneo/laravel-saml2 but it does not support HTTP-POST.
simplesamlphp/simplesamlphp is popular but it is a mess to use.
What library to use for proper SAML integration in Laravel that supports HTTP-POST requests to IdP?
With some effort you should be able to modify https://github.com/aacotroneo/laravel-saml2 to send AuthNRequest using HTTP-POST.
Instead use directly the login method of php-saml that you can find here
https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Auth.php#L428
you can execute the code described there and do a POST instead of a GET, if you need to support signature, you will need to embed it.
The alternatives is https://github.com/KnightSwarm/laravel-saml
https://packalyst.com/packages/package/aherstein/laravel-saml2-post is the library that has been forked from aacotroneo/laravel-saml2 and modified to send POST requests.
Related
How does one add or implement NTLMv1 Authentication in Quarkus? I need it so that I can use the quarkus rest client to read and write to Sharepoint folders using their Rest APIs.
See https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service?tabs=csom
Basically need to be able to authenticate and get the form digest value which expires every x seconds. After which I can include that in the header of the requests.
I don't think there is an out of the box solution.
If I understand the problem correctly, the easiest way to implement this is probably either using #ClientHeaderParam or ClientRequestFilter, that you register on your client with #Register(MyFilter.class).
Either way, you need to write some code to obtain the token and refresh it when it expires yourself.
I'm developing backend for oauth2 client. I'm using authorization_grant flow with PKCE extension. I'm trying to implement it in such way that code verifier and code challenge is generated on clients side. So i have to add additional parameters to my token request (the second request, when input is authorization code and my application exchange it for access token).
My app will have to take this code_verifier from request param and pass it to authorization server with authorization code, client id, and client secret.
So now I'm struggling with customizing spring-security-oauth2-client to add additional parameter. There is way to add such parameters to authorization request by implementing OAuth2AuthorizationRequestResolver, but is there analogical way for adding parameters to token request?
Or maybe should i implement this endpoint manually?
I feel your pain, since Spring OAuth Security is often poorly documented for common use cases. One option you might consider is to provide a custom Spring filter that uses the open source nimbusds libraries, which have very good documentation and are easy to use.
I've seen a lot of posts recommending using Xamarin.Auth for SSO in Xamarin, but having reviewed a tutorial as well as the GitHub Getting Started wiki (in which says it supports "Authorization Code Flow", but seems to require a secret key from the client to get the auth code, which is not what I'm looking for) and searched the web fruitlessly for "Xamarin.Auth implicit flow", and "Xamarin.Auth authorization code flow", it appears to me that Xamarin Auth supports only Implicit flow, which is less secure than an Authorization Code flow for a native app that is connected to a backend web server application as mine is. Am I correct in understanding that Xamarin.Auth can only support an implicit flow (requiring that the access token be sent to the client, and a client_secret can't be retained server-side and sent server-side as part of the retrieval of the access token), and not an authorization code flow (in which the client would receive only an authorization code, which it would then send to the server, which then would retrieve the access token using a client-secret and possibly a PKCE exchange)?
Furthermore, even flows with other libraries I've seen recommended seem to retrieve the access token to the client - AppAuth supports PKCE, which is a security improvement vs no PKCE, but the posts I see showing examples of it here and here and here still all retrieve the access token on the client. Auth0 is also recommended in some posts I've seen (e.g. here), but the example I see for that here also retrieves the access token on the client.
Is there a reason why sites are not doing this? Is there a sample or API documentation anyone can point me to for a library that does support retrieving only an authorization code client-side in a Xamarin application? (and then separately, server-side, using that to retrieve the access token using a client-secret, not necessarily with the same security library since that would not need to be Xamarin code - this server-side part I feel confident is a pretty standard thing - e.g. as outlined for Auth0 here)?
Xamarin.Auth do support Authorization Code Flow. As you find in the tutorial, Xamarin.Auth's OAuth2Authenticator class has a parameters called 'Client Secret', together with other provided parameters, Xamarin.Auth is capable of handling the Authorization Code exchange part and return the access token directly back to you, it looks like this part didn't happen, but actually it did.
Digging into OAuth2Authenticator source code, method VerifyOAuth2FlowResponseType shows Xamarin.Auth provides both Authorization Code Flow and implicit flow. For more detailed information, you may read the code together with The OAuth 2.0 Authorization Framework
And here is an example for Authorization Code Flow from client side.
I am making a VueJS app with a Laravel backend. I see Laravel has Passport which is used to authenticate/authorize APIs. (Sincerely I have not yet succeeded in integrating Passport. I have not understood where the starting point is. Will post that question separately).
I have done a lot of searching and still have not found the best/easiest way of doing authentication and authorization, and also interface control depending on permission. (I know "best" is subjective but basically means a method that is easy to integrate, understand and use).
Anyone who has been there and used one that worked really well?
I generally use JSON Web Tokens for my web and mobile apps. It's simpler to set up than Oauth and is a better fit for many applications.
Basically, the user sends a POST request containing their authentication details to the appropriate endpoint and receives a token in response. The user can then include that token in the Authorization header of future requests to authenticate them.
The token also includes a timestamp for when it expires, and it can be decoded on the client side so that an application can refresh the token before it expires.
There's an excellent implementation of JWT for Laravel which I use all the time and can highly recommend. There are also client-side libraries for handling JWT with pretty much every framework under the sun.
#MatthewDaly, I followed your recommendation and I stumbled on a VueJs-Laravel JWT implementation here: http://jimfrenette.com/2016/11/laravel-vuejs2-jwt-auth/
I followed through the Tutorial and was able to make it work for my case. (Caveat: The post is slightly old (using Laravel 5.2), but with good understanding of Vue and Laravel, you can be able to follow and implement it easily).
I want to set the Authorization header in my websocket request to send a token.
I have found no native ways to do so (I settled for passing a token in the query parameters). I see that socket.io provides this functionality (altough I have not tryed it) and I'm wondering how it works under the hood
As a work around I use express-session, with express-socket.io-session (https://www.npmjs.com/package/express-socket.io-session)
This way I found it is easy to set an identifier when a user logs in.
p.s. all the methods in express-session docs, are available to you in express-socket.io-session.