I'm new to Spring Boot and I want to integrate an OpenID provider into our application. I have searched a lot about it but didn't find any suitable article from which I can start.
Problem statement:
Once a user hits our website's URL (e.g. www.abc.com), the user should be redirected to the OpenID provider's server (login page), where the user enters a username and password or registers him/herself.
After successful authentication, the user is then given access to our application, where the application needs to retrieve some information about the user (basically a data exchange between the OpenID provider and the application).
How is the key exchanged to generate a shared secret key?
I have the endpoint of the OpenID provider and the service discovery endpoint.
Would someone help me out with this?
I'm working on a web application that uses OpenID authentication. Let's assume that the application essentially serves to store metadata and its associated files (docx, pdf). The Web Application is for internal use and is not exposed to a public network; only users of the organization have access.
Recently, a requirement has arisen to be able to share files with users external to the organization. External users will use a PORTAL (third-party application) which, through a URL generated by the Web Application that points to the PORTAL, will have access to the file. This PORTAL uses OpenId authentication and invokes a Web Application API to retrieve the file.
Initially, the proposed solution was:
Web Application: send an EMAIL to the external user and create a user in Keycloak with that email to authenticate later on the PORTAL (Is this really necessary?! Biggest doubt).
The external user accesses the PORTAL with the URL received and authenticates with the user created by the Web Application in Keycloak.
Once authenticated on the PORTAL, a Web Application API is invoked to obtain the file.
The main question is whether the Web Application should manage the creation/editing/deleting of external users on Keycloak. Does the Web Application need to create users in Keycloak? Is there another way to accomplish this without compromising security?
Thanks in advance.
To share a file with restricted access, there are two approaches:
Open access with signed links: Create a signed URL using a web API and share it with external users. The link can be a static URL with an encrypted key, or a JWT signed token in base64 form generated by the web API. When the portal receives a request, it checks the validity of the token, retrieves the file location from the token, and allows access.
Email-restricted access: If you want to guarantee access only to the person with email xxx@abc.com, you'll need to use a challenge, which is typically a login. You can either create users on the fly after login (if the external users come from a partner with OIDC capability), or pre-create the users if this is not the case.
Note: You cannot rely solely on a URL with an email claim as proof of access, as the link may have been forwarded to someone else.
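The first approach in the answer above, signed links, as an added example that is not part of the original answer: the web application issues a URL whose token names the file and an expiry, signed with HMAC-SHA256 under a server-side secret, and the portal verifies the signature with a constant-time comparison before honouring the link. The portal base URL, the secret value and the query parameter names are assumptions chosen for the example.

```python
"""Signed, expiring download links (added example; not from the original answer).

Assumptions (not from the page): the web application holds SECRET_KEY server-side,
and the PORTAL calls verify_link() on every incoming download URL.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = b"constructed-example-secret-do-not-reuse"  # constructed; load from a secret store in practice
PORTAL_BASE = "https://portal.example/download"          # hypothetical portal endpoint


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(token: str) -> str:
    # HMAC over the encoded token; the key never leaves the server.
    return _b64url(hmac.new(SECRET_KEY, token.encode("ascii"), hashlib.sha256).digest())


def make_signed_link(file_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build a portal URL carrying the file id and expiry (t=) plus its signature (s=)."""
    issued = int(time.time()) if now is None else now
    payload = json.dumps({"file": file_id, "exp": issued + ttl_seconds},
                         separators=(",", ":")).encode("utf-8")
    token = _b64url(payload)
    return f"{PORTAL_BASE}?{urlencode({'t': token, 's': _sign(token)})}"


def verify_link(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the file id if the link is authentic and unexpired, otherwise None.

    Checks are ordered so that nothing in the token is trusted before the
    signature has been verified.
    """
    query = parse_qs(urlsplit(url).query)
    token = query.get("t", [None])[0]
    sig = query.get("s", [None])[0]
    if not token or not sig:
        return None
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(_sign(token), sig):
        return None
    try:
        claims = json.loads(_b64url_decode(token))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    current = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= current:
        return None  # expired links are rejected even though the signature is valid
    file_id = claims.get("file")
    return file_id if isinstance(file_id, str) else None


if __name__ == "__main__":
    link = make_signed_link("doc-42", ttl_seconds=600)
    print(link)
    print("verified file:", verify_link(link))
```

The expiry lives inside the signed token, so a recipient cannot extend it, and a token copied from one link and paired with another link's signature fails verification. As the answer notes, this proves only that the holder has the link, not who the holder is; an email claim in the token would not change that.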
I am creating a web application with Spring Boot and JSF, and my intention is to create courses in Google Classroom from my application.
I followed Google's example to authenticate myself via OAuth: https://url.miapp.io/oS2mx
I implemented the ClassroomQuickstart class from the example, but when I use the getService() method in my web application, it prints in the embedded Tomcat console (Spring Boot) a Google URL for me to authenticate myself from a browser, and only then can I continue with the flow of my code.
In other words, authentication works in interactive mode, waiting for me to authenticate from the browser so the application can continue its execution flow. I don't know what I should do so that I don't have to authenticate myself in this way; I don't know if it's the code that implements it this way or whether it has to do with the configuration in the Google developer console.
3-legged OAuth:
You are currently following a 3-legged OAuth process, in which there are three parties involved: (#1) end-user, (#2) application and (#3) authorization server. In this OAuth flow, users need to give explicit consent to the application through the browser via a consent screen.
2-legged OAuth:
Since you want to avoid that, you should use a service account to access this application, so that users are not directly involved and user consent is not required. This workflow is usually called 2-legged OAuth (only the application and the authorization server are involved). See Using OAuth 2.0 for Server to Server Applications for a more in-depth explanation.
Since you don't want the service account to run the application by itself, but to act on behalf of other accounts in the domain, you should grant it domain-wide authority so that it can impersonate other accounts in the domain.
Workflow:
To achieve this, you have to follow these steps:
Create a service account by following this guide.
Delegate domain-wide authority to the service account (you have to be a domain administrator to do this): this step authorizes the service account to access data on behalf of any user in the domain. Follow the steps indicated here.
Once you have delegated domain-wide authority, you have to modify the code related to the building of the OAuth credentials. Use, for example, the code sample provided in this answer:
import java.io.File;
import java.util.Collections;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.classroom.ClassroomScopes;

// HTTP_TRANSPORT and JSON_FACTORY are the transport and JSON factory constants
// already defined in the quickstart class.
GoogleCredential credential = new GoogleCredential.Builder()
        .setTransport(HTTP_TRANSPORT)
        .setJsonFactory(JSON_FACTORY)
        .setServiceAccountId("service-account@email-address") // Service account email
        .setServiceAccountPrivateKeyFromP12File(new File("your-credentials.p12"))
        .setServiceAccountScopes(Collections.singleton(ClassroomScopes.CLASSROOM_COURSES))
        .setServiceAccountUser("user@email-address") // Address of the user you want to impersonate
        .build();
In this case, user@email-address refers to the account on behalf of which the course should be created. In other words, it will be the account that the service account should impersonate. Regarding the P12 file, it should be downloaded from the Cloud Console, as explained here. This can be done with a JSON file instead of P12 (see here).
Reference:
Using OAuth 2.0 for Server to Server Applications
I have 2 applications; the old application is using OAuth2 to access the Google Analytics API. All current users have granted access to an email from my domain.
The second application is using credentials with Service account authentication.
The problem is that the email for the Service account keys is using a different domain:
"client_email": "xxx-service@xxx.iam.gserviceaccount.com",
I need it to use my old email from my domain that already has permissions from clients.
How can I do that? I already downloaded the JSON file for the Service account keys.
There is a difference between OAuth2 and service accounts.
Let's start with the old app using OAuth2. When a user starts using the application, they are shown the authentication form, which asks them to grant application X access to their data. Assuming they accept it, application X can now read their data. Application X is given a refresh token, which can be used to access the data at a later date.
In the background, the developer of Application X registered their application in the Google Developer console and was given a client id and client secret. When the user authenticated to the application, the refresh token was created using that client id and client secret. You cannot take a different client id and client secret and use them with the refresh token from another application; they are not interchangeable.
Service accounts are different in that they are preauthorized. If you take the service account email address you have and add it as a user in the admin section of the Google Analytics website, the service account will have access to read the information just like any other user.
Clarifications / answers.
You cannot pick the service account email address; these are generated by Google.
You can't use a service account to access data granted to an application through OAuth2; they are not interchangeable.
If you have access to the users' data using OAuth2, you should be using your refresh tokens to access their data; you do not need a service account.
While connecting to the FileNet (in WebSphere) Content Engine:
I have a requirement where we have some usernames but not their passwords, and I want to use them via service user authentication, in a Java standalone or J2EE application.
I can authenticate them using my own login module without a service user, but I am searching for whether it's possible to authenticate them and perform actions using service user authentication.
What do you mean?
If you want to use a Service Account instead of a real user while working with FileNet CE, you just need to create a new Security Context with the new Subject; look at the samples for connecting to FileNet.
If you want to use a user authenticated without a password, you need to use a custom LoginModule or a TAI (for WebSphere only).
I am developing a Spring MVC webapp that has Spring Security enabled. I am trying to use OpenID with Gmail login for access to the webapp, following the instructions given here.
I want only a specific set of users to have access to the webapp. For this, I would be required to add all the users and their IDs to the tag. (Later I will implement DB access for this.)
My question is: How can I find the OpenID for my gmail account that will be used to access the webapp?
I understand that the OpenID is unique for each account and can be used for local authorization. Please correct me if I am wrong.
Set up an OpenID relying party that logs the communication with the OpenID provider.
Authenticate with your Google account.
Look at the logs.
The short answer is that the Google OpenID URL is not account-specific and is determined by https://www.google.com/accounts/o8/id.
Details:
In the background, OpenID consumers should fetch an XRDS OpenID document, which is located at https://www.google.com/accounts/o8/id. By parsing this document and doing the Service Discovery process, consumers will extract the Google OpenID Provider Address, which is identified by https://www.google.com/accounts/o8/ud.
This document tells consumers what the Google OpenID parameters are.
Below is the Google XRDS document, which is located at https://www.google.com/accounts/o8/id:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/accounts/o8/ud</URI>
</Service>
</XRD>
</xrds:XRDS>
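The service discovery step the answer describes, as an added example that is not part of the original answer: the XRDS document quoted above is parsed with the two XRI namespaces it declares, and the OpenID Provider endpoint is selected from the `Service` elements. The example goes a little beyond Google's document: it also handles `auth/2.0/signon` services (claimed identifiers) and orders services of the same kind by their `priority` attribute, lowest first, on a second, constructed XRDS sample. The `op.example` URIs in that second sample are made up for the example.

```python
"""OpenID 2.0 service discovery over an XRDS document (added example; not from the answer).

Input: an XRDS document as served at the discovery URL. Output: the OP endpoint URI
that the consumer should send the checkid request to, plus the advertised extensions.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Namespaces as declared in the document: xrds: for the container, default ns for XRD.
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}
SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"   # OP identifier (what Google publishes)
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"   # claimed identifier

# The Google XRDS document quoted in the answer, embedded here as sample input.
GOOGLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/accounts/o8/ud</URI>
</Service>
</XRD>
</xrds:XRDS>
"""

# Constructed sample: two signon services with different priorities and one unrelated service.
SAMPLE_SIGNON_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="20">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://op.example/backup</URI>
</Service>
<Service priority="10">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://op.example/primary</URI>
</Service>
<Service>
<Type>http://example.invalid/unrelated-service</Type>
<URI>https://op.example/other</URI>
</Service>
</XRD>
</xrds:XRDS>
"""


def parse_services(xrds_xml: str) -> List[Dict]:
    """Return every <Service> as {"types": [...], "uris": [...], "priority": n}."""
    root = ET.fromstring(xrds_xml.encode("utf-8"))
    services = []
    for svc in root.findall("xrd:XRD/xrd:Service", NS):
        types = [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text]
        uris = [u.text.strip() for u in svc.findall("xrd:URI", NS) if u.text]
        prio_attr = svc.get("priority")
        # A missing priority sorts last, per XRI Resolution's service selection rules.
        priority = int(prio_attr) if prio_attr is not None and prio_attr.isdigit() else float("inf")
        services.append({"types": types, "uris": uris, "priority": priority})
    return services


def select_op_endpoint(xrds_xml: str) -> Optional[Tuple[str, str]]:
    """Pick the OP endpoint: server-type services first, then signon; lowest priority wins.

    Returns (uri, kind) with kind "server" or "signon", or None if no OpenID service exists.
    """
    best = None
    for svc in parse_services(xrds_xml):
        if not svc["uris"]:
            continue
        if SERVER_TYPE in svc["types"]:
            rank = 0
        elif SIGNON_TYPE in svc["types"]:
            rank = 1
        else:
            continue
        key = (rank, svc["priority"])
        if best is None or key < best[0]:
            best = (key, svc["uris"][0], "server" if rank == 0 else "signon")
    return None if best is None else (best[1], best[2])


def supported_extensions(xrds_xml: str) -> List[str]:
    """List the non-core Type URIs (AX, UI, PAPE, ...) advertised across all services."""
    found = set()
    for svc in parse_services(xrds_xml):
        found.update(t for t in svc["types"] if t not in (SERVER_TYPE, SIGNON_TYPE))
    return sorted(found)


if __name__ == "__main__":
    print(select_op_endpoint(GOOGLE_XRDS))
    print(supported_extensions(GOOGLE_XRDS))
```

Two practical notes: the discovery document must be fetched over HTTPS from the fixed URL, since an attacker who can substitute it controls where the consumer sends the user; and because the XML comes from the network, a library that consumes untrusted XRDS should parse it with defusedxml (or an equivalently hardened parser) rather than the stock ElementTree used here for brevity.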