I am developing a Spring MVC webapp that has Spring security enabled. I am trying to use OpenID to use gmail login for access to the webapp given instructions here.
I want only a specific set of users to have access to webapp. For this, I would be required to add all the users and their ID's to tag. (Later will implement a DB access for this)
My question is: How can I find the OpenID for my gmail account that will be used to access the webapp?
I understand that the OpenID is unique for each account and can be used for local authorization. Please correct me if I am wrong.
Set up an OpenID relying party, that logs the communication with the
OpenID provider.
Authenticate with your Google account.
Look at the logs.
The short answer is that Google OpenID URL is not account specific and is determined by https://www.google.com/accounts/o8/id.
Details:
In the background, OpenID consumers should fetch an XRDS OpenID document, which is located at https://www.google.com/accounts/o8/id. By parsing this document and doing the Service Discovery process, consumers will extract the Google OpenID Provider Address, which is identified by https://www.google.com/accounts/o8/ud.
This document tell consumers what are Google OpenID parameters.
Below is the google XRDS document which is located at https://www.google.com/accounts/o8/id:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/mode/popup</Type>
<Type>http://specs.openid.net/extensions/ui/1.0/icon</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://www.google.com/accounts/o8/ud</URI>
</Service>
</XRD>
</xrds:XRDS>
Related
I'm working on a web application that uses OpenId authentication. Let's assume that the application essentially serves to store metadata and its associated files (docx, pdf). The Web Application is for internal use and is not exposed to public network, only users of the organization have access.
Recently, a requirement has arisen to be able to share files with users external to the organization. External users will use a PORTAL (third-party application) which, through a URL generated by the Web Application that points to the PORTAL, will have access to the file. This PORTAL uses OpenId authentication and invokes a Web Application API to retrieve the file.
Initially, the proposed solution was:
Web Application - Send EMAIL to the external user and create a user in Keycloak with Email to authenticate later on the PORTAL (Is this really necessary?! Biggest doubt).
The external user accesses the PORTAL with the URL received and authenticates with the user created by the Web Application on Keycloak.
Once authenticated on PORTAL, a WebApplication API is invoked to obtain the file.
The main question is whether the Web Application should manage the creation/editing/deleting of external users on Keycloak. Does the Web Application need to create users in Keycloak? Is there another way to accomplish this without compromising security?
Thanks in advance.
To share a file with restricted access, there are two approaches:
Open access with signed links: Create a signed URL using a web API and share it with external users. The link can be a static URL with an encrypted key, or a JWT signed token in base64 form generated by the web API. When the portal receives a request, it checks the validity of the token, retrieves the file location from the token, and allows access.
Email-restricted access: If you want to guarantee access only to the person with email xxx#abc.com, you'll need to use a challenge, which is typically a login. You can either create users on the fly after login (if the external users come from a partner with OIDC capability), or pre-create the users if this is not the case.
Note: You cannot rely solely on a URL with an email claim as proof of access, as the link may have been forwarded to someone else.
I am creating a web application with Spring Boot and JSF and my intention is to create courses in google classroom from my application.
I followed the example of Google to authenticate myself by Oauth: https://url.miapp.io/oS2mx
Implement that ClassroomQuickstart class from the example, but when you use the method getService() in my web application, it sends me in the Tomcat Embeded Console (Spring Boot) a Google URL for authenticate by myself from a browser and I can continue with the flow of my code.
In other words, authentication works in interactive mode waiting for me to authenticate from the browser so the application can continue the execution flow, I don't know what I should do so that I don't have to authenticate myself in this way, I don't know if it's the code that implements it as it is or has to do with the configuration in the google developer console.
3-legged OAuth:
You are currently following a 3-legged OAuth process, in which there are three parties involved: (#1) end-user, (#2) application and (#3) authorization server. In this OAuth flow, users need to give explicit consent to the application through the browser via a consent screen.
2-legged OAuth:
Since you want to avoid that, you should use a service account to access this application, so that users are not directly involved and user consent is not required. This workflow is usually called 2-legged OAuth (only the application and the authorization server are involved). See Using OAuth 2.0 for Server to Server Applications for a more in-depth explanation.
Since you don't want the service account to run the application by itself, but to act on behalf of other accounts in the domain, you should grant it domain-wide authority so that it can impersonate other accounts in the domain.
Workflow:
To achieve this, you have to follow these steps:
Create a service account by following this guide.
Delegate domain-wide authority to the service account (you have to be a domain administrator to do this): this step authorizes the service account to access data on behalf of any user in the domain. Follow the steps indicated here.
Once you have delegated domain-wide authority, you have to modify the code related to the building of the OAuth credentials. Use, for example, the code sample provided in this answer:
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("service-account#email-address") // Service account email
.setServiceAccountPrivateKeyFromP12File(new File("your-credentials.p12"))
.setServiceAccountScopes(Collections.singleton(ClassroomScopes.CLASSROOM_COURSES))
.setServiceAccountUser("user#email-address") // Your email address (address of the user you want to impersonate)
.build();
In this case, user#email-address refers to the account on behalf of which the course should be created. In order words, it will be the account that the service account should impersonate. Regarding theP12 file, it should be downloaded from the Cloud Console, as explained here. This can be done with a JSON file instead of P12 (see here).
Reference:
Using OAuth 2.0 for Server to Server Applications
I have to implement single sign on existing webforms application.
Before OpenID we were using OWIN OAuth library to have single sign on for external logins such as Facebook or google.
I have found that now OpenID is used for external logins but I also found that Identity Server 4 is also used as middle ware on top of OpenID to generate and verify tokens.
Why one would create a complete token verification system (Identity Server 4) if he can use google and facebook authentication using OpenID?
I want that my webform application should include external logins but I am confused what should I use (Identity Server 4 or OpenID connect)?
If OpenID then please let me know that this article is the right path to get start.
IdentityServer4 is simply an implementation of the OpenID Connect Provider specs (Basic OP, Implicit OP, Hybrid OP, Config OP) that allows you to build your own identity service.
Unless you want to build your own identity provider/secure token service then you do not need to use it. If you just want to consume 3rd party OpenID Connect providers like Google and Facebook then you can implement that using the Azure AD guide you linked to.
I'm new to spring boot and I want to integrate openId provider into our application. I have searched a lot about it but didn't find any suitable article from which I can start.
Problem statement:
Once user hits our websites url(ex. www.abc.com) the user should be redirected to openID provider's(login page) server where the user puts username and password or register him/herself.
After successful authentication, user then given the access to our application where in application needs to retrieve few informations about user (basically data exchange between openID provider and application).
how exchange key to generate a shared secret-key?
I have end point of openId provider and service discovery endpoint.
Would someone help me out with this?
We have a Windows 7 Task Tray application that needs to access services in our Google App Engine application, and we are having difficulty making the OAuth connection between them work. For some reason our OAuth libraries that work with the Twitter and Tumblr OAuth implementations do not seem to work in this scenario with Google. Google is returning a 400 bad request response to the last step in the OAuth authorization sequence.
To debug the problem I am trying to use Google's OAuth 1.0 Playground page (http://googlecodesamples.com/oauth_playground/index.php). But I can't figure out what should be entered for the "scope" in step 1. If I enter the name of our GAE server the sequence will fail with the error message "Invalid scope". Clearly, choosing one of the provided scopes (the Google API services) is not an option for us.
Can anybody tell me how the OAuth scope designation should be set when accessing Google App Engine hosted services?
just for reference look at this blog,looks helpful in your case
http://ikaisays.com/2011/05/26/setting-up-an-oauth-provider-on-google-app-engine/
I think this Google Official Docs explains best how to set up an endpoint to your own appengine application. You question isn't very specific, but take note of the following that is being written in this document:
The scope of an authorization, how much the consumer is allowed to access, is for all of a single app. App Engine only supports whole-app scopes, and does not support more granular scope requests. When Google Accounts prompts the user to authorize a consumer, the prompt explains that the consumer is requesting permission to access the full app.
And did you set up OAuth on your domain?
The consumer performs OAuth actions using a set of standard web service endpoints. These endpoints use reserved paths on your app's domain. For example, if your app uses a Google Apps domain of www.example.com, the endpoints for the OAuth protocol begin as follows:
https://www.example.com/_ah/OAuth...