I am writing an android application for an University that uses Shibboleth for authenticating the students.
Since I am making a android native app (not a webview), I would like to programmatically pass the username and password and get back the user credentials of the user. Does Shibboleth have a restful api that I can use.
for ex. CAS has https://wiki.jasig.org/display/CASUM/RESTful+API which would allow me to programmatically send a username and password and get back the ticket credentials. Is there something similar for shibboleth?
Shibboleth does not provide a REST interface, but they do have a non-browser-oriented authentication profile called ECP.
https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP
Shibboleth doesn't have any restful support. However you can still use JAAS + Java plugin + Rest client to do authentication by calling your Restful based authentication system. I had similar implementation
Related
I have been trying to implement 2fa using OTP. Till now i am successful doing it via browser flow using keycloak interface to login. Keycloak provides an API to give the access token after passing username, password & client-secret,
i.e. http://localhost:8080/realms/SpringBootKeycloak/protocol/openid-connect/token
Is there any any external api available to trigger my custom flow of sending OTP and verifying it, if not how can i implement this?
Keycloak doesn't provide any API to verify the OTP.
Keycloak provides an API to give the access token after passing username,
password & client-secret
Most likely you're talking here about Resource owner password credentials grant (Direct Access Grant).
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update. (source).
Unless you have more specific requirements rather than just login and OTP, I'd recommend you to use a regular authorization code flow instead as a default way of authorization. Using this flow you'd be redirected to Keycloak login page and configure OTP to be displayed there without using Keycloak APIs.
Could anyone explain what would be the best approach for this scenario?: There are 2 separate Service Providers:
System A is a server that works as a rest API for a mobile application.
System B is a website which login is handled with simple and plain cookies.
I have read a lot and Ive found that the most used protocols in use right now for these kind of systems are SAML and OAuth, where OAuth works specially to give security to API services and SAML for web applications (cookie based).
Ideally, what is being looked for is a single log in, which is right now handled for System B through cookies in the main domain.
Is there a way to use both SAML and OAuth? Or What would be a good way to go?
The answer depends on what IDP you currently have.
Is the IDP SAML based or is that just what you got from researching?
SAML and OAuth don't really play well together.
The ideal would be OpenID Connect where you could use the OpenID Connect token to get a REST API token. But that would involve using the same IDP for authentication for both.
It depends, If you have both app deployed on same server then you can use SSO with tomcat valve or JBOSS with picketLink. If your applications deployed on different domain then you need to use federation server with SAML like OpenId, OpenAM, Spring-saml with ADFS or any other IDP server.
For securing rest API, you have to use Oauth protocol. By implementing OAuth you will get Oauth token by providing userId and password. Then Oauth token can be used to access rest API from mobile or any other third party service.
I've been working whit the SAML extension to connect to an ADFS server. I've hacked the sample application to use my ADFS server and everything went well, but I would like to know if there is a way to connect to an IDP without using the loging page of the IDP. I mean if there is a way to do this process in background for the end-user. I am thinking about doing a query to ADFS or something like to get the users and do authentication from the SP login page, avoiding the need for the user to authenticate in the IDP login page.
The purpose of federated authentication is to delegate it to a centralized server in such a way that the relaying parties/service providers do not have access to user's credentials. Enabling authentication directly in your application would violate this principle and for this reason is not supported by neither Spring SAML nor ADFS.
If you want to authenticate your users directly, use authentication directly against Active Directory instead of ADFS. This will fully support your use-case.
I'm trying to integrate Facebook OAuth2 authentication with my own OAuth2 server. Just to be clear the scenario is the following:
I have a OAuth2 Server that is responsible for authenticating our users. I implemented a custom AuthenticationProvider that checks for the credentials provided and builds a UserDetails object if successful.
I also have a rest-api that is also a ResourceServer (runs in a different application). So users after being authenticated they can access our rest-api providing therefore the token.
The token information is shared using JDBC.
Everything works fine as expected, but now I want to add external authentication providers such as Facebook.
My question is: what's the best way to do this? What's the expected flow? From the top of my head I would imagine something like:
User authenticates with facebook
Facebook provides a token
User sends the token to our OAuth2 server
I check the token validity with facebook
I authenticate the user using the authentication provider
The server gets back to the user with a new token issued by my OAuth2 server which the user will use from now on to ask for resources
Is this right? If so, how can I send the facebook token to my OAuth2 server? Is there some kind of standard? Should I make up new parameters for that? For instance I will be needing some way to differentiate facebook authentications from user/password ones.
Am I suppose to use my own AuthenticationProvider to validate this facebook user? It seems strange then return a UserDetails object that doesn't have a password...
Also, how to register users and auto log them in? Do I have to expose an endpoint of my own or is there some OAuth2 magic for that as well?
Any thoughts?
Facebook has some very good documentation on this with the correct flow and how you should handle the process.
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2
You are on the right track, and I think the facebook documentation should help clear up any questions you may be having.
Additional Information is here:
https://developers.facebook.com/docs/facebook-login/v2.2
I am going to build a mobile ( and web) application which will allow email/password registration along with social (facebook, google) registration. Native or web app will call REST webservices (secured by Spring OAuth2). Social login will be handled by native /web app. REST service will not have any clue if user is logged in. In case of email registartion, username/password will be passed to WS.
Given the facts , what is the standard or good approach to secure REST services? Any experience with similar architecture?
Couple of ideas we are going through:
At the begining when app is launched, pass device id to WS. WS will send push notification to device silently (using apple/google ) containing one authorization code. This code will be passed for OAuth2 authentication. But not sure how to handle web application here.
Once user logs into social , obtain social id passoing token from social provider. Pass social access token and this id to WS. WS will validate the token against id making a call to the provider oauth service (e.g. https://graph.facebook.com/me?fields=id&access_token=XXX ).
Finally we decided to go with option#2 as it looks more robust and similar architecture has been used by many projects. We will pass social oauth token to REST service over secure HTTP.