We have a Spring Boot Web Application serving some REST API and the client consuming these API is a mobile app developed in React Native.
Now we need to secure the APIs and we're going to use Keycloak with Google as Identity Provider.
The integration between Keycloak and Google auth it seems pretty straight forward but I'm not able to understand the entire flow among parts and how to join the Browser login (on Keycloak page that redirects to Google authentication) in order to get a valid access token to perform API calls from mobile app.
I'll try to exaplain in another way, I supposed that:
Mobile app shows a web page (with Its browser) in order to perform the Keycloak login.
The end user using the mobile app press the Google button on Keycloak web page and begin redirect to Google for the authentication.
Google authentication the user and send a redirect URI with identity token and access token to the browser
...
then
...
is it correct to get the access token from the URI and use it form the subsequent API calls?
Is it supposed to work in this way?
I have to say that We also have and API Gateway (Ambassador) in front of our Web Application (containerized in a Kubernetes cluster).
I read different articles online but I'm still confused with the best approch.
Any suggestion is welcome.
Thanks.
Related
I am working on some OAuth 2.0 standards and non-standards flows to allow some clients to take the advantages of the SSO and give the users the native experience regarding the client that he/she working on.
One of the clients is a flutter App, so I followed the Authorization Code Flow with PKCE. The flow itself is a pretty straight forward to open a browser so you can exchange the code in this front channel with the access token through a backchannel. Things getting a bit complex while trying to authenticate via an external provider like Facebook. From the OAuth standard, it's easy to just pass the &acr_values=idp:Facebook.
The problem is when trying to follow the Authorization Code Flow with PKCE or even the old implicit flow to get access token through the Facebook, it opens the browser to ask you entering the Facebook username and password, but this is not the native experience as instead of that I want the web view to redirect the user to the app to authenticate via it instead of the browser like what's happening using the native Facebook SDK or Firebase SDK?
The only solution that I am following right now is following a non-standard authentication flow that I implemented myself to use the Flutter's Facebook SDK to get the Facebook token then exchange this token with my IdentityServer4 token after that (described here) which seems very user-friendly experience but complex and at the same time not standard.
So, is it a way to use the Authorization Code Flow with PKCE to get the access token from the IdentityServer4 using Facebook as an external provider and use the Facebook app instead of the browser to authenticate so we can give the user a native experience and follow the best OAuth2.0 practices at the same time??
I'm trying to learn how to utilize auth0 to handle user authentication for an api I am currently creating.
My api has two endpoints:
Login endpoint: /api/login
Request access token endpoint: /api/auth?code={code}
Here the authentication flow is:
User goes to the login endpoint of my api.
User is redirected to auth0 ui.
User inputs their login credentials.
Auth0 redirects back to /api/auth where a request for an access_token is made using the login code.
Firstly, is my understanding the Oauth authentication flow correct? If so, how best should my api handle the initial login redirect to auth0?
Because at the moment when I hit up /api/login from the front-end ui it just returns the html of the login page at auth0. Should I instead return a 302 with the redirect url or is it possible to create an endpoint where the user inputs the username & password via my api and avoids the redirect?
---update---
After a user has authenticated via auth0 they receive a access_token and id_token which should my api use to verify the user is who they say they are?
Not sure if my understanding is correct but I belive that my frontend ui is the OAuth client application and my API service is an OAuth resource server. As such does my api need to call out to auth0 /userinfo to verify the user?
Assuming you are trying to protect an end-user application (your question wasn't clear on that), my understanding is if you are using Auth0, you likely won't need an /api/login and api/auth API. If you are using Auth0 you can get those things during your authentication via Auth0.
I would say your APPLICATION (not API) would redirect the user to the Auth0 login endpoint. You would do that by incorporating the Auth0 SDK of choice, depending on what you're building. For example, if you're building a web app, you may choose to incorporate auth0.js and call webAuth.authorize() to trigger the login. During that login, if you have configured an API within Auth0, and you provide the proper Scope and Audience during your login, your response will return an API token.
Then your user is in a state on the client side where you are logged in, and you have a token. You can then provide that token to your API, and your API can validate that token as needed. Auth0 also has various libraries for token validation (like this spring security one, for example).
Lastly, the question on which oAuth flow to use, that also depends on what type of app you're protecting. There are again Auth0 docs to help. The flow depends on if you're building a server-side web app, a SPA, a native app, etc. Your question was a little confusing, and it sounded a bit like you are building an API and want to protect that. If there is no client-side app (only machine-to-machine API calls), then you wouldn't be dealing with HTML and login pages. You'd likely be getting into the Client Credentials flow, which last I checked was only included for Enterprise Auth0 users.
I'm trying to build a application based on RESTful API and I'd like to provide a method for authentication both JWT and 0auth (JWT for user access and 0auth for app access).
In short I'd like to do:
User Access (Web App, Mobile App - JWT)
------------------------> /
-----------------------> /api/login
-----------------------> /api/logout
Client's app (API KEY - 0auth)
------------------------> /services/getInfo
/services/getProducts
A user can use the web application and could wish to integrate some functionality of its app with my services, like Facebook, Github and so on..
I ain't sure about this approach because it's the first time I design a big application.
The questions are as follows:
Should I also use JWT for authentication by app?
Using JWT, can I trace how many request the apps do?
Can I revoke a JWT token?
Is 0auth protocol better than JWT for authentication by app?
Oauth 2.0 is an authorization protocol and it shouldn't be used for authentication. Consider using Openid Connect for your scenario. It works on top of oauth so the flow would be identical with some improvisations for authentication.
In this case, you can register your application to use the same protocol for both end users as well as for calls within your applications.
Please explore client credentials flow for app access and implicit/hybrid flow for Web App.
Openid connect uses jwt tokens for authentication and authorization.
Identity server 3 is a certified implementation of Openid connect. Their documentation is good and they have an active support forum to help you with queries.
Please Refer :
https://www.safaribooksonline.com/library/view/identity-and-data/9781491937006/ch04.html
https://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/
https://github.com/IdentityServer/IdentityServer3
https://github.com/IdentityServer/IdentityServer3.Samples
I'am trying to enter in the huge world of the SSO and making things to be clearer.
Here is my use case :
I have a web app (the RP in the SSO jargon) which uses a REST API. We have customers that would like to use a SSO way to connect to our web application and our API.
For example, a user "A" from our customer "A-Company" is connected to its intranet. And in this intranet there's a link to our Web App. If this user A clics on it the Web App must redirect it to the IDP of the "A-Company". User A then signin and gets an access token and is redirected back to our web app. Then, our web app validate this access token, get the claims and etc ...
If a user "B" from our customer "B-Compagny" wants to do the same, it'll have to be redirected to its own IDP too.
How this can be achieve using IdentityServer3? How my WebApp (the RP) knows where to redirect the incoming request to be authenticated (to IDP-A or IDP-B or elsewhere ...)
Is this use case illustrates what is called "Identity federation"?
I was looking at OpenID Connect and ThinkTecture IdentityServer V3 that seem to be a very good product but I have some difficulties to see if it will fit my needs.
Thank you for your help
Fred
I'm building a web service for use as an api component in web sites or apps built by others.
I am building a set of functionality that my clients can use on their sites for their users, but which are served by my application.
One of these services is user login. I intend to support multiple types of logins, and provide the client application a user token once the user is logged in. So the client application only has to implement one login interface, but they get a variety of oauth2 strategies for it.
To make this work with their google or facebook accounts, they would have to provide my app with their application id and secret key. Entering a secret key on someone else's site, even for integrating with your own site seems dangerous. They call it a "secret" key for a reason.
I have found one web service which seems to be doing something similar to what I am planning to do:
https://www.authic.com/documentation/google_oauth2
They have a configuration page for client accounts where the user enters oauth2 credentials to enable the Authic oauth2 login pages on behalf of the client app.
What are the security concerns to be aware of with this kind of service, and can the client app use a service like this safely? If it can be used safely, what is required for safe use? I think the app doing the oauth2 interface would be able to do other things on behalf of the client app, since it has an app secret, and the client app owners would have to trust that this was not happening.
The alternative to this strategy seems to be using my own application id with oauth2, and having the client apps redirect to my app's login page. Then the user will see the oauth2 permissions page with my app's logo instead of the app they were intending to log in to.