What is GitHub /.well-known/openid-configuration URL? - github

I am trying to find it in the developer doc but no luck:
https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/
Does GitHub expose a discovery endpoint for openid?

It appears GitHub only supports OAuth and not OpenID Connect.
This implies that only OAuth clients are delegated access to resources which belong to another.

Related

Access OpenId-Connect IDP via Keycloak with additional Basic Auth

We are currently evaluating the possibilities of keycloak since we need to replace a custom SSO solution. This requires us to connect to external IDPs which we already connected to.
Currently I am investigating an OpenID-Connect Provider which is authenticating the clients via POST using client_id and client_secret as parameters. Additionally, its API is secured with a basic authentication via the Authorization header. Whilst the first part is no problem, I have not found a solution to overcome the additional basic authentication with the available default configurations (using a user-defined OpenID Connect V1.0 provider). Vice versa, I can overcome the basic authentication, but then will miss the client_id and client_secret parameters which results in an error of the IDP not returning an access token.
Is there a way to resolve this issue? If not via default options, is there an option to add custom IDPs which can be configured in the backend? I saw the SPIs in the developer documentation (https://www.keycloak.org/docs/latest/server_development/#_providers) but I am not sure if one of those suits our needs.

Restrict keycloak OIDC login with google to a specific hosted domain

I have added an identity provider with OpenID Connect V1.0 and used Google endpoints. I have provided the option `?hd=X.com` (https://accounts.google.com/o/oauth2/v2/auth?hd=X.com) to restrict the login, but as per the Google doc, it says hd is an optional parameter. How do I validate the token received from Google after login, from the Keycloak perspective, and restrict login?
For anyone still curious about this answer, as of KC 11.0.0 the KeyCloak server is explicit that it will validate the response from Google matches the hd parameter you set in KeyCloak, as seen here:
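The check the answer above describes, as an added example that is not part of the original thread or of Keycloak: after verifying the ID token's signature and standard claims, require the `hd` claim to equal the expected hosted domain. An HS256 shared secret stands in for Google's real RS256 signing (which you would verify against the keys at the provider's `jwks_uri`) so the sample runs offline; the client id, domain and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 ID token for the demo (Google really uses RS256 via jwks_uri)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_hosted_domain(token: str, key: bytes, client_id: str, expected_hd: str, now=None) -> bool:
    """True only if signature, issuer, audience and expiry check out AND hd == expected_hd.

    Consumer Google accounts carry no hd claim at all, so a missing claim is a rejection."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    h, p, s = parts
    # Never trust the header's alg to pick the algorithm; we always verify HS256 here.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False
    claims = json.loads(_b64url_decode(p))
    # Google documents both issuer spellings for its ID tokens.
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return False
    if claims.get("aud") != client_id or claims.get("exp", 0) <= now:
        return False
    return claims.get("hd") == expected_hd
```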

Are static sites hosted on Google Cloud Storage accessible through https?

According to this post from 2014, https is not available to static sites on google cloud engine: https://stackoverflow.com/a/22767544/46799
Is this still the case? If so, are there any plans to add this functionality?
My site is hosted on GCS and I have a cname entry which maps my url to a bucket on GCS. I need to start providing access to the site through https now, am I out of luck?
This is still the case, sorry. You can access GCS via HTTPS, but not via CNAME redirects.

OpenID Connect Configuration for Facebook

Google has implemented the OpenID Discovery spec at https://accounts.google.com/.well-known/openid-configuration, which allows developers and users to find the necessary URLs and keys for OpenID authentication.
I was wondering what the Facebook and possibly other (e.g. Microsoft Live) equivalents are so I can use Facebook and others in a standard fashion.
SalesForce also has a discovery URL https://login.salesforce.com/.well-known/openid-configuration
Here is OpenID Configuration For Facebook
https://www.facebook.com/.well-known/openid-configuration/
Facebook's login mechanism/protocol is not based on OpenID Connect. Facebook uses a proprietary extension of OAuth 2.0 but it is not the standardized one that OpenID Connect specifies. Hence there's no point in expecting Facebook to publish OpenID Connect Discovery documents, unlike Google and Salesforce that do adhere to the standard.
Here is the OpenID Connect Discovery URL for Microsoft Azure AD:
https://login.windows.net/common/.well-known/openid-configuration
More information here.
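Fetching and checking a discovery document, as discussed in the original GitHub question and in this Facebook/Azure AD thread, as an added example that is not part of either thread: it builds the well-known URL for an issuer, validates the required metadata, and applies the Discovery 1.0 issuer-match check. The Google-shaped sample document and the `None` response standing in for a provider that does not publish one are constructed.

```python
import json
from typing import List, Optional
from urllib.parse import urlparse

# Metadata every provider MUST publish (OpenID Connect Discovery 1.0, section 3).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def discovery_url(issuer: str) -> str:
    """Well-known location of an issuer's discovery document (Discovery 1.0, section 4.1)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, body: Optional[str]) -> List[str]:
    """Return the problems found; an empty list means the document is usable.

    body is the response text, or None when no document came back (e.g. a 404,
    which is what a plain-OAuth provider gives you)."""
    if body is None:
        return ["no discovery document: provider does not implement OIDC Discovery"]
    try:
        doc = json.loads(body)
    except ValueError:
        return ["discovery document is not valid JSON"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # Discovery 1.0 section 4.3: the issuer in the document MUST equal the issuer it
    # was fetched for; otherwise a host serving a copied document could impersonate it.
    if "issuer" in doc and doc["issuer"].rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {doc['issuer']} != {issuer}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
    return problems


# Constructed, abbreviated sample modelled on the shape of Google's real document.
GOOGLE_SAMPLE = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    print(discovery_url("https://accounts.google.com"), validate_discovery("https://accounts.google.com", GOOGLE_SAMPLE))
    print(discovery_url("https://github.com"), validate_discovery("https://github.com", None))
```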

Adding an API to WSO2 API Manager that has OAuth credentials

We're trying to test out WSO2 API Manager and having troubles adding some APIs. MailChimp was added easily because MC has no OAuth credentials itself. But when trying to add Facebook or another API that has its own API manager it doesn't work and we constantly get a 401 Unauthorized. This is because both Facebook and WSO2 API Manager need OAuth tokens and obviously you can only send one Authorization header. Any help here?
WSO2 API Manager 1.0 still does not support (OAuth) secured back-end services out of the box. Hence it is not possible to register Facebook, Twitter APIs via APIM.
Right now, an application is sending an authorization header to the APIM with a key issued by the APIM. Ideally if you send another authorization header, that will be forwarded to the Facebook API, but at the API Gateway level you need to remove the processed header which belongs to the APIM authorization.
Adding backend services with security will be added as a new feature to APIM future releases.
Regards,
/Nuwan
Can you please explain why you want to use the API manager here? You can directly send your request to Facebook where the request is authorised.