Here is the scenario:
I have a web app with some RESTful APIs, the users are using an IdP to do SSO. I registered my web app (as well as many others 3rd party web apps) to the IdP and when the users want to use my web app, I will redirect users to the login page of the IdP and do normal SAML 2 stuff to authenticate the user. This part has been done already. Now once logged in, users can freely use any web app registered to the IdP. The next to do is to authorise some of these web apps (not all) to be able to use my RESTful APIs.
Different from the normal OAuth 2 granting flow, it is not the users allowing their 3rd party web apps to use my APIs, instead, I want to control which 3rd party web apps can use my APIs. Something like the user will request from me to grant a certain web app of his/hers to use which of my APIs. Or any other good suggestions I am all ears.
You could take a look at this spec, which provides more control of the distributed access tokens.
Related
Following up on the design outlined in Design for Facebook authentication in an iOS app that also accesses a secured web service, and specifically the concern listed in https://stackoverflow.com/a/12912616/5154090: what would be the mitigation?
Specifically, I have a web server that exposes a REST API which is consumed by a mobile app. I'd like users to authenticate to the server (via the app) using Facebook.
Now, an apparently common flow is for the app to redirect the user to Facebook, where they will login with their credentials. The app will then get a token which it will send to the server, and the server will validate the token using the graph API.
But how can the server make sure that the token really came from the app? Specifically, what's to prevent a malicious app vendor from re-using my app ID? After all, the app ID is hardcoded into the app and can therefore be extracted and used by a malicious app. If users log into that malicious app with Facebook, then the malicious vendor can get tokens with my app ID and can impersonate users of my service.
How can one protect against this?
To summarize for anyone else who happens to contemplate this - there is indeed no way to prevent the client ID from being spoofed. This is one reason that developers are discouraged from using the OAuth implicit flow in native apps as pointed out by Andre D in https://stackoverflow.com/a/17439317/5154090:
the use of the Implicit Flow with native apps is NOT
RECOMMENDED.
(see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-native-apps-09#section-8.5).
In practice, if anyone mounts this attack, then the user will download App A (a malicious app) and will then be asked to authorize App B to make actions on their behalf. As far as I can tell, this is generally the only indication that an attack is taking place.
I'am trying to enter in the huge world of the SSO and making things to be clearer.
Here is my use case :
I have a web app (the RP in the SSO jargon) which uses a REST API. We have customers that would like to use a SSO way to connect to our web application and our API.
For example, a user "A" from our customer "A-Company" is connected to its intranet. And in this intranet there's a link to our Web App. If this user A clics on it the Web App must redirect it to the IDP of the "A-Company". User A then signin and gets an access token and is redirected back to our web app. Then, our web app validate this access token, get the claims and etc ...
If a user "B" from our customer "B-Compagny" wants to do the same, it'll have to be redirected to its own IDP too.
How this can be achieve using IdentityServer3? How my WebApp (the RP) knows where to redirect the incoming request to be authenticated (to IDP-A or IDP-B or elsewhere ...)
Is this use case illustrates what is called "Identity federation"?
I was looking at OpenID Connect and ThinkTecture IdentityServer V3 that seem to be a very good product but I have some difficulties to see if it will fit my needs.
Thank you for your help
Fred
I'm building a web service for use as an api component in web sites or apps built by others.
I am building a set of functionality that my clients can use on their sites for their users, but which are served by my application.
One of these services is user login. I intend to support multiple types of logins, and provide the client application a user token once the user is logged in. So the client application only has to implement one login interface, but they get a variety of oauth2 strategies for it.
To make this work with their google or facebook accounts, they would have to provide my app with their application id and secret key. Entering a secret key on someone else's site, even for integrating with your own site seems dangerous. They call it a "secret" key for a reason.
I have found one web service which seems to be doing something similar to what I am planning to do:
https://www.authic.com/documentation/google_oauth2
They have a configuration page for client accounts where the user enters oauth2 credentials to enable the Authic oauth2 login pages on behalf of the client app.
What are the security concerns to be aware of with this kind of service, and can the client app use a service like this safely? If it can be used safely, what is required for safe use? I think the app doing the oauth2 interface would be able to do other things on behalf of the client app, since it has an app secret, and the client app owners would have to trust that this was not happening.
The alternative to this strategy seems to be using my own application id with oauth2, and having the client apps redirect to my app's login page. Then the user will see the oauth2 permissions page with my app's logo instead of the app they were intending to log in to.
I am creating a REST API server. For each app I have provided API key and secret. Example apps are Web app, mobile app any other app who want to use my api service. Now my API service will also need user authentication. How do I implement that? I have already done app authentication using hmac signature generation. Now I need help on implementing user authentication on those apps.
I can recommend you use OAuth or OAuth2 concept because it's standardized and widely adopted. You will be also able allow users to login with Facebook, Google account, etc.
I have a web application that's going to be available for all users on my google domain.
Is there a way of allowing the application to manage user's emails, calendar, etc without requiring the user authorization using the fact that all users are part of the domain?
You will need to have a look into Google Apps 2-Legged OAuth APIs, they will allow you to access/manipulate users data without their authorization.
You can find the list of available 2-Legged OAuth APIs here.
Unfortunately you will see that you cannot do as much with the 2-Legged API as you can with the 3-Legged API. However, 3-Legged OAuth requires the users consent at least once.