I Have separate Authentication app and multiple spa apps hosted on subdomains and I want to share the JWT token generated (which is generated when the user logs in from authentication app) from Authentication app to other apps hosted under subdomains. How can I do that?
ex: xyz.com is the main domain and x1.xyz.com, x2.xyz.com are the subdomains)
Basically you need a SingleSignOn system. Before selecting a protocol or framework (or not) consider what kind of flow you need:
Option 1 redirections: (e.g openid or saml)After login in the main domain, redirect user to subdomain sending the JWT. Attach the token when jumping from a subdomain to other. Enable a classic SSO based on sessions in the main domain to redirect user when access directly to a subdomain without token.
Option 2 shared token across domain: (e.g google webs) Authenticate in the main domain and store the JWT in a cookie / localStorage of the main domain which is connected from the SPA in subdomain using an iframe See full answer here: https://stackoverflow.com/a/40555970/6371459
Related
I would like to hide Keycloak's interface from my Customers.
Is it possible to login to Keycloak through an API (specially for Authorization Code grant type), so I can build a React component for example for my customers to login?
Is it possible to build my own Account app, that will interact with Keycloak through an API?
Only my staff should use Keycloak's interface to manage security.
You can redirect your application to the Keycloak login page, and change that login page to have the looks and feel that you desire using Keycloak Custom Themes. To communicate from your Account app to Keycloak Api you can use the Keycloak Admin API.
Yeah, almost every SPA (Angular, React, Vue, ...) developer dreams about replacing of IdP (Keycloak in your case) login screen (because default IdP login is ugly/it doesn't match app style/... and he can build cool login screen on the SPA level :-)).
Sure, it's possible. Switch to Direct Access Grants (Resource Owner Password Credentials Grant) and you can use that. But you will sacrifice security. Let's say you have Google IDP identity brokering, so users will be able to use also own Google account. Will you put your Google credentials to some custom login form, which claims that those credentials will be used only to login and they won't be stolen. I would say no, because app will see your credentials. That is purpose of IdP (OIDC or SAML protocol). It provides user identity to any app (especially for 3rd party apps) without exposing user credentials - that is perfect case for Authorization Code grant type.
So I would say it's possible to use own SPA login form, but it is wrong idea. I would use local app auth in you case.
Second question: you can build own Account based on Account REST API. It is pretty new, so there is no good doc for that and it's only available as an preview feature. New account console should use it - https://www.keycloak.org/2020/09/new-account-console.adoc.html, so you can watch network browser console to see API requests.
My understanding (which may be incorrect) of Keycloak is that once an User has logged in and is authenticated, the access-token/JWT is then stored as a cookie in the browser (under the default name 'kc-access').
Is it possible to configure keycloak to instead store the access-token directly as a Bearer Token instead of in a cookie?
Asking as I wish to use Keycloak to secure a web application, however most resources I have read on Authentication usually talk about access-tokens stored as Bearer Tokens, rather than as cookies.
From the Keycloak documentation, I cannot see any mention of options to store the access-token as a Cookie OR Bearer Token - Am I misunderstanding how Keycloak is meant to be used for providing authentication for web applications?
Keycloak is used as a Single-Sign-On (SSO) provider. As such, it is designed to be used with multiple components. It is designed to keep a session open on the user's browser with a cookie. This session is private to Keycloak. The authentication flow then provides your application with a token that authenticates the user. Your application will then usually set it's own cookie to establish a session for the user and avoid having them login on each page.
When you login with Keycloak, it keeps a session open with your browser by storing a cookie there. The length of this session and other factors are configurable in your realm settings.
When you use Keycloak to login to another app, such as your web app, you use OpenID Connect (or SAML) as a protocol to authenticate the user with a flow similar to the following:
The user's browser is redirected from your application to Keycloak,
which checks whether the user already has a session, requires them to login (and create a session) if they are not yet logged in on keycloak
Redirects the user back to your web app with a short lived code
Your application connects to keycloak to exchange the code against a token.
Your application reads the token to identify the user and possibly stores it if it needs to access third party resources as the user using OAuth2.
Your application creates a session cookie to keep the user authenticated.
Most of these steps should be handled by a library. Keycloak provides many OpenID adapters for popular frameworks and servers, such as Apache and Tomcat.
The session cookies can be any string so long as they are unique and private between the browser and your application. They identify the user from the browser across requests. The bearer token is generally used to authenticate or to connect to stateless services such as APIs.
You can find documentation about the OpenID protocol here: https://openid.net/connect/faq/ .
I have multiple subdomains using Facebook Login. I found that when adding a new subdomain, adding it into App Domains list in Basic page does not enable it. Adding the subdomain into Domain Manager in Advanced page makes it work.
so question 1: what is the difference between the 2?
In another question, it says that App Domain is supposed to be where the 'server side' files are located at.
background for question 2:
I have an API and a client that uses the same Facebook app. I assume that the api's URL should be in App Domain. But for the client, all the subdomains actually use the same codebase. I use AWS CloudFront to manage the HTTP requests from all subdomains and have them use code from the same S3 bucket. So essentially, the code is actually hosted in the s3 bucket which has 'Website Hosting' enabled.
question 2: should I just add the s3 bucket hosting URL, and ignore the subdomain URL's?
"App Domains" contain the domains and subdomains which can be used to perform Facebook Login, Share, Canvas etc on behalf of your app. Source, source.
In "Domain Manager" you add domains that will be allowed to prefetch content, for example when you Share of point Ads at a domain. Source.
If you're using Facebook Login, you also need to add "Valid Oauth Redirect URIs" under
Facebook Login / Settings as well.
Question 2: The page that makes the call to Facebook should be entered in App Domain (and possibly Domain Manager if you use Facebook Share.
I'am trying to enter in the huge world of the SSO and making things to be clearer.
Here is my use case :
I have a web app (the RP in the SSO jargon) which uses a REST API. We have customers that would like to use a SSO way to connect to our web application and our API.
For example, a user "A" from our customer "A-Company" is connected to its intranet. And in this intranet there's a link to our Web App. If this user A clics on it the Web App must redirect it to the IDP of the "A-Company". User A then signin and gets an access token and is redirected back to our web app. Then, our web app validate this access token, get the claims and etc ...
If a user "B" from our customer "B-Compagny" wants to do the same, it'll have to be redirected to its own IDP too.
How this can be achieve using IdentityServer3? How my WebApp (the RP) knows where to redirect the incoming request to be authenticated (to IDP-A or IDP-B or elsewhere ...)
Is this use case illustrates what is called "Identity federation"?
I was looking at OpenID Connect and ThinkTecture IdentityServer V3 that seem to be a very good product but I have some difficulties to see if it will fit my needs.
Thank you for your help
Fred
I'm building a web service for use as an api component in web sites or apps built by others.
I am building a set of functionality that my clients can use on their sites for their users, but which are served by my application.
One of these services is user login. I intend to support multiple types of logins, and provide the client application a user token once the user is logged in. So the client application only has to implement one login interface, but they get a variety of oauth2 strategies for it.
To make this work with their google or facebook accounts, they would have to provide my app with their application id and secret key. Entering a secret key on someone else's site, even for integrating with your own site seems dangerous. They call it a "secret" key for a reason.
I have found one web service which seems to be doing something similar to what I am planning to do:
https://www.authic.com/documentation/google_oauth2
They have a configuration page for client accounts where the user enters oauth2 credentials to enable the Authic oauth2 login pages on behalf of the client app.
What are the security concerns to be aware of with this kind of service, and can the client app use a service like this safely? If it can be used safely, what is required for safe use? I think the app doing the oauth2 interface would be able to do other things on behalf of the client app, since it has an app secret, and the client app owners would have to trust that this was not happening.
The alternative to this strategy seems to be using my own application id with oauth2, and having the client apps redirect to my app's login page. Then the user will see the oauth2 permissions page with my app's logo instead of the app they were intending to log in to.