The Wikipedia article says
Other shared authentication schemes not to be confused with SSO
include OAuth, OpenID, OpenID Connect and Facebook Connect, which
require the user to enter their login credentials each time they
access a different site or application.
but I've seen OpenID and SAML compared as if they are trying to achieve the same thing (the above article says SAML is an SSO mechanism).
Can someone explain why OpenId is not an SSO mechanism?
Forget about that article, that's the most confusing story around SSO I've ever read, containing statements that are plain wrong.
OpenID is an SSO mechanism, just like SAML, OpenID Connect and Facebook Connect. LDAP and OAuth are not SSO mechanisms, but one could build an SSO mechanism on top of OAuth, which is what OpenID Connect and Facebook Connect are.
Related
Background
I'm trying to implement social login using GitHub accounts and OpenID Connect, but I can't figure out what GitHub endpoints I'm supposed to:
redirect the user to and
POST the authorization code to
...to get back an ID token, or if I already have the right endpoints but the wrong parameters.
I've been following/adapting this guide to implementing social login with OpenID Connect (which uses Google as the Identity Provider rather than GitHub) and referring to the "OAuth 2.0 web application flow" GitHub docs page to try to understand how I need to adapt the guide to work with GitHub (i.e. what GitHub endpoints and parameters I need to use).
My problem
When I POST the authorization code to https://github.com/login/oauth/access_token (the URL specified in GitHub's docs) I get back an access token and a refresh token but no ID token. I suspect this is because the GitHub docs page is meant to be used to implement a plain (non-OpenID Connect) OAuth 2.0 flow.
What I've tried
I did a lot of Googling and found these 2019 slides from PragmaticWebSecurity.com that say I need to initially redirect the user to a different endpoint (https://github.com/openid-connect/auth rather than https://github.com/login/oauth/authorize, see slide 29), but when I try to do that, I get a 404 error from GitHub. I tried emailing the guy who created those slides to ask if the endpoint had changed, but he hasn't responded to me.
These are my guesses at what the answer to my question is:
GitHub doesn't support OpenID Connect / it isn't possible to get back an ID token; I need to just use the access token to query the API to get back whatever information I need about the user.
This would explain why I can't find any mention of social login with OpenID Connect in GitHub's docs.
I have the right endpoint (https://github.com/login/oauth/access_token), but I'm missing some required parameter to get back an ID token.
I have the wrong endpoint.
I contacted GitHub Support and got an official response: Their API doesn't support OpenID Connect for social login.
Here's their full response:
Hi Nathan,
Thanks for reaching out!
GitHub OAuth flow does not currently support the OpenID connect
functionality. You'll need to use the OAuth 2.0
https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps
Regards,
Oluwaseun GitHub Support
So, until they add support for OpenID Connect, you can refer to this write-up I did on how to implement social login using OAuth 2.0:
How do I implement social login with GitHub accounts?
From your guesses 1) and 2).
github oauth apps currently do oauth2 not oidc, it kind of stares in your face with the name, but I missed it as well.
I'll leave this for others researching this.
oauth2 != oidc, Depending on your use case you might have a client library that supports both, the config will look the same, but the response is different and needs to be handled correctly.
As per OpenID specification, I think you'll need to authenticate with OAuth2
The primary extension that OpenID Connect makes to OAuth 2.0 to enable
End-Users to be Authenticated is the ID Token data structure. The ID
Token is a security token that contains Claims about the
Authentication of an End-User by an Authorization Server when using a
Client, and potentially other requested Claims.
...
The OpenID Connect protocol, in abstract, follows the following steps.
The RP (Client) sends a request to the OpenID Provider (OP).
The OP authenticates the End-User and obtains authorization.
The OP responds with an ID Token and usually an Access Token.
The RP can send a request with the Access Token to the UserInfo Endpoint.
The UserInfo Endpoint returns Claims about the End-User.
Then you should be able to forward through OpenID the token, once you have set up the trust between the Authentication provider and the Autorization provider.
I'm trying to build a application based on RESTful API and I'd like to provide a method for authentication both JWT and 0auth (JWT for user access and 0auth for app access).
In short I'd like to do:
User Access (Web App, Mobile App - JWT)
------------------------> /
-----------------------> /api/login
-----------------------> /api/logout
Client's app (API KEY - 0auth)
------------------------> /services/getInfo
/services/getProducts
A user can use the web application and could wish to integrate some functionality of its app with my services, like Facebook, Github and so on..
I ain't sure about this approach because it's the first time I design a big application.
The questions are as follows:
Should I also use JWT for authentication by app?
Using JWT, can I trace how many request the apps do?
Can I revoke a JWT token?
Is 0auth protocol better than JWT for authentication by app?
Oauth 2.0 is an authorization protocol and it shouldn't be used for authentication. Consider using Openid Connect for your scenario. It works on top of oauth so the flow would be identical with some improvisations for authentication.
In this case, you can register your application to use the same protocol for both end users as well as for calls within your applications.
Please explore client credentials flow for app access and implicit/hybrid flow for Web App.
Openid connect uses jwt tokens for authentication and authorization.
Identity server 3 is a certified implementation of Openid connect. Their documentation is good and they have an active support forum to help you with queries.
Please Refer :
https://www.safaribooksonline.com/library/view/identity-and-data/9781491937006/ch04.html
https://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/
https://github.com/IdentityServer/IdentityServer3
https://github.com/IdentityServer/IdentityServer3.Samples
Can someone confirm whether Facebook Login API (https://developers.facebook.com/docs/facebook-login/v2.2) is based on OpenID Connect (http://openid.net/connect/) specification?
No it isn't at the moment. Uses OAuth2 (also used by OIDC)
This page
https://developers.google.com/identity/
states that the "Google Sign-In" secure authentication system "gives you ... federated sign-in with ... Facebook".
Google Sign-In is based on OpenID Connect.
I am not sure if the actually answers your question in the affirmative because the rest of the page only talks about signing in with Google.
I'm confused about facebook and whether or not facebook is an openid provider like google.
According to this link: http://developers.facebook.com/blog/post/246/, facebook is an openid relying party. What does that mean, and is that different from an openid provider like google.
Basically, I am currently using lightopenid to allow users to use their openid's to log into my site, but can't seem to find a url for facebook's openid authentication to do this.
I have seen a question similar to this which confuses me because in that question, the questioner was told that facebook is not an openid provider, yet facebook documentation says something that facebook is a openid relying party...???
Facebook is an OAuth provider. You need to use OAuth if you want to allow Facebook users to authenticate against your service.
Being an OpenID Relying Party means that Facebook accepts OpenID logins from their users, e.g. you can log in to Facebook with your Google account. Your service is also a Relying Party if it allows users to authenticate using their OpenIDs.
For more information on the terminology used by OpenID, see the OpenID Wikipedia article.
Referencing Is Facebook an OpenID provider? here. This is kind of an additional question based on it.
I have also read the article at : What is the "openid" url of facebook? - but I am still pretty confused on the whole ordeal. The goal is for people who use facebook to easily login to our website, not to neccessarily integrate with facebook and add things to it (yet). I have read the documentation on facebook connect and am still having trouble grasping exactly what we need to do to accomplish this.
I notice that it says that facebook accepts openid logins - so in theory someone with a facebook account could login to a site that took other openid logins, correct? Or do I have to code a separate 'facebookconnect' system just to accept logins from facebook accounts?
There is a difference between an OpenID provider (who gives you a URL you can log into other sites with) and an OpenID consumer (who lets you log into their site using an OpenID URL).
Someone who "accepts openid logins" sounds like a consumer, but your description "someone with a facebook account could login to a site that took other openid logins" is describing a provider.
There's nothing stopping a site being both a consumer and a provider, but as far as I know, Facebook isn't one.
You have to code a separate "Facebook Connect" system just to accept logins from Facebook accounts, they do not use the OpenID standard.
RPX is a commercial service that offers a way to cut down on some of the confusion.