I am a bit confused implementing SSO with RESTful API. So far, I have used RESTful API to authenticate and get a token-id.
How should SSO can be implemented? To get a token validated, it must be saved somewhere as a cookie or something. Is there any way to do this?
I you want to do SSO yourself you have to mimic OpenAM's SSO session tracking mechanism which uses cookies.
Related
I am developing a SPA web app with REST API using Node. I read in many sources that the JWT should not be stored in localStorage of the browser; but instead should be set using cookie with httpOnly flag set. I have also read that mobile apps and SPAs should used token-based authentication.
If I should use token-based authentication, where should I store the token in the client?
While setting cookie is possible to do in web client, how can I use the same REST endpoint when I develop clients for mobile? I am not sure if mobile apps use the concept of cookies.
Suggestions would be highly appreciated.
I think your application should check cookies for the token first, if it is not there, then check the request Authorization header.
I am working on Ruby on Rails application. I need to implement Single Sign on / Single Log out (SSO / SLO) using OneLogin.
I used OneLogin-Ruby-Sdk => https://github.com/onelogin/onelogin-ruby-sdk to log user via session token API. It creates a cookie in browser and allows me to login on other apps. But when I logout using log_a_user_out Api. It only logs out of current application but not from all applications. So SLO is not working in this case.
Thereafter, I integrated devise_saml_authenticatable => https://github.com/apokalipto/devise_saml_authenticatable. It works with SSO / SLO perfectly. But it redirects to oneLogin UI to generate SAMLRequest and send back SAMLResponse.
Is there a way I can generate SAMLRequest and SAMLResponse programatically ?
Just like we do for OAuth2 where we can generate access token using refresh token again and again.
Basically I want users to signup and login through my app forms and communicate with OneLogin and implement SSO / SLO using API rather than going to oneLogin UI.
Please let me know if more information is required in terms of code which could help in providing answer. I will be more than glad to do so. Any help is hugely appreciated.
I'm trying to learn how to utilize auth0 to handle user authentication for an api I am currently creating.
My api has two endpoints:
Login endpoint: /api/login
Request access token endpoint: /api/auth?code={code}
Here the authentication flow is:
User goes to the login endpoint of my api.
User is redirected to auth0 ui.
User inputs their login credentials.
Auth0 redirects back to /api/auth where a request for an access_token is made using the login code.
Firstly, is my understanding the Oauth authentication flow correct? If so, how best should my api handle the initial login redirect to auth0?
Because at the moment when I hit up /api/login from the front-end ui it just returns the html of the login page at auth0. Should I instead return a 302 with the redirect url or is it possible to create an endpoint where the user inputs the username & password via my api and avoids the redirect?
---update---
After a user has authenticated via auth0 they receive a access_token and id_token which should my api use to verify the user is who they say they are?
Not sure if my understanding is correct but I belive that my frontend ui is the OAuth client application and my API service is an OAuth resource server. As such does my api need to call out to auth0 /userinfo to verify the user?
Assuming you are trying to protect an end-user application (your question wasn't clear on that), my understanding is if you are using Auth0, you likely won't need an /api/login and api/auth API. If you are using Auth0 you can get those things during your authentication via Auth0.
I would say your APPLICATION (not API) would redirect the user to the Auth0 login endpoint. You would do that by incorporating the Auth0 SDK of choice, depending on what you're building. For example, if you're building a web app, you may choose to incorporate auth0.js and call webAuth.authorize() to trigger the login. During that login, if you have configured an API within Auth0, and you provide the proper Scope and Audience during your login, your response will return an API token.
Then your user is in a state on the client side where you are logged in, and you have a token. You can then provide that token to your API, and your API can validate that token as needed. Auth0 also has various libraries for token validation (like this spring security one, for example).
Lastly, the question on which oAuth flow to use, that also depends on what type of app you're protecting. There are again Auth0 docs to help. The flow depends on if you're building a server-side web app, a SPA, a native app, etc. Your question was a little confusing, and it sounded a bit like you are building an API and want to protect that. If there is no client-side app (only machine-to-machine API calls), then you wouldn't be dealing with HTML and login pages. You'd likely be getting into the Client Credentials flow, which last I checked was only included for Enterprise Auth0 users.
I'm trying to build a application based on RESTful API and I'd like to provide a method for authentication both JWT and 0auth (JWT for user access and 0auth for app access).
In short I'd like to do:
User Access (Web App, Mobile App - JWT)
------------------------> /
-----------------------> /api/login
-----------------------> /api/logout
Client's app (API KEY - 0auth)
------------------------> /services/getInfo
/services/getProducts
A user can use the web application and could wish to integrate some functionality of its app with my services, like Facebook, Github and so on..
I ain't sure about this approach because it's the first time I design a big application.
The questions are as follows:
Should I also use JWT for authentication by app?
Using JWT, can I trace how many request the apps do?
Can I revoke a JWT token?
Is 0auth protocol better than JWT for authentication by app?
Oauth 2.0 is an authorization protocol and it shouldn't be used for authentication. Consider using Openid Connect for your scenario. It works on top of oauth so the flow would be identical with some improvisations for authentication.
In this case, you can register your application to use the same protocol for both end users as well as for calls within your applications.
Please explore client credentials flow for app access and implicit/hybrid flow for Web App.
Openid connect uses jwt tokens for authentication and authorization.
Identity server 3 is a certified implementation of Openid connect. Their documentation is good and they have an active support forum to help you with queries.
Please Refer :
https://www.safaribooksonline.com/library/view/identity-and-data/9781491937006/ch04.html
https://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/
https://github.com/IdentityServer/IdentityServer3
https://github.com/IdentityServer/IdentityServer3.Samples
I am creating a REST API server. For each app I have provided API key and secret. Example apps are Web app, mobile app any other app who want to use my api service. Now my API service will also need user authentication. How do I implement that? I have already done app authentication using hmac signature generation. Now I need help on implementing user authentication on those apps.
I can recommend you use OAuth or OAuth2 concept because it's standardized and widely adopted. You will be also able allow users to login with Facebook, Google account, etc.