Authentication Strategy using Torii for Ember CLI 'static' apps - ember.js

Just to clarify my understanding of what Torii provides for client side static apps:
1. OAuth 2.0's Implicit Grant workflow is the only OAuth workflow which works in client side static apps.
2. Torii only supports this via torii/providers/oauth2-bearer, which returns tokens not codes.
3. If 1. and 2. are true, then I suppose all client side static apps which use Torii would only use the oauth2-bearer approach. The rest of the providers in Torii, like stripe-connect etc. which are code workflow based would need server support to get an AccessToken based on the code.
Is this right?
Thanks in advance.

Some of the concepts in Torii can be a little confusing to understand. Because it's so flexible, the answer to most questions is "it depends".
Your understanding is basically correct:
1. Yes, the only useful OAuth workflow which does not require a server with a shared secret is Implicit Grant.
2. Yes, the bearer provider does not require you to run a server. Neither does the facebook-connect provider, or any custom provider which uses the same approach.
3. Serverless apps using Torii cannot use an Authorization Code workflow, and would need an authentication mechanism which returns an access token. This is likely to be using the oauth2-bearer provider, but you could use facebook-connect or any other similar approach.
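The distinction the question and answer draw, as an added example that is not part of this thread and not Torii's own code: after the OAuth 2.0 redirect, an Implicit Grant response carries a bearer token in the URL fragment that the static app can use directly, while an Authorization Code response carries only a code whose exchange needs a client secret, so it has to be handed to a backend. The hostnames, client id, state values and tokens below are constructed sample values, and `buildAuthorizeUrl`, `parseParams` and `handleRedirect` are names chosen for this example.

```javascript
// Added example for this thread (not Torii's own code): what a client-side
// static app can finish on its own after the OAuth 2.0 redirect, and what it
// cannot. Runs under Node (URL is a global) or in a browser.

// Build the authorization request URL. responseType 'token' asks for the
// Implicit Grant (token delivered in the fragment); 'code' asks for the
// Authorization Code Grant (code delivered in the query string).
function buildAuthorizeUrl({ baseUrl, clientId, redirectUri, responseType, scope, state }) {
  const url = new URL(baseUrl);
  url.searchParams.set('response_type', responseType);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  if (scope) url.searchParams.set('scope', scope);
  // state must be unguessable and stored by the client before redirecting;
  // generate it with crypto.getRandomValues in a browser, never Math.random.
  url.searchParams.set('state', state);
  return url.toString();
}

// Parse "a=b&c=d" from a query string ("?a=b") or a fragment ("#a=b").
function parseParams(str) {
  const out = {};
  const body = str.replace(/^[?#]/, '');
  if (!body) return out;
  for (const pair of body.split('&')) {
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Interpret the URL the authorization server redirected the browser back to.
// expectedState is the value the client stored before starting the flow.
function handleRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  const query = parseParams(url.search);
  const fragment = parseParams(url.hash);
  // Implicit Grant responses live in the fragment, code responses in the query.
  const params = Object.keys(fragment).length ? fragment : query;

  if (params.error) {
    return { status: 'error', error: params.error };
  }
  // Reject responses that do not match the request we started (CSRF binding).
  if (!expectedState || params.state !== expectedState) {
    return { status: 'rejected', reason: 'state mismatch' };
  }
  if (fragment.access_token) {
    // This is what an oauth2-bearer style provider hands back: a usable token.
    if ((fragment.token_type || '').toLowerCase() !== 'bearer') {
      return { status: 'rejected', reason: 'unexpected token_type' };
    }
    return {
      status: 'authenticated',
      token: fragment.access_token,
      expiresIn: Number(fragment.expires_in) || null,
    };
  }
  if (query.code) {
    // A code is not a credential for API calls. Exchanging it at the token
    // endpoint requires the client secret, which a static app cannot hold,
    // so the code must be passed to a backend that performs the exchange.
    return { status: 'needs_server', code: query.code };
  }
  return { status: 'rejected', reason: 'no token or code in response' };
}

// Constructed sample redirects (not real endpoints or tokens).
const SAMPLE_IMPLICIT =
  'https://app.example/callback#access_token=abc123&token_type=Bearer&expires_in=3600&state=s1';
const SAMPLE_CODE = 'https://app.example/callback?code=c456&state=s1';

console.log(handleRedirect(SAMPLE_IMPLICIT, 's1')); // status 'authenticated'
console.log(handleRedirect(SAMPLE_CODE, 's1'));     // status 'needs_server'
```

The `state` check is the part a static app must not skip: without it, any redirect carrying a token could be planted into the app's session. The fragment never reaches the server in an HTTP request, which is why the Implicit Grant is the one flow a serverless app can complete alone, and also why the token is exposed to anything that can read the page URL (browser history, extensions, injected scripts), so it should be consumed and cleared from the location promptly.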

Related

EmberJS: When should I use the Torii vs Ember-Simple-Auth?

I'm trying to learn authentication for a web app that I'm writing. All I want is a login and password, and to make sure the user can't write/edit each others posts unless they are logged in.
I'm not sure I fully understand it. But it seems that Torii is better if you need to do Facebook or Google authentication, whereas simple-auth is better for just logging in. Is that correct? Are there other things Torii can do that Simple-Auth can't? Are there things that Simple-Auth can do that Torii can't?
Actually, as you can read in this link, it makes sense to use both together:
Simple Auth is more about maintaining session/session events, providing a framework for authenticating a strategy, and authorizing requests. Torii is more about interfacing with these external authentications. So, it’s not as though Simple Auth and Torii could not exist side by side.

Multiple auth providers at the same time using ember-simple-auth

Is it possible to use ember-simple-auth with multiple auth providers at the same time? For example, on my website I want to call a few Google Analytics APIs using Google's JWT auth token and other APIs using a custom OAuth2 token.
You can have a few authenticators, but use only one authenticator at a time. It's mentioned in the docs. So the answer is no. It's because you have only one session service, which holds the authentication status. And I don't see a way of solving this without heavily modifying ember-simple-auth.

Wirecloud authentication using keystone only?

The instructions for providing FIWARE based authentication for Wirecloud suggest installing KeyRock (a frontend/backend combo of the Horizon/Keystone GE). Is the frontend (Horizon) really necessary if the only application to be secured is a Wirecloud instance (and possibly some backend services)? The point is to avoid, if possible, having to configure/style/maintain etc. a second frontend. Is it possible to authenticate directly using a Django plugin like this? Pros and cons?
WireCloud is currently linked to the use of django.contrib.auth, so any authentication plugin based on it should work. Moreover, the instructions for using KeyRock use python-social-auth, so in fact you can use it for authenticating with any of the backends supported by python-social-auth: GitHub, Twitter, OpenId, ...
In that regard, I don't see any problem in the use of the plugin you are proposing (although I have not tested it).
The advantage of using the KeyRock backend provided by WireCloud is that it enables operators and widgets to propagate the credentials to third-party services using KeyRock for authentication (e.g. Orion Context Broker, Object Storage, ... and in general, any service behind a PEP proxy).

ember-simple-auth multiple authenticator architecture

I am trying to implement multiple login options in my ember-cli site (so you can authenticate via facebook, google, or my own oauth2 server). However, I'm a little at a loss as to the right way to accomplish this. As far as my research goes, I can see that there are multiple ways to do this using ember-simple-auth.
The first option is to simply use ember-simple-auth-oauth2, and create authenticators that extend that for each login method. This is a combination of the Authenticated Account and Multiple External Providers examples provided by ember-simple-auth. Obviously, this would mean writing all my authenticators myself including the ones for facebook/google.
The second option I see is to use ember-simple-auth-torii to authenticate each of my login methods, as in the Torii example provided by ember-simple-auth. However, I simply cannot find a good oauth2 example to help me create a provider for my custom oauth2 server. If anyone could help me out with this by showing me how to add a custom oauth2 provider to ember-simple-auth-torii, I would appreciate it.
Finally, the last option (that I can see) is a combination of the two above: using ember-simple-auth-torii authenticators for google/facebook, and an ember-simple-auth-oauth2 authenticator for my own server. Obviously, I don't really want to rely on 2 separate ember-simple-auth packages, but if I have to I can (I'm assuming doing this would work?).
If anyone could pipe in on these methods or suggest a new one to allow me to do oauth2 authentication via facebook, google, and a custom server, I'd appreciate it.
Using both packages is the way to go. The Ember Simple Auth packages are built so that you always include the base package (ember-simple-auth) plus any additional packages for authentication strategies etc. that you want to use. If you e.g. want to use the OAuth 2.0 package to authenticate against your own server plus the torii package to authenticate against Facebook, Google+ etc. then you simply include both packages. There will also be no duplicate code that you're requiring as the common functionality is in the ember-simple-auth package and the ember-simple-auth-oauth2 as well as the ember-simple-auth-torii packages only include the code that's specific to the respective authentication strategy.

SAML with Django authentication

I'm using Django and nginx hosted on AWS. I'm trying to integrate with a university for SAML authentication, using their IdP. There are plenty of outdated answers on SO, but is there anything more relevant with current standards?
Many of the apps I've seen are for Django 1.2 and lower. Specifically I'm looking for resources that would allow me to more easily manage the SAML authentication through some middleware or anything else.
Some of the things I have seen are:
https://github.com/unomena/django-saml2-idp
https://github.com/WiserTogether/django-saml2-sp
The project I found is below:
https://bitbucket.org/lgs/djangosaml2/overview
The project uses pysaml2 for SAML support. pysaml2 can be found here:
https://github.com/rohe/pysaml2
Bear in mind that djangosaml2 may not use the latest version of pysaml2. I tested it and it's working fine.
UPDATE
djangosaml2 works with the latest version of pysaml2, but make sure to add this line to make it work:
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
This should be in your settings.py.
SAML has two sides:
- IdP -> Identity Provider side -> i.e. the university
- SP -> Service Provider -> i.e. your application
Sounds like this one is what you want: https://github.com/WiserTogether/django-saml2-sp.
You have to take into account that SAML as a standard is complex, so you might find issues getting the library to talk to the SAML implementation in the university. You will also have to get from them the identity provider's public certificate and ask them to add your application on their side with a specific entity id. And when you start managing a couple of them it gets complex.
You might also want to check out something like Auth0 to handle all those SAML connections. There is a very simple python sample https://gist.github.com/woloski/8149412
Hi, I just created a Django SAML2 authentication plugin.
https://github.com/fangli/django-saml2-auth
It's quite easy to integrate with your SAML2 provider, hope you enjoy.
This library is actively maintained: https://github.com/onelogin/python3-saml/tree/master/demo-django