Can Oauth2 be used for authorization and authentication?
As I understand it, Oauth2 authorizes a consumer application to access user information from providers (e.g. Facebook, Google, Twitter, etc).
But can Oauth2 be used to authenticate a user? For example, suppose we have an app comprised of native mobile frontends and a backend API: can Oauth2 be used to validate and maintain authentication on top of the authorization from providers like Facebook, Google, Twitter, etc.?
If yes, how? For example, do we persist the auth token and use it as a session token? Or is OpenID Connect required for authenticating users to a "consumer" app via third-party providers?
OAuth 2.0 in its spec-compliant form cannot be used for user authentication. Having said that, one can develop an extension to OAuth 2.0 that would allow for user authentication. Some providers, e.g. Facebook, have done just that.
But there is also a standardized extension of OAuth 2.0 that allows for user authentication, called OpenID Connect. OpenID Connect is required indeed if you want to authenticate users to a consumer app via 3rd party providers in a standardized way. The token format of OpenID Connect is a JWT and the token itself is called id_token. You may use an id_token as a session token.
For an extensive article on OAuth 2.0 and user authentication see http://oauth.net/articles/authentication/
I have a multi-tenant web application that internally uses different services and a REST API service, and for login purposes does username and password validation using WSO2IS and LDAP. LDAP is configured as the WSO2IS user store. So when a customer logs into the web application, right now it is implemented by checking whether the username and password are present in the LDAP directory or not, and logging into the application based on the LDAP directory response.
Now I want to implement token-based authentication: when a client logs into the application using his/her tenant user credentials, get the token from the WSO2IS server and send the token to the client side, so that it is used while calling any service or REST API. If it expires after the time limit, then regenerate the token. And when a request goes to any service or REST API, validate whether the token is valid or not, so that only for a valid token does the backend service send a response; otherwise it sends a failure response.
I am stuck on the correct approach. I need the exact approach to successfully implement an authorization/identity management service with WSO2 to handle access tokens for user validation and to validate the REST service.
You can use OpenID Connect (OIDC) [1] in order to achieve your requirement.
OpenID Connect is an authentication protocol that is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
You can use WSO2 IS and integrate your client application with OIDC [2][3] and get an access token on behalf of the user to communicate with external APIs.
Also you can use the OAuth Introspection endpoint [4] of the WSO2 IS in order to validate the access tokens as for your requirements.
[1] https://openid.net/connect
[2] https://docs.wso2.com/display/IS570/OpenID+Connect
[3] https://docs.wso2.com/display/IS570/OpenID+Connect+Authentication
[4] https://docs.wso2.com/display/IS570/Invoke+the+OAuth+Introspection+Endpoint
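The introspection step from point [4], as an added example that is not part of the answer or of WSO2's code: a backend service posts the bearer token it received to the introspection endpoint (RFC 7662) and then decides from the response whether the call may proceed. The endpoint URL and the resource server's credentials are placeholders; which credentials a given server accepts for introspection is server-specific, so check the WSO2 IS documentation linked above.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder settings (assumptions, not values from the answer or WSO2 docs).
INTROSPECTION_ENDPOINT = "https://is.example/oauth2/introspect"
RS_CLIENT_ID = "orders-api"
RS_CLIENT_SECRET = "constructed-secret"


def introspect(token, endpoint=INTROSPECTION_ENDPOINT,
               client_id=RS_CLIENT_ID, client_secret=RS_CLIENT_SECRET):
    """POST the token to the introspection endpoint and return its JSON response.

    This performs a network call, so it is shown for the wire format only.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def authorize(introspection, required_scope, expected_client=None, now=None):
    """Decide whether a request may proceed, given an introspection response.

    Returns (allowed, reason_or_subject). 'active' alone is not enough: the
    scope, expiry and issuing client are checked as well.
    """
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token inactive"
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    granted = set(introspection.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}"
    if expected_client and introspection.get("client_id") != expected_client:
        return False, "token issued to a different client"
    return True, introspection.get("username") or introspection.get("sub")


# Constructed sample responses in the RFC 7662 shape.
ACTIVE_RESPONSE = {
    "active": True,
    "scope": "openid orders:read",
    "client_id": "web-portal",
    "username": "alice@tenant1.example",
    "exp": 1700000300,
}
INACTIVE_RESPONSE = {"active": False}
```

Every API call hitting the introspection endpoint is a round trip to the identity server, so in practice the result is cached for a short window well below the token lifetime; the decision logic in `authorize` stays the same either way.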
I am trying to develop a custom Workplace widget for SharePoint. But in the documentation I do not find how to authenticate users! Only with an app access_token or impersonate_token, which is not secure...
Is there an endpoint for generating a bearer access_token via SSO? Or a SAML assertion?
No, you can communicate with Workplace via API only using access_token.
I have a Django application that currently stores user credentials and performs authorization and authentication. I am in the process of breaking off the front-end into an Angular SPA and converting the backend to a REST API. My Django API will live as an Azure API app protected by Azure API Gateway. I would like to remove the authentication piece from Django and allow users to sign in using OpenID Connect through either Google or Microsoft Account. What I would like to happen is this:
When a user visits the site, assuming they have never registered with my app, they will have the option to sign in with their Google account or Microsoft Account. If the user decides to sign in using their Google or Microsoft account, (this is where I'm confused and why i'm posting here ... ) I think what happens is the API Gateway performs the authentication, generates a JSON Web Token (JWT), and sends that token back to the Django API. Django receives the JWT, decrypts it, and checks to see if there is a user account matching the email address in the JWT. If there is not a user account, Django will add a user to the user accounts table (not storing a password). If there is a user matching that email address, then Django allows the user in.
All that said, I guess my question(s) are:
Should I do the authentication at the API Management Gateway or should I do it at the Azure Web API?
Can I use Django's built-in authentication system to do what I want or is that not needed?
Am I over-complicating all of this? Is there an easier way to do this? All this seems like a lot of work.
Is OpenID Connect what I should be using (instead of Oauth2)? I have no experience with either.
Azure API Management does not actually provide any kind of JWT issuing mechanism, so you'll have to implement that yourself. The end points for doing that may or may not be exposed via API management.
What possibly gets you confused is the fact that the APIm Portal supports various identity providers, like Twitter or Google, to sign up for the API. But these are not your application users; these are for the API Portal users.
What you can do with the APIm Gateway is to validate subsequent calls to your backend API that the supplied JWT token is valid (using the <validate-jwt> policy).
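The Django side of the flow described in the question, once the JWT has already been validated (by the gateway's validate-jwt policy or by Django itself), as an added example that is neither the asker's code nor Django's: linking the identity in the token to a local account. It goes one step beyond the email-only match the question describes, keying the account on the token's (iss, sub) pair and only consulting the email when creating a new account, and then only if the provider asserts it as verified. `UserStore` stands in for Django's user table so the code runs without Django, and the issuer strings are constructed placeholders.

```python
# Constructed placeholders for the issuers you choose to trust.
ALLOWED_ISSUERS = {"https://idp-google.example", "https://idp-microsoft.example"}


class UserStore:
    """Stand-in for the Django user table; same decisions, no ORM."""

    def __init__(self):
        self._by_identity = {}  # (iss, sub) -> user record
        self._by_email = {}     # normalised email -> user record

    def get_or_create_from_claims(self, claims):
        """Return (user, created) for already-verified JWT claims.

        Identity is keyed on (iss, sub): the subject is stable per provider,
        whereas an email address can change hands or be unverified.
        """
        iss, sub = claims.get("iss"), claims.get("sub")
        if iss not in ALLOWED_ISSUERS or not sub:
            raise PermissionError("token from an unknown issuer or without a subject")
        user = self._by_identity.get((iss, sub))
        if user is not None:
            return user, False
        email = (claims.get("email") or "").strip().lower()
        if not email or not claims.get("email_verified", False):
            raise PermissionError("provider did not assert a verified email")
        if email in self._by_email:
            # Same email seen from a different identity: do not merge silently;
            # that would let one provider's account take over another's.
            raise PermissionError("email already linked to another identity")
        # Mirrors Django's set_unusable_password(): no local password stored.
        user = {"iss": iss, "sub": sub, "email": email, "has_usable_password": False}
        self._by_identity[(iss, sub)] = user
        self._by_email[email] = user
        return user, True
```

In a real Django project the record would be a `User` row plus a small table of (issuer, subject) pairs pointing at it, and the `PermissionError` cases would map to a 403 or to an explicit "link this account" page.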
I am doing some work in Django, using the Django Rest Framework.
Users login via Oauth2 to facilitate integration with mobile applications.
I am using the Oauth2 authentication library that is packaged together with the Django Rest Framework.
To logout a user, I am expiring their access tokens, is this the correct way of doing things?
It's not correct. Normally, the access token expires when it reaches its expiration time.
Or in some of these cases:
1. The user revokes this access token.
2. Users change their password.
3. When a refresh token is revoked, its issued access tokens will be deleted.
And here is a reference about log out.
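The three cases above as a small in-memory token store, an added example that is not part of the answer and not the Django Rest Framework OAuth library's code: expiry is checked on use, a revoked refresh token takes its issued access tokens with it, and a password change drops everything the user holds. Token values are random; no real endpoint or library API is assumed.

```python
import secrets


class TokenStore:
    """In-memory model of the revocation rules listed above (constructed example)."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self._access = {}   # access token -> {"user", "exp", "refresh"}
        self._refresh = {}  # refresh token -> {"user"}

    def issue(self, user, now):
        """Issue a refresh token and a first access token derived from it."""
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = {"user": user}
        return self._mint_access(user, refresh, now), refresh

    def _mint_access(self, user, refresh, now):
        access = secrets.token_urlsafe(32)
        self._access[access] = {"user": user, "exp": now + self.access_ttl,
                                "refresh": refresh}
        return access

    def refresh_access(self, refresh, now):
        """Regenerate an access token; fails once the refresh token is gone."""
        rec = self._refresh.get(refresh)
        if rec is None:
            raise PermissionError("refresh token revoked or unknown")
        return self._mint_access(rec["user"], refresh, now)

    def is_valid(self, access, now):
        """Normal case: an access token is good until its expiry time."""
        rec = self._access.get(access)
        return rec is not None and rec["exp"] > now

    def revoke_access(self, access):
        """Case 1: the user revokes a single access token."""
        self._access.pop(access, None)

    def revoke_refresh(self, refresh):
        """Case 3: revoking a refresh token deletes every access token issued from it."""
        self._refresh.pop(refresh, None)
        for tok in [t for t, r in self._access.items() if r["refresh"] == refresh]:
            del self._access[tok]

    def password_changed(self, user):
        """Case 2: a password change invalidates all of the user's tokens."""
        for tok in [t for t, r in self._access.items() if r["user"] == user]:
            del self._access[tok]
        for tok in [t for t, r in self._refresh.items() if r["user"] == user]:
            del self._refresh[tok]
```

Expiring only the access token on logout, as the question describes, leaves the refresh token usable, so a mobile client (or anyone holding that refresh token) can simply obtain a new access token; `revoke_refresh` is the operation that actually ends the session.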
I think what you mean is that you are creating an OAuth2 provider?
If I am correct, I would recommend switching to using token authentication. To create an OAuth2 provider there are many restrictions and rules to follow, and I assume when you create an OAuth2 provider that it will be a public system that can be used by many people (who can and will misuse your service if it has leaks).
I've already successfully implemented LinkedIn and Twitter OAuth 2.0 authorization in my app with external libraries. But I have problems with Facebook. It seems like it has a different authorization flow.
I need to have 3 endpoints to implement OAuth: request token url, access token url and authorize token url.
For LinkedIn and Twitter I have them:
REQ_TOKEN_URL="https://api.linkedin.com/uas/oauth/requestToken";
ACCESS_TOKEN_URL="https://api.linkedin.com/uas/oauth/accessToken";
AUTHORIZE_TOKEN_URL="https://api.linkedin.com/uas/oauth/authorize";
REQ_TOKEN_URL="https://api.twitter.com/oauth/request_token";
ACCESS_TOKEN_URL="https://api.twitter.com/oauth/access_token";
AUTHORIZE_TOKEN_URL="https://api.twitter.com/oauth/authorize";
But for Facebook instead of request token I have
OAUTH_FACEBOOK_DIALOG = "https://www.facebook.com/dialog/oauth";
And I'm not sure if it's equivalent. Probably not, since it doesn't work the way it did with LinkedIn and Twitter.
And in the Facebook documentation they suggest starting with redirecting the user to "https://www.facebook.com/dialog/oauth", but in classical OAuth 2.0 first I have to request the token from the request_token_URL.
So the question is: is Facebook authorization flow actually not OAuth 2.0 and I have to use different approach?
Facebook does in fact fully support OAuth 2.0. Twitter currently does not support OAuth 2.0. LinkedIn OAuth 2.0 support I believe is still in beta. But yes, you will need to use a different approach for different versions of OAuth.
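The "different approach" the answer refers to, as an added example that is neither the asker's code nor Facebook's: the request-token step in the LinkedIn and Twitter URLs above belongs to OAuth 1.0a, while the OAuth 2.0 authorization code grant (RFC 6749) starts directly by redirecting the user to the authorization endpoint, then exchanges the returned code at the token endpoint. The authorization URL is the Facebook dialog URL quoted in the question; the token endpoint, client_id and redirect URI are placeholders, and the PKCE parameters (RFC 7636) apply where the provider supports them.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"   # from the question
TOKEN_URL = "https://provider.example/oauth/token"        # assumed placeholder


def build_authorization_request(client_id, redirect_uri, scope):
    """Step 1: no request token is fetched first; the user is sent straight to
    the authorization endpoint. Returns the redirect URL and the values the
    client must remember in order to check the callback."""
    state = secrets.token_urlsafe(16)          # binds the callback to this request
    verifier = secrets.token_urlsafe(32)       # PKCE verifier, kept client-side
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)
    return url, {"state": state, "verifier": verifier}


def parse_query(url):
    """First value of each query parameter in a URL."""
    query = urllib.parse.urlparse(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def handle_callback(callback_url, pending):
    """Step 2: the provider redirects back with ?code=...&state=...
    Anything whose state does not match the pending request is rejected."""
    q = parse_query(callback_url)
    if "error" in q:
        raise PermissionError(f"provider returned error: {q['error']}")
    state = q.get("state", "")
    if not state or not hmac.compare_digest(state, pending["state"]):
        raise PermissionError("state mismatch: callback did not originate from our request")
    if "code" not in q:
        raise PermissionError("no authorization code in callback")
    return q["code"]


def token_request(code, redirect_uri, client_id, pending):
    """Step 3: the form body the client POSTs to the token endpoint to exchange
    the code for an access token. A client secret, if the app has one, is sent
    from the backend in the Authorization header, never from the mobile app."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": pending["verifier"],
    }
    return TOKEN_URL, body
```

The three URLs a library needs for OAuth 2.0 are therefore the authorization endpoint, the token endpoint and your own redirect URI; there is no request-token endpoint, which is why a library built around OAuth 1.0a's three endpoints cannot be pointed at the Facebook dialog URL.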