My problem is that I want to configure Openam so that it returns a JWT-token when I use The simplest user name / password authentication. By default, it returns tokenId. But in my case, I need only JWT-token. I am using this endpoint for authentication: http://openam-01.domain.com:8080/openam/json/authenticate.
Thx!
OpenAM only issues a JWT when you are using 'stateless' / client based SSO session. If you need a standardised JWT, then you need to configure OpenAM as OIDC provider.
You can configure OpenAM Security Token Service (STS) to exchange OpenAM authentication token to JWT.
Related
Can OAuth be used for authentication (grand type - password flow) ??
I'm currently building a web application (microservices-based), and I want to implement OAuth for the authentication end-user, I choose to implement OAuth password flow, store the access token (JWT) in cookies, and validate that JWT token in the middleware.
After I do some research I found that OAuth is just for authorization, not authentication, is it correct? and how do I apply authentication with OAuth?
is the implementation of the OAuth password flow is not correct for my case?
You first authenticate (with user-password input or with 3rd party apps like Google Login). Then, later on you can use OAuth wherever needed.
Context:
1 spa
1 api
1 existing passport strategy with jwt
Feature:
Connect additional account with oauth to the existing account
I already have an authentification using passport on nodejs.
This generates a jwt allowing the users to authenticate them with a bearer token in the header of each request to the api.
I would like to add an additional oauth connection to the existing account (actually it is docusign but I think the problem could be the same with other connections).
When there is the redirection with the authorization code, I cannot identify the user which has initiated the connection because I don't have the bearer token in the request header anymore and the data between the two accounts can be different (different emails for example).
Is there a workaround for this or did I miss something?
Thank you for your help
Passport has an Authorize method which can be used to authenticate with a secondary IdP. For example:
Use Passport#Login to enable the user to login to your application's primary IdP
Use Passport#Authorize to enable the user to authenticate with a secondary IdP (such as DocuSign) as needed.
Regarding state for your redirect method (determining which IdP should be used to exchange the authorization code for an access token):
You can use the state parameter that is sent as part of the OAuth authorization code grant flow. But be sure to also use the parameter as a random nonce to guard against a CSRF attack. Eg, send idp1|random_nonce so you can both check the nonce and know that you should communicate with idp1, not idp2.
You can use your application's session machinery to maintain your app's state knowledge of which IdP you're working with at the time.
The only one I can think of is having 2 apps. Each can run on a different port or vd. Each would have their own passport strategy. The two apps can redirect to eachother and/or communicate using API endpoints to pass data between them.
I am currently looking to create a private web app with separate front-end and back-end on AWS using nodejs without signup and 3rd part logins, so generated user and passwords. I have looked over a few post, seems Oauth2 only provide more security when I am allowing 3rd party login or services, because it is a authorization framework. so I have a few questions:
In my case, I don't think authenticate oauth2 token is anymore secure than authenticate hash password. So I don't need oauth2 am I correct ?
Other than SSL on transfer and then use session-token after user login, what other ways I can make the backend API more secure ?
Please provide links or examples(best with nodejs )
Thanks,
I read articles on choosing the right authentication mechanism and I understand that JWT just defines a token while OAuth is a full framework that can use JWT. There are also other frameworks (Firebase?) and token-standards.
Now for my specific use-case I have a single-page-, microservice app with Angular2 that will run the whole day in the browser without any refreshing, in a rather old B2B environment (2GB ram, IE11). So social logins are not needed and a lightweight solution is preferable. Can you suggest anything?
This questionary could help
Are you using a forms based web or a SPA?
Forms: Use server sessions
SPA: Use authentication tokens (JWT or opaque)
Using authentication tokens, do you want to avoid storing session data at server side?
Yes: Use JWT
It does not matter: Use opaque tokens
The client needs to verify token or extract token claims?
Yes: Use JWT signed with RSA
No: Use JWT with HMAC or opaque tokens
Do you have an API for third party?
Yes: Use OAuth2 or OpenIDConnect issuing authentication tokens after succesful user login
No: Nothing extra
Do you want to manage user passwords?
Yes: Make your own registration and login forms
No: Integrate social logins (they use oauth/OIDC)
In my web application, which happens to be a SPA (Single Page Application), I have OpenID and OAuth2.0 clients for user authentication using third party service. Namely, Google (OpenID), Yahoo (OpenID), Windows Live (OAuth2) and Facebook (OAuth2).
Now, I have setup a token endpoint which exchange user credentials for a bearer token. The goal here is to replace Cookies by an Authorization header set in all requests of the SPA.
For this, I'm using the OAuth2.0 client password authentication strategy with a 'password' grant_type to authenticate the user based on its credentials (oauth2orize + passport-oauth2-client-password).
I am wondering :
How can I keep using the token bearer authentication method for users authentified using a 3rd party service ?
Is there anything in the OAuth2.0 spec which handles this case ?
What is the common practice for this kind of implementation ?