How to use loopback4 application authentication strategy with keycloak or keycloak-connect .
Keycloak provides steps w.r.t express application but would like to use it in loopback4.
Ref : https://www.keycloak.org/docs/latest/securing_apps/#_nodejs_adapter
keycloak-backend npm library provides token verification methods(online and offline) for authentication alone. Offline method requires a public key which can be, in most cases, retrieved from https://{keycloak-domain}/auth/realms/{realm}.
Related
I have a test project based on the .Net 5 ServiceStack mvcidentity sample. For web-based access, the authentication works as expected.
Accessing the API directly from another app for the hello sample works as no authentication is required. However, if I try to connect to one of the API Methods that requires Authentication, I receive an error message that no auth providers are defined.
Based on this sample, what is the correct way to access one of the authentication required methods from an application on another computer, where there would not be a user to login? I presume we would need to add a basic authentication or something similar in the authentication pipeline?
If you're using the mvcidenity project template you're using ASP .NET Core Identity for authentication (as opposed to ServiceStack Auth) which you'll need to use for any authorization, e.g. you can use a IAuthorizationFilter to implement HTTP Basic Auth.
I need to implement an Identity provider service (using node.js) that should be able to.
Get, validate and parse (using private key and cretificate) the authentication request from SP example
If everything is valid, respond with a signed XML response example
Is there a tool in node.js that can handle the IdP side of SAML protocol. i'm familiar with samlify, saml2, passport-saml, and all of them seem to handle the Service provider side of the protocol.
If the packages mentioned here can serve to my needs, could you specify how exactly they handle this.
Any other directions and/or hints may be helpful.
Thanks
This is what my research say about this modules .
Passport-saml - Provider service provider only
Saml2-js - Provide service provider
Samlify - Idp in experimental phase , You can check idp implementation here. https://github.com/tngan/samlify/blob/f2b6a2f8c36dc0ff887d0442c48cd0f2c0a4a778/examples
Node-samlp - IDP which provide saml assertion but user authorization we need to do our own
Saml-idp - It says IDP we can create but again it refer to online IDP
I have used samlify to make my existing node js application as identity provider to third party service provider.
It has many configuration options. Intially it took time to successfully implement.
I am a first-timer in implementing user authentication on a web application. Below are some details for the app:
Its a hyperledger composer angular2 application generated using yo
hyperledger-composer command
Existing set of username and password available
User identities are successfully issued in composer.
Should I use passport-saml strategy as suggested in https://github.com/bergie/passport-saml? Or is there a better option considering Yo generates angular2 app (many angular 1.x examples available for other strategies like passport-local and passport-http)?
What are the details I will need from the existing database if passport-saml is the best option?
I checked Using passport-http on Hyperledger composer REST API, but it doesn't seem to answer (here the user wants to use userID and userSecret).
See here -> https://hyperledger.github.io/composer//integrating/enabling-rest-authentication.html
You can use the COMPOSER_PROVIDERS environment variable - to specify - the Passport strategies that the REST server should use to authenticate clients of the REST API. You choose, the strategy best suited to you - I can't advise if passport-saml is suitable for you, that's your decision :-) . The parameters (example shown for providers.json) are quite similar to the example shown in the docs. Some of the information from the Github repo you posted already has some sample information in the config parameters section.
Here is what I am trying to accomplish -
A native application which is going to be run on a system where I cannot involve the user to login but I want to access web services secured behind AAD using a bearer token. There are two options -
Use a certificate based flow (which I want to avoid for few reasons
specific to my project)
Use the client secret
Issue I am running into:
When I call acquiretokenasync using the Native AAD application's client ID and a client credential built using the AAD web application's (which the native app has permissions to) client secret, I get the following error -
{"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: f52cc954-2674-47ee-9a7b-094451b05c7c\r\nCorrelation ID: 1ba8ac64-cc4a-4ff7-83d6-a333504459d6\r\nTimestamp: 2016-08-20 01:45:08Z"}
So given that the client secret is indeed correct (which I am positive about), what could be the real issue behind this error?
Thanks in advance for your help :)
You can't use the native application client ID and web application client credential (client secret). The native application has no associated secret, only the web application has. Native applications are assumed to run on insecure hosts, such as the desktops and smartphones. Client secrets would become too fragile.
For more information on how to authenticate a native application and access resources, take a look at these articles:
Authentication Scenarios - Native Application to Web API
Developing Native Client Applications
There are two types of application which we can register in Azure Active Directory.
Select Native for client applications that are installed locally on
a device. This setting is used for OAuth public native clients.
Select Web app/API for client applications and resource/API applications that are installed on a secure server. This setting is
used for OAuth confidential web clients and public user-agent-based
clients. The same application can also expose both a client and
resource/API.
Native applications are public clients in OAuth2 parlance. Those apps are meant to run on a device and aren't trusted to maintain a secret - hence, their entry in the directory does not have the corresponding property. Without a secret, there is no way to assert the identity of the app - hence such apps cannot gain app level permissions and the portal UX reflects that. Conversely web apps are, again in OAuth2 parlance, confidential clients. They can get delegated tokens for their users, but they can also use client credentials to get tokens as themselves. Native apps can obtain tokens for the user via the OAuth2 authorization grant.
Refer this article further.
I have developed a REST API with sailsjs and I'd like to add OAuth2 authorization to secure this API. I'm quite new to OAuth and I'm not sure where to start.
I found several modules that could be used for this purposes, for instance oauth2orize and an example of its usage https://github.com/aaron524/sails-oauth2-provider-example but I do not fully understand how this is working internally.
Basically, I'll have several clients consuming the API I'm developing:
- clients that I trust and that I'd like to use with the "Resource Owner Credential Authorization"
- clients that I do not trust and that will connect using the Authorization Code flow
I was thinking of adding a trusted property to the Client model within the sails application and then when a user will log onto an application:
- he will have a direct access to its resources (case of the trusted application)
- he will be requested to approve or deny the application from accessing his resources (case of the untrusted application)
Is this a good approach ? Any pointers on how to select the corresponding strategy based on the client trusted level ?
UPDATE
I've setup the following project on GitHub, using several tutorial and projects I found.
https://github.com/lucj/sails-oauth2-api
This project is not functional yet.
I'm still not clear on how to select the correct grant type (authorization code vs resource owner's password) when the user consume the API through an application. How to integrate this check in the policies ?
I do not manage to create the link between the OAuth endPoint (/oauth/authorize, /oauth/token) and the call to oauth2orize. Any idea ?
I finally struggled with Oauth2orize, sails and passport and managed to integrate OAuth2 security of my API in the project: https://github.com/lucj/sails-oauth2-api