I am using authorization code flow with PKCE, and would like to deny access to Authorization Server if the client is using an embedded user agent. I am using IdentityServer 4 for authorization server, and Asp.net core 2.2 for the API, both running on IIS 8.
I have search for solutions on how to deny embedded user agents on native application to access Authorization server, but I cant find any steps on how to implement/configure this. Is there anyone that could provide steps on how to deny access from these kind of applications?
Thanks in advance
Related
I have a nodejs webapp with many users with a custom login process. I would like gitlab to accept that authentication and not force users to create a new app. What is the best way to accomplish this?
I would go for OAuth 2.0 Single Sign On (SSO). Below you can find the architecture diagram taken from here. As you can see the client is redirected to log in in the OAuth2 provider to get a valid token for authentication. The OAuth2 server must be configured for the application requesting access including the secret, the client id and the callback URL.
You can configure GitLab CE to sign in with almost any OAuth2 provider. Only be careful with the limitations:
It can only be used for Single Sign on, and will not provide any other access granted by any OAuth provider (importing projects or users, etc)
It only supports the Authorization Grant flow (most common for client-server applications, like GitLab)
It is not able to fetch user information from more than one URL
It has not been tested with user information formats other than JSON
You also need to configure your node js web application as an OAuth2 server. There are npm availables with the source code here.
Recommendation
I would install some open source Identity Management to separate the user management from your webapp, provides better integration with other third parties and forget about encryption and other stuff you need to take care in your webapp. There are multiple options such as KeyCloak for instance.
You have to define a dedicated user , and use the private_token of this user to login for ALL users that will use your application.
The restricition would imply all users will have the same rights ....
The other solution is to use the Private Token of the user at login. In this case , only the rights of these particular users will be used.
I've been doing some work with OAUTH 2 in the last few years. I have a few authorization servers and several clients using them.
Anyone who has made an app or some client solution that uses OAUTH2 knows that the client secret can be a problem. One can mitigate this somewhat by using access code grant. There has been talk about using a proxy for the secret.
My question is about the redirect URI - this was meant to protect the Access Code grant process. The Auth server will only return the access code to the redirect that is on file (in the database for that client ID). The issue comes into play with mobile apps. They usually depends on https://127.0.0.1 or https://localhost for a redirect URI. Anyone can get a localhost token, right?
With this being the case, what is stopping someone from impersonating a clientID using the localhost redirect URI? Could I not make a copy-cat app, use the same OAUTH2 sign in flow using the real client ID and if I was able to get a user to login, I now have an OAUTH token to access resource servers with. Am I wrong?
If anyone can shed more light on this, I would be greatly appreciative. I want to learn as much as possible, anything helps.
The attack that you describe is a known weakness when using the Authorization Code grant for native mobile apps. An OAuth 2.0 extension called "Proof Key for Code Exchange" has been developed to mitigate against this threat through the use of a "code verifier" that is dynamically generated and only known by the real Client.
This work was standardized in the IETF as an RFC called Proof Key for Code Exchange by OAuth Public Clients, available at: https://www.rfc-editor.org/rfc/rfc7636
I have developed a REST API with sailsjs and I'd like to add OAuth2 authorization to secure this API. I'm quite new to OAuth and I'm not sure where to start.
I found several modules that could be used for this purposes, for instance oauth2orize and an example of its usage https://github.com/aaron524/sails-oauth2-provider-example but I do not fully understand how this is working internally.
Basically, I'll have several clients consuming the API I'm developing:
- clients that I trust and that I'd like to use with the "Resource Owner Credential Authorization"
- clients that I do not trust and that will connect using the Authorization Code flow
I was thinking of adding a trusted property to the Client model within the sails application and then when a user will log onto an application:
- he will have a direct access to its resources (case of the trusted application)
- he will be requested to approve or deny the application from accessing his resources (case of the untrusted application)
Is this a good approach ? Any pointers on how to select the corresponding strategy based on the client trusted level ?
UPDATE
I've setup the following project on GitHub, using several tutorial and projects I found.
https://github.com/lucj/sails-oauth2-api
This project is not functional yet.
I'm still not clear on how to select the correct grant type (authorization code vs resource owner's password) when the user consume the API through an application. How to integrate this check in the policies ?
I do not manage to create the link between the OAuth endPoint (/oauth/authorize, /oauth/token) and the call to oauth2orize. Any idea ?
I finally struggled with Oauth2orize, sails and passport and managed to integrate OAuth2 security of my API in the project: https://github.com/lucj/sails-oauth2-api
I want to configure a WSO2 identity server as security repository for my WSO2 application server. I've read the application server online documentation but I didn't find any reference to this configuration.
Is there any tutorial?
Simple Scenario : I have a Web app configured to use Basic Auth in the web.xml file , and i want to use wso2is as the user store for authentication and authorization.
It is possible to use web service API to integrate with WSO2 Identity Server. WSO2 IS has user-mgt,entitlement APIs.For any user-mgt action and check authorization action, we can call these APIs from any product. Sorry I couldn't find any tutorial describing this.
Hope following blog post may helpful to you at some point, as it is recommend you to have external LDAP user store. It describes how to connect external LDAP with WSO2 Identity Server.
http://blog.facilelogin.com/2009/06/connecting-wso2-identity-server-20-to.html
Do you want to use the Identity Server for authentication?
Or do you just need a user store?
Or do you need a Token-Service to secure the communication between App-Server and Web-Services?
It is not clear what exactly you want to use th Identity server for. In JBoss for example you also can use authentication with an LDAP, thus you wouldn't need the Identity Server.
We have an API for our local search website, which is used on our Mobile Apps.
Currently,
The API is not public
No user data is provided in the API
is running over http
I want to secure our data which is sent over the API. I have done some research, and looks like Oauth is the way to go
Is Oauth the right way to do it? (we'll currently use 2 legged oauth but in future if we need user permission we'll move to 3 legged oauth)
Do we need https for the API? Would a self signed certificate work fine?
Oauth's best suited for scenarios that involve a third party (Provider). For example: sign in with Facebook.
If the user has to login to your service to access the API, you can use basic authentication. (Attach credentials to Http header over Https)
Finally: Yes you need Https. And a self-signed certificate can work if you control the client and the server. For example for Android you can import your certificates):
http://developer.android.com/training/articles/security-ssl.html (Self-signed server certificate section)
However, if you are creating a web client, user would get a warning for untrusted site.