We are developing a suite of ServiceStack based sites and would like to share user credentials between them.
From reading around, I THINK what we need, is for one of the sites to act as an OpenID Identity server, with both it and the other sites logging into its OpenID realm (Excuse me if the lingo is incorrect!).
I understand that ServiceStack, with DotNetOpenAuth, can authenticate against custom OpenID realms, and it seems that DotNetOpenAuth can also act as an OpenID provider, which could be what we need, but I haven't yet found any examples of how to put the two together.
Am I on the right track, and if so, does anyone have an example of this?
Many thanks.
Update:
Further reading suggests IdentityServer3 could be the solution, but I suspect hosted outside of ServiceStack?
So I was trying to do a POC on SSO using gbraad/passport-saml-example, which is not working, as apparently the IdP for the app stopped providing. Being a newbie in this, I have so many questions; it would be awesome if someone could help me answer them.
1. Is something wrong in the code?
2. If nothing is wrong, how do I test it? I mean, is there another IdP we can try?
3. How can we use saml2-js? Is there any working copy I can refer to?
What you want is there: https://idp.testshib.org/idp/Authn/UserPassword, but as you see, the service provider is not specified, because that link doesn't get called with a redirect binding from a trusted SAML Service Provider.
1.) Not sure; I am looking for a SAMLv2 service provider solution myself (as an alternative to the working Shibboleth SP I have set up) and came across this question.
2.) I did notice, when looking at the repository you mentioned, that it's using a different Identity Provider than the one I tested my Shibboleth Service Provider on. So, if you need a working Identity Provider, look here: http://www.testshib.org/test.html. That is maintained by the people who maintain Shibboleth, I believe.
3.) I am going to dive into the saml2-js with what I know about Service Providers and see if I can get it going.
My main reason for not using the Shibboleth modules for Apache or IIS is that I don't know how to get hold of the attributes without scraping. I'm hoping the Express solution will be easier to understand and stand up quickly, while meeting other important requirements.
At the moment we are building a web shop as a SPA application. All the SKU information is provided by a Web Api 2 service.
Of course the web shop is publicly available to every visitor, and currently there is only one user who can log in to manage the web shop: the administrator.
For the administrator we built in the basic authentication with the bearer token, as a lot of samples on the internet show us, but now we need every user to log in before they can see any product. Not really what we have in mind for a web shop ;-)
What we would like to implement is that our Web Api is not available to the world but only for our SPA application. Every blog post or tutorial on authorization seems to assume that there is always a user that needs to log in, in our case there is only one user: the administrator.
The AllowAnonymous attribute makes specific API calls available to the world again, so that's also a dead end.
Basically it comes down to preventing any other apps (web or mobile) to fetch the data from our Web Api.
What would be the best and most secure approach to secure our Web Api without having the anonymous visitors of our web shop to log in?
Solution for now: Although I'm not 100% happy with this solution, it will work for now. We implemented the OAuth Implicit flow with CORS enabled for a specific domain.
You should take a look at the OAuth 2.0 client credentials flow. The client in OAuth speak is the application and not the user using the application. This way you can make sure only your SPA app can access the backend API.
The parts that should only allow access to the administrator you can decorate with the [Authorize(Roles = "administrator")] attribute, which prevents any other roles from having access.
I think Json Web Token could help you with this. This article has more information about using Json Web Token for granular authorization of your web api.
OAuth 2.0 is inherently insecure, and solely relies upon SSL. It has no encryption, and most of the latest web api gurus are suggesting that it's dead. This again is relative to what you need the security for. If it's for a social SPA where the data isn't financial or medical, for example, and good enough SSL security is ok, then perhaps OpenID or OAuth2 is suitable.
A much better solution is to implement Identity 2.0 for the Web API authentication flow, and then utilize something like Hawk Protocol for HTTP MAC implementation. Check this out: https://github.com/webapibook/hawknet for an example.
For an OAuth2 framework and an extensible solution, check out Thinktecture.IdentityServer3 on GitHub.
For a lightweight .net 4.5 Web API Tokenization solution, check out Thinktecture.IdentityServer2 on GitHub.
Hope it helps.
I am completely new to ADFS. I need to access the ADFS server through node.js. I am searching for good reference notes, with implementation. Please also suggest which protocol is best for requesting. Video tutorials are also helpful.
I assume what you want is to authenticate users in AD (via ADFS), for your nodejs based web app. I'd recommend looking first at passport.js.
ADFS supports 2 protocols for web sites: WS-Federation or SAML-P. WS-Fed might be simpler. We open sourced the strategy for WS-Fed and SAML that we use in our product. A strategy is essentially a plug-in for passport.
That strategy should give you a good start.
ADFS v3.0 exposes OAuth2.
You could use Passport.js with OAuth support or Kong with OAuth support.
You could go the ADFS 2016 OpenId Connect route for ease of implementation (passport.js, only a feature request for kong).
If you're going the Azure route, there's one (passport-azure-ad by the Windows Azure team) specifically for that.
It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization.
Otherwise (versions disallowing, etc.), I recommend Eugenio Pace's answer.
Then check this; it is a complete solution (not a video tutorial):
Using Active Directory Federation Services to Authenticate / Authorize Node.js Apps in Windows Azure
http://seroter.wordpress.com/2013/04/22/using-active-directory-federation-services-to-authenticate-authorize-node-js-apps-in-windows-azure/
A pretty fresh tutorial (2013/04/22).
Google provides a bunch of apps like Plus, Gmail, Docs, Reader, etc. Internally, these apps can talk to each other securely somehow to query information/data. I am wondering conceptually how Google implements this secured authentication and authorization among their apps internally. Does anyone know about this?
I think all these apps are working on separate sockets; by that I mean all the applications work separately, and security can be implemented there as well.
I'm not very sure about my answer; correct me if I'm wrong.
Application-to-application authentication for end users is implemented via OAuth 2.0 service accounts. It is likely that the mechanism is reused internally as it fits the needs.
Are there any open source centralized authorization services available? There are lots of solutions for centralizing the authentication information (eg: CAS and JOSSO), but what about the authorization information?
There are some really good authorization frameworks (eg: Spring Security (formerly Acegi) and Seam Security), but it seems that I have to composite these into individual tiers or services. In other words, I can't run them standalone very easily. With a SOA, it seems like it would be very valuable to centralize not just the authentication but the authorization information as well (ie: roles, permissions, rules, etc.).
Any suggestions?
Are you looking for something that supports XACML? If so, the closest to open source you can get is the OpenSSO project which has portions of what you seek.
The openly available Kerberos implementations provide Client Service Authorization as well as Client Authentication.
Read about Using Kerberos 5 on Red Hat Linux.
Hmm, maybe you can use an SSO solution and create a service which returns all the authorization information (roles, permissions, rules, etc.) and make each application use this service to get each authenticated user's authorization information.
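The two answers above (the XACML pointer and the "one service that returns authorization information" suggestion) describe the same shape: applications stop evaluating rules themselves and ask one central policy decision point. As an added example, not from OpenSSO or any project named on the page, here is that shape in miniature: a PDP that holds the subject attributes and a shared policy set (deny-overrides, fail closed when no rule applies), and the small policy enforcement point each application embeds. The users, resource types and rules are constructed for the example, and policies are plain predicates rather than XACML XML.

```javascript
// Added example: a minimal centralized authorization service in the XACML pattern.
// Subjects, resource types and policies are constructed for the example.

// Attribute store: what the central service knows about each authenticated user.
// An unauthenticated request has no entry and gets an empty role list.
const SUBJECTS = {
  alice: { roles: ['administrator'], dept: 'it' },
  bob: { roles: ['customer'], dept: 'sales' },
};

// Shared policy set. Each rule matches on (subject, resource, action, environment)
// and yields an effect. Combining algorithm: deny-overrides; not applicable => deny.
const POLICIES = [
  { id: 'admins-manage-all', effect: 'permit',
    match: (s) => s.roles.includes('administrator') },
  { id: 'anyone-reads-catalog', effect: 'permit',
    match: (s, r, a) => r.type === 'product' && a === 'read' },
  { id: 'owner-reads-own-order', effect: 'permit',
    match: (s, r, a) => r.type === 'order' && a === 'read' && r.owner === s.id },
  { id: 'no-delete-outside-business-hours', effect: 'deny',
    match: (s, r, a, env) => a === 'delete' && (env.hour < 8 || env.hour >= 18) },
];

// Policy decision point: the one place rules are evaluated.
// request = { subject, resource: { type, ... }, action, env }
function decide(request) {
  const attrs = SUBJECTS[request.subject] || { roles: [], dept: null };
  const subject = { id: request.subject, ...attrs };
  const env = request.env || {};
  const applicable = POLICIES.filter((p) => p.match(subject, request.resource, request.action, env));
  if (applicable.length === 0) return { decision: 'deny', reason: 'not-applicable' };
  const deny = applicable.find((p) => p.effect === 'deny');
  if (deny) return { decision: 'deny', reason: deny.id };
  return { decision: 'permit', reason: applicable[0].id };
}

// Policy enforcement point: what each application embeds. It never evaluates
// policy itself; `pdp` stands in for the remote call to the central service.
function enforce(pdp, subject, resource, action, env) {
  return pdp({ subject, resource, action, env }).decision === 'permit';
}
```

Keeping the PEP this thin is the point of centralizing: when a rule changes (for example the business-hours restriction), only the service's policy set changes and every application picks it up on the next decision, which is what makes roles and permissions consistent across an SOA.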