sorry for my poor english...
I 'll do my best to write question.
Basically, keycloak provide loginPage where login form has a some name and value parameter determined by keycloak (forexample session_code, excustion, client_id, tab_id).
this way is Server side randering(SSR).
However, I want to login process with keycloak in API way. In this case, it's not possible to use those parameter.
How to use apis below to login?
enter code here:8180/auth/realms/{realm}/login-action/authenticate
enter code here:8180/auth/realms/{realm}/protocol/openid-connect/certs
enter code here:8180/auth/realms/{realm}/protocol/openid-connect/token
It's not a good practice from the security point of view to host your login page somewhere else. It would be better to allow Keycloak to have control over the login process so that the integrity of the overall process would be kept. But in case you really need to do that, you can have your own UI hosted somewhere else and send the credentials you received from the user to the Keycloak via OAuth password grant type. It's not recommended and is going to be deprecated. I suggest you to check the recommended approaches mentioned here.
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
i am working on a java/j2ee based web application where i have one module called leave management in which when the employee request for the leave the manager approves or reject leave by log in to the application,Here log in into the application creates an extra overhead for the user , so i am trying to implement a feature where the manager can approve or reject the from his/her mail itself as mail is sent to the manager every time the employee request for leave based on the parameters in the url in the link like this
without log in to the application
https://my.xyz.com//LEAVE#LeaveReq#123#1545#State
So my question is
Is it possible to achieve this without log in to the application and saving values to the database and without breaching the security.
2.If yes, how can i implement this?
Yes you could. Just pass in some other parameters like say we call it token which would contain a "random" string which is currently in your database.
Each request that doesn't require authentication should also pass in this token. You check the token in your database if it is there then do the request, if not, you know what to do. If a token is consumed, you could either delete it from your DB (meaning each token is one-time use only).
EDIT: Regarding whether the correct manager approves/reject, well that's difficult without something like authentication to identity the manager.
We just rely on the fact that that URL can only be used once, and that it can only be seen on the email of the appropriate person.
is it possible? Certainly.
Is it desirable? Maybe not. What prevents someone else from sending that confirmation email? You need to find a way to secure it all.
How to do it? A REST webservice comes to mind, with the manager just clicking a link in that automatically generated email which launches a webservice request.
Or you set up a system where the server can receive emails, and the manager can then just forward the leave request to either of 2 email addresses.
There should be at least single authentication like a pin code or password before manager approve or disapprove the leave. Don't think about overhead, for such circumstances security is equally important.
Is it possible to achieve this without log in to the application and
saving values to the database and without breaching the security.
When the manager gets an email & he clicks on the approve. Ideally a request is fired from manager's system carrying an authentication token or something like a remember me token. In this case the application won't prompt the manager to login. It will tally the request token with token stored in the db & would let manager in.
Check how remember me works in web applications. You can create a remember me token for manager for an indefinite amount of time. This way the app will never prompt the manager for a login. But there is a caveat, this approach is a little vulnerable for attack. If there is a man in middle attack the hacker will get hold of the manager's client side cookies & would always login with ease. The auth token should be changed periodically. You can always implement remember me, it just depends on what level of security you require.
Bottom line: Yes it is possible, generate a remember me token which will always be included in the manager's email request for approving employee's leave request. Just follow the best practices to implement a remember me token.
Another way is
If your application is implementing security using filters. You can bypass the request for leave approval. Just put a secure none attribute for that particular request in ant style say "yourapp/approval" resource. Now the server side code would let all the requests in this pattern pass without security check. But this approach is a strict No No. If this happens a hacker which intercepts the leave request from the employee's browser can approve his leave by himself. No need of manager's authentication.
If yes, how can i implement this?
Implementing remember-me for a website
You can also integrate Spring Security with your code. It's hell of a framework, one stop solution for all the security related features which your app would require. You don't have to write the login for implementing auth token & stuff from scratch.
Is it possible? Certainly.
Is it desirable? Yes
Use a one time hash(sha1 hash may be) in the link to approve and after approving the email, send an email to the person who approved the email saying that "He/She has approved a leave for this particular person"
So the manager/authorizer is aware about it.
How password rest with an email link works could be a good analogy.
I think login is not critical for this scenario assuming that cancelling a approved leave is not that critical.(It happens usually in many companies)
I am trying to write an external Java application that collects posts from Yammer using its REST API and I am experiencing issues with the authentication part.
To extract the data I want a regular yammer user (I do not have admin permissions) to be authenticated automatically from the Java application without any prompts. Does anyone know whether this is feasible and moreover - whether it is feasible in a SSO-enabled network? If yes, what kind of authentication libraries should I use? Is there some documentation/sample code snippet describing how to log in to Yammer via Java and not via a Yammer app?
I've seen that there are similar questions here, but are still unanswered.
I will appreciate any know-how on the topic!
Thanks!
The only way to authenticate to yammer without any prompt is to pass a persistent oauth token as an authorization bearer token in your request header. The caveat is, users cannot be dynamic.
It is pretty simple to generate the access token. For that you need client Id and client Secret.Steps are available in https://developer.yammer.com/v1.0/docs/test-token.
But if you don't have that information, go to https://developer.yammer.com and log on with the credentials and try some Rest API(Try It Out section) in the developer site. Copy the Authorization code from the Request Headers and you can use it in your application.
Note: Access Tokens for users are long lived, expiring when users are suspended, change their Yammer password (non-SSO networks only), or users manually revoke them
I know that CAS is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password.
So, How can i use Jasig CAS server for android mobile applications ? some guidelines would be very useful!
Actually there exist two ways of doing this, each of them has some drawbacks.
1) Expose the REST interface (here you'll find a simple JAVA client that consumes them and a iOS sample how to use it on a mobile)
The problem here is that if somebody downloads your application from the store and checks the network traffic in it (or simply decomposes it) he'll find the calls you make. With this he could create an APP that does the same as you do, and log the passwords entered by the users (like a man-in-the-middle attack)
2) Open the real website in a web view inside your APP
You'll need to create a modle login page, or a responsive one on your CAS server so that it looks nice. Obviously even here somebody could theoretically copy your APP and the Website on your CAS fake both to look like your APP grab the username and password and send it in background to your CAS to give to the user the impression that everything went right but it is much more complex.
However even here u'll need to tweak the CAS; CAS is designed to accept a login for a service to which it would redirect after successful login. Therefore in this case you'll need to add a fake service to the CAS configuration and check if the webview will redirect to it. when that happens u'll find the TGT in the CASTGC cookie.
In our first APPs we used the REST version, but then as we use our CAS for websites too we wanted to restrict the REST access only to other servers in the facility, so we came up with the second solution which seems to fit better, but overall CAS seems not to be prepared for mobile APPs
You can set up CAS in order to expose REST service, this allow to validate credentials.
Documentation: https://wiki.jasig.org/display/casum/restful+api
This is related to OpenId authentication.
I have implemented the google and yahoo openId auth with java in struts2
but it is achieved through page redirection to openId provider auth page and then back to my own success web-page.
But what i wanted was same as facebook auth. were in json object is passed from fb and fb authentication is done in a pop-up. so that redirection can be avoided.
Plz help me out.
I have somewhat implemented which is mentioned in this post part1-part4: http://javadeveloperjournal.blogspot.in/2011/08/integrating-openid-into-my-struts-2-app.html
First, i will not suggest to use OpenID for Facebook and Facebook do not provides its own implementation for the OpenID but rely on certain third party implimentations.
Best way to go with OAuth which is quite similar to what OpenID is with only differences in the level of security and authentication.
While Constructing a URL to the OAuth Dialog, you can specify a parameter namely display indicating if you want a page redirect or pop-up, by default the value of this parameter is set to page
Please go through Facebook documentation for implementing OAuth
oauth using Facebook
That redirection is an mandatory part of the OpenID specification. Anyhow to authenticate users in that manner, whoever the OpenID Provider should support it. But facebook does't as far as I know. Use Oauth, facebook supports it and it is an open standard, so it is always better to go with open standards.
Well as the other answers have indicated, that passing you to the OpenID provider to login is part of the specification. Also in agreement with Umesh above, Facebook provides Facebook Connect, which isn't OpenId, but allows you to authenticate users using this method.
See: Is Facebook an OpenID provider?
What I do want to add however is clarification that you don't just run off and create an OAuth based authentication system because OpenID isn't what you want to use. OAuth provides you with more than just login authentication, there's more power in there - which strangely users are unaware of. OpenId passes along your credentials and OAuth passes along access to your data. So with OpenId the website can authenticate me, with OAuth the website can authenticate me and possibly have access to all my email or my documents in Google Drive. The good thing is that you the user has to explicitly allow this access.
But erring on the side of privacy you'd want to build a compelling case for an application that needs the power of OAuth. Like the picture in the article below, one's the different between asking for a notarized letter to prove your identity, and asking for a valet key to prove your identity.
A valet is OAuth, I need them to take my car and park it in the parking lot, so I give them a valet key. It can't open the glove compartment or the trunk, but they can open the driver's side door and start the ignition - which is all I need them to do, and no more. However I don't give the cashier at the grocery my valet key when I'm paying with a personal check, she just needs to see a photo ID, any gov't issued ID will work. Technically my valet key which will allow her to open my car and read my VIN and possibly authenticate it against a DMV database should also work, but that's probably overkill.
There are good uses for OpenId, OAuth and Federated logins, but as developers we need to understand when and where we should use each of them.
http://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_OAuth