I am looking for building an iOS/Android and Angular app with Java at the backend(REST API). Java will use spring framework. I am looking for the options for User authentication. iOS/Android App will be used by the client and Angular web app will be used my management. Angular web users will have different roles so requirement requires authentication(email and password) as well as authorization. Considering this I was thinking of using Spring Security with a custom UserDetailService. However I guess that will have issues with cookies. I looked into AWS Cognito Identity and Firebase and got more confused. It will be a great help if someone can share there experience with such requirement.
i had created basic login application in angular application by referring the links:
http://jasonwatmore.com/post/2015/03/10/angularjs-user-registration-and-login-example-tutorial
and i have used cakePHP3 for rest API generation and Token is generated on the the basis of JWT, JSON Web Token (JWT) is a JSON-based open standard used for passing claims between two parties in the context of web application environment. These token are specially designed to be very compact and URL safe. Their usability in the context of web browser single sign-on is also remarkable. JWT claims are useful for passing identities’ verification between service providers and identity providers. you'll find the reference links on internet.
for android and IOS you need to learn JSON parsing first. In android, JSON parsing can be done using OKHttpclient/Volley "android hive" is best site to learn jsonParsing and in IOS jsonParsing can be done using AFNetworking.
Hope this will help you.
The Ideal Project for you is Spring Security OAuth2. With this you can make your REST API Stateless and no need to worry about Cookies and Sessions.
Related
TL;DR
Objective: Java authorization server:
OAuth2.0 authorization code grant flow with fine-grained permissions (not a mere SSO server)
User management and authentication: custom database
Client management and authentication: Keycloak
Questions: What are the best practices for implementing a Java authorization server with applicative permissions handling backed on Keycloak?
What Keycloak adapter/API should I use in my development?
How should the users be managed/appear in Keycloak if they are to appear at all?
Forewarning
I am quite the beginner with Keycloak and, though I think I understand the main principles, it seems to be a rich tool and I fear I may still be mistaken about some aspects of the best ways to use it. Please do not hesitate to correct me.
Context
We are looking at implementing an API requiring our users (henceforth "users") to grant permissions to third party applications (henceforth "clients").
Our users are stored in a custom existing database-based user management system. As for our clients, we are thinking of using Keycloak.
The users consent will be given using an OAuth2.0 Authorization code grant flow. They will log in, specify which permissions they grant and which they deny, and the client then retrieves the access token it will use to access the API.
It is my understanding that Keycloak can handle the authorization token but it should not know anything applicative, which our permissions are. As a consequence, I thought of building a custom authorization server which will use Keycloak for all identity/authentication problems but will handle the applicative permissions by itself.
Then, we will use Keycloak for client authentication and authorization code/access token management, and an applicative part will check the permissions.
Problem
Besides my first experimenting, I've been roaming the Internet for a week now and I'm surprised as I thought this would be quite a standard case. Yet I found next-to-nothing, so maybe I'm not searching correctly.
I've found many Spring/Spring Boot tutorials1 on how to make a "simple authorization server". Those are mainly SSO servers though, and few do manage permissions, with the exception of those mentioned in this SO answer2. That I think we can deal with.
The real problem I have, and that none of the tutorials I have found are treating, is the following:
How do I integrate Keycloak in this authorization server?
I've been having a look at the available Java Adapters. They look OK when it comes to authenticate but I did not see hints about how to manage clients from a custom authorization server (ie administer the realm).
I therefore suppose I should use the admin API. Am I correct and is it good practice? I saw no adapter for that, so I suppose I should then use the REST API.
I also wonder how we should integrate our users in design? Should they be duplicated inside Keycloak? In this case, should we use Keycloak's admin API to push the data from the authorization server or is there a better way?
Finally, am I missing some other obvious point?
Sorry for the long message and the many questions, but it all boils down to one question in the end:
What are the best practices when building an authorization server using Keycloak as a backbone?
1. Some examples:
Spring Boot OAuth2 tutorial -
A blog post -
Another blog post
2. I've mainly focused on the sample app provided by Spring Security OAuth
Building Java OAuth2.0 authorization server with Keycloak
This is possible but is bit tricky and there is lot of thing which needs to be customised.
You can derive some motivation from below repo.
keycloak-delegate-authn-consent
Building custom Java OAuth2.0 authorization server with MITREid
If you are open to use other implementations of Oauth and OIDC,I can suggest you MITREid which is referrence implementation of OIDC and could be customized to a great deal.Below is the link to its repo and its open source.
I myself used this to requirement similar to yours and it is highly customizable and easy to implement.
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
MITREid Connect uses Spring Security for its authentication, so you can put whatever component you like into that space. There are lots of good resources on the web about how to write and configure Spring Security filters for custom authentication mechanisms.
You'll want to look at the user-context.xml file for where the user authentication is defined. In the core project this is a simple username/password field against a local database. In others like the LDAP overlay project, this connects to an LDAP server. In some systems, like MIT's "oidc.mit.edu" server, there are actually a handful of different authentication mechanisms that can be used in parallel: LDAP, kerberos, and certificates in that case.
Note that in all cases, you'll still need to have access to a UserInfo data store somewhere. This can be sourced from the database, from LDAP, or from something else, but it needs to be available for each logged in user.
The MITREid Connect server can function as an OpenID Connect Identity Provider (IdP) and an OAuth 2.0 Authorization Server (AS) simultaneously. The server is a Spring application and its configuration files are found in openid-connect-server-webapp/src/main/webapp/WEB-INF/ and end in .xml. The configuration has been split into multiple .xml files to facilitate overrides and custom configuration.
Let's say I have a simple application.
How to set up OAuth2 to allow another application to access to some parts of my application.
For example, when devs want to use the Facebook API, they use the Facebook API User interface that generate Client id, client secret etc.
So, this is what i want my website do. provide client credentials when they request them.Not necessary by building an UI but programmatically (JAVA).
In other words, what is the stack behind the facebook API OAuth UI ? Is there a simple framework to set it up quickly and easily ?
thank you
There are lots of frameworks for setting up OAuth in a Java application. I would recommend having a look at Spring Boot, for example.
I am developing a application which uses Spring Rest services. I am using basic auth for authentication. I know that it is unsecure. My end client are capable of handling OAuth. I want to use OAuth, can any one point me to how to do OAuth in Java. I saw some examples they mention about Twitter , Google and Facebook.But I don't want to use social networking sites.
OAuth is a concept, and not any library which you can inject, (of course libraries exists to implement that)
So if you want to have OAuth in your application (i.e your application has its own OAuth), you have to setup following things
Authentication Server
Provide Provision to Manage OAuth Clients
Manage AccessTokens
Check out the OAuth 2.0 Specification to get clear understanding of how it works and how to build your own.
https://www.rfc-editor.org/rfc/rfc6749
I have a webapp that provides rest based end points built using jersey. I have a frontend in Angular material that consumes these stateless rest endpoints. Now I have a requirement for authentication in which I need to integrate the app with okta for SSO in particular moderation pages. Any idea on how I can proceed as I only have stateless services with me and I do not want to store authentication info with angular.
Correct me if I'm wrong, but this sounds like you have something similar to a single page web app (meaning an app running in the browser) that calls a backend REST API.
If that's your situation, I would suggest you to go with OpenID Connect and the Implicit Flow. You can find code samples at https://github.com/jpf/okta-oidc-beta (which will leverage the Okta Sign In Widget) and at https://github.com/mcguinness/okta-oidc-sample (which is using the Okta Authentication JavaScript SDK).
The Okta Sign In Widget is an order of magnitude easier to use so I would recommend you to go that route first (+ it provides full support for password resets, multi factor authentication, etc...).
You will also find some good information and resources on our OpenID Connect page for developers, which you will find at http://developer.okta.com/docs/api/resources/oidc.html.
I am working on writing a private REST API with Play! that I will make calls to from a mobile application and I am confused about how to keep it secure.
When working through the Yet Another Blog Engine example in Play!'s documentation, I worked through their authentication example, and it deals with logging in through a browser. From what I understand about Play!'s Secure module, it helps with browser sessions. Additionally, every StackOverflow question I have seen has been involved with an administration module on the web and the questions have been pertaining to sessions as well.
Does the Play! framework have any built in mechanism to prevent session hijacking?
Enforce Https routing for login with play framework
My current understanding of how the security should work:
The mobile app "logs in" to the web app and obtains some kind of token
With each subsequent call the token is appended to the end of the API call
If the mobile user "logs out" or the token expires, the web app removes the token
Every API call uses HTTPS in order to maintain security
Is it possible for me to make an HTTP request from the mobile application to the web application I create using Play! Framework while keeping it secure?
Am I approaching the whole situation incorrectly?
This is the first Play! app I have created and this is the first time I have used Heroku. I am not too far in that I would be opposed to switching to something else if it were significantly easier/more efficient/better suited to solve this problem.
EDIT: Also, in Play!'s YABE tutorial, it seems like they check the password in plain text. Just from a general standpoint, how is that not a security issue?
EDIT 2: I have looked over OAuth provider information and it seems to solve the problem. My only apprehension with it is that v2.0 has known security flaws and v1.0 seems complicated to implement for a situation where all I need is a secure connection between a mobile app and a web app. If I were to make every call require SSL, could I make each Play method just take username and password as parameters and disregard OAuth completely?
Your example of having a mobile application authorize itself with a web application is achieved with an authorization framework like OAuth. This allows the web app to let the user login then issue an access token to the mobile app for making requests as that user, without the mobile app having to deal with the user's password.
Have a look at an OAuth provider module for Play. If you Google, you might find an OAuth client module for Play, but that's for the other side of OAuth, allowing your web app to authorize against a 3rd party provider. You'd then use an OAuth client library in your mobile app to deal with acquiring an access token.
It could even be a generic Java libary for OAuth - the Play 2.0 documentation for OAuth states that it hasn't provided an OAuth 2.0 module because it's simple enough not to even need a library. However there are a few Java libraries available.
Here's a project where somebody's put together some OAuth provider stuff with Play (referenced from this forum post):
https://github.com/mashup-fm/playframework-oauthprovider