I have some idea on Oauth, it's an open standard framework which helps in Authorization process by creating a token and using that to access some resources.
I googled a bit about WSO2 I understood that it provides service oriented solutions
Recently my senior said that we need to move to WSO2 . I didn't understand what he meant by that. So I did some searching again and I found that WSO2 has an Identity Server which helps in authorization.
I suggested that we can use OAuth for authorization. But my seniors insisted saying we have to use WSO2.
So I want to know what is WSO2 Authorization and how its different from OAuth?
WSO2 IS is identity and entitlement management server. It facilitates security and identity management of enterprise web applications, services, and APIs and carries support for OpenID, Information Cards, XACML, and SAML 2.0
WSO2 IS support Oauth2 too. Please refer.
http://docs.wso2.org/wiki/display/IS410/Managing+OAuth
http://blog.facilelogin.com/2012/08/wso2-oauth-20-playground-with-wso2.html
Please refer
http://docs.wso2.org/wiki/display/IS410/WSO2+Identity+Server+Documentation
for other supported authorization mechanisams.
Yes you can use WSO2 IS as for authorization. Further you can use Oauth with WSO2 IS.
Following posts will be help full.
[1] http://docs.wso2.org/wiki/display/IS410/WSO2+Identity+Server+Documentation
[2] http://blog.facilelogin.com/2012/08/wso2-oauth-20-playground-with-wso2.html
[3] http://blog.facilelogin.com/2012/08/wso2-oauth-20-playground-with-wso2.html
Related
TL;DR
Objective: Java authorization server:
OAuth2.0 authorization code grant flow with fine-grained permissions (not a mere SSO server)
User management and authentication: custom database
Client management and authentication: Keycloak
Questions: What are the best practices for implementing a Java authorization server with applicative permissions handling backed on Keycloak?
What Keycloak adapter/API should I use in my development?
How should the users be managed/appear in Keycloak if they are to appear at all?
Forewarning
I am quite the beginner with Keycloak and, though I think I understand the main principles, it seems to be a rich tool and I fear I may still be mistaken about some aspects of the best ways to use it. Please do not hesitate to correct me.
Context
We are looking at implementing an API requiring our users (henceforth "users") to grant permissions to third party applications (henceforth "clients").
Our users are stored in a custom existing database-based user management system. As for our clients, we are thinking of using Keycloak.
The users consent will be given using an OAuth2.0 Authorization code grant flow. They will log in, specify which permissions they grant and which they deny, and the client then retrieves the access token it will use to access the API.
It is my understanding that Keycloak can handle the authorization token but it should not know anything applicative, which our permissions are. As a consequence, I thought of building a custom authorization server which will use Keycloak for all identity/authentication problems but will handle the applicative permissions by itself.
Then, we will use Keycloak for client authentication and authorization code/access token management, and an applicative part will check the permissions.
Problem
Besides my first experimenting, I've been roaming the Internet for a week now and I'm surprised as I thought this would be quite a standard case. Yet I found next-to-nothing, so maybe I'm not searching correctly.
I've found many Spring/Spring Boot tutorials1 on how to make a "simple authorization server". Those are mainly SSO servers though, and few do manage permissions, with the exception of those mentioned in this SO answer2. That I think we can deal with.
The real problem I have, and that none of the tutorials I have found are treating, is the following:
How do I integrate Keycloak in this authorization server?
I've been having a look at the available Java Adapters. They look OK when it comes to authenticate but I did not see hints about how to manage clients from a custom authorization server (ie administer the realm).
I therefore suppose I should use the admin API. Am I correct and is it good practice? I saw no adapter for that, so I suppose I should then use the REST API.
I also wonder how we should integrate our users in design? Should they be duplicated inside Keycloak? In this case, should we use Keycloak's admin API to push the data from the authorization server or is there a better way?
Finally, am I missing some other obvious point?
Sorry for the long message and the many questions, but it all boils down to one question in the end:
What are the best practices when building an authorization server using Keycloak as a backbone?
1. Some examples:
Spring Boot OAuth2 tutorial -
A blog post -
Another blog post
2. I've mainly focused on the sample app provided by Spring Security OAuth
Building Java OAuth2.0 authorization server with Keycloak
This is possible but is bit tricky and there is lot of thing which needs to be customised.
You can derive some motivation from below repo.
keycloak-delegate-authn-consent
Building custom Java OAuth2.0 authorization server with MITREid
If you are open to use other implementations of Oauth and OIDC,I can suggest you MITREid which is referrence implementation of OIDC and could be customized to a great deal.Below is the link to its repo and its open source.
I myself used this to requirement similar to yours and it is highly customizable and easy to implement.
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
MITREid Connect uses Spring Security for its authentication, so you can put whatever component you like into that space. There are lots of good resources on the web about how to write and configure Spring Security filters for custom authentication mechanisms.
You'll want to look at the user-context.xml file for where the user authentication is defined. In the core project this is a simple username/password field against a local database. In others like the LDAP overlay project, this connects to an LDAP server. In some systems, like MIT's "oidc.mit.edu" server, there are actually a handful of different authentication mechanisms that can be used in parallel: LDAP, kerberos, and certificates in that case.
Note that in all cases, you'll still need to have access to a UserInfo data store somewhere. This can be sourced from the database, from LDAP, or from something else, but it needs to be available for each logged in user.
The MITREid Connect server can function as an OpenID Connect Identity Provider (IdP) and an OAuth 2.0 Authorization Server (AS) simultaneously. The server is a Spring application and its configuration files are found in openid-connect-server-webapp/src/main/webapp/WEB-INF/ and end in .xml. The configuration has been split into multiple .xml files to facilitate overrides and custom configuration.
Where can I get a tutorial or instruction how to implement my own OpenID and Oauth2 servers for authorizing my microservice? I use java app and microservice I want to put authorization to. Where can I get an example of this auth server and may be there existing ones in the internet?
Please check http://www.keycloak.org This is an open source authentication server by Red Hat. Tons of documentation, start from here:http://www.keycloak.org/documentation.html
I would recommend taking a glance at MitreID-Connect project over at github. The project claims to be the reference implementation of OpenID Connect and OAuth 2.0 and the guy behind it is active in the specification working groups.
You can find some at "Libraries, Products, and Tools" page in the website of OpenID Connect. Of course, there are many other implementations which are not listed there and java-oauth-server is one of such examples.
If you are going to implement your own OAuth 2.0 & OpenID Connect server, you will be able to find some insights in this article "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings". Especially, be careful when you write code for Redirect URI. Otherwise, security risks of your server would be increased.
There are lots of resources describing OAuth usage in terms of clients, Facebook/LinkedIn/Twitter API usages. This is ok. But I am interested in OAuth server implementation. The aim is to have the web application which also can be accessible by the mobile devices (native applications), so I need to setup OAuth on my back-end Java server. So I would like to know how LinkedIn/Facebook/Twitter implemented OAuth on their server side, and distinguish users between auth_token-s and grant the corresponding access (some kind database mapping - auth_token = user identity?).
Or maybe there is the better way to authenticate mobile user (I'm going to use REST style services for back-end)?
Facebook, LinkedIn and Twitter have implemented OAuth following the specifications for OAuth 1 (Twitter LinkedIn) and the draft for OAuth 2 (Facebook, LinkedIn).
I would suggest going for OAuth 1, or OAuth 2 User Agent Flow. If your mind is set on OAuth that is. You could always go for simple basic authentication to begin with and focus on the really hard parts, namely the design of your API itself.
If your mind is set on OAuth, check out this list of code libraries: http://oauth.net/code/. And also read up on the specifications, if you want to implement an OAuth provider, you have to know and understand the specs. Otherwise you are in for a world of pain looking for out-of-the-box libraries that will solve everything "OAuthy" for you.
The Problem:
I want to implement a set of Webservices, protected with SAML. I need to authenticate the users, and also need to authorize based on the user role.
I found some questions similar to this one, but none with satisfactory answers.
The scenario:
Java Webapp accessed only using Webservices;
SOAP - metro;
Clients use some Desktop application that they will develop.
Key features that I need:
Free software;
SAML 2.0;
LDAP(or similar solution) to manage users information;
Message level security (SOAP).
The question:
I study some SAML (SSO) solutions (e.g. Shibboleth, opemAM, JOSSO...);
Can I use any of those, without compromise any of the key features?
Or do I need to implement my own way to handle the SAML tokens?
How to do it?
Thank you!
Here are some results that I found, and/or some tips from the answers:
Shibboleth:
http://shibboleth.1660669.n2.nabble.com/Web-Service-End-to-End-Security-td5526934.html
Shiboleth doesn't do ent-to-end, just point-to-point.
http://www.predic8.com/shibboleth-web-services-sso-en.htm
Requires a proxy module for authentication, before the SP.
OpenAM:
https://wikis.forgerock.org/confluence/display/openam/Web+Services
Doesn't present a service provider (SP). Define an architecture based on client-server, where client explicitly ask for tokens, when use web methods to authenticate.
WSO2:
http://wso2.org/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server
Doesn't provide SP, you need to implement it using OpenSAML.
Still searching, please contribute!!
I am an architect at WSO2. WSO2 produces WSO2 Identity Server supporting all the features you required. You can deploy WSO2 Identity Server over an existing LDAP user store and make it act as an SAML2 IdP. We are using this functionality of Identity Server in our Platform as a Service [PASS] offering - https://stratoslive.wso2.com for SAML2 single sign on.
This is a good starting point and you can download WSO2 Identity Server from here.
Since no one answered with a valid option. I decide to secure the services with metro SAML, and try to provide the tokens using OpenAM.
For this you could have a look at jasig CAS.
We don't use SAML yet, but it should work as described here
Which Java library do you recommend to implement authentication in a Java web app (just servlets & JSPs)? We want to offer the most common authentication providers (Facebook, Yahoo, Gmail, etc.) and also local account registration.
I have found SocialAuth but it looks pretty new and I don't know if there are better alternatives. In addition, it looks like SocialAuth will request access to users contacts which I don't need and could annoy our users.
Thanks!
You can checkout the newer version of SocialAuth, u can set the level of permissions to be asked from the users.
Spring Security is a good starting point to get a flexible authentication system in your project.
http://static.springsource.org/spring-security/site/
There is a spring-security-facebook plugin that will integrate facebook auth.
http://code.google.com/p/spring-security-facebook/
I'm not sure about the others specifically. If you are talking about OpenID then spring security supports that.
I ended up using openid4java to integrate Google and Yahoo OpenId, and plain HttpClient calls to integrate OAuth based services (Facebook and Hotmail).