We will be creating a web application in java.
For User Authentication currently we are using LDAP. But we want to have some other options like application level authentication (from database) , gmail, facebook etc.
Somewhat similar to what stack overflow has on login page.
We will be maintaining a properties file which will consist of all the available options for authentication like LDAP, facebook, gmail etc.
If we want to add one more authentication service we will add it in this properties file and then we will need to add helper file which will do the actual work of doing the authentication.
This should be highly customizable.
I have following questions regarding this,
1) What is the best way to go about this?
2) How to do third party authentication like google, facebook etc?
PS: When we do the authentication using gmail etc, we will need some basic information back to our application which we can use.
One popular solution is Spring Security (which used to be called Acegi). It has various backend authentications and handles openID and LDAP. You could use it with the openID selector mentioned by Abdel. If you google around you can find various plugins to connect with different backend authenticators, including JAAS.
Stackoverflow (Stackexchange) is using a modified version of openid-selector. It is highly customizable and you can add your own selectors as well.
You can authenticate with google, facebook, and other social networking sites using openID or OAuth mechanism. You can make use of many libraries available for java.Have a look at openid4java. You can also refer to this list for libraries as well.
You can get some basic information (Name, Email, Photos etc) from Google, Yahoo or other openid providers.
Related
TL;DR
Objective: Java authorization server:
OAuth2.0 authorization code grant flow with fine-grained permissions (not a mere SSO server)
User management and authentication: custom database
Client management and authentication: Keycloak
Questions: What are the best practices for implementing a Java authorization server with applicative permissions handling backed on Keycloak?
What Keycloak adapter/API should I use in my development?
How should the users be managed/appear in Keycloak if they are to appear at all?
Forewarning
I am quite the beginner with Keycloak and, though I think I understand the main principles, it seems to be a rich tool and I fear I may still be mistaken about some aspects of the best ways to use it. Please do not hesitate to correct me.
Context
We are looking at implementing an API requiring our users (henceforth "users") to grant permissions to third party applications (henceforth "clients").
Our users are stored in a custom existing database-based user management system. As for our clients, we are thinking of using Keycloak.
The users consent will be given using an OAuth2.0 Authorization code grant flow. They will log in, specify which permissions they grant and which they deny, and the client then retrieves the access token it will use to access the API.
It is my understanding that Keycloak can handle the authorization token but it should not know anything applicative, which our permissions are. As a consequence, I thought of building a custom authorization server which will use Keycloak for all identity/authentication problems but will handle the applicative permissions by itself.
Then, we will use Keycloak for client authentication and authorization code/access token management, and an applicative part will check the permissions.
Problem
Besides my first experimenting, I've been roaming the Internet for a week now and I'm surprised as I thought this would be quite a standard case. Yet I found next-to-nothing, so maybe I'm not searching correctly.
I've found many Spring/Spring Boot tutorials1 on how to make a "simple authorization server". Those are mainly SSO servers though, and few do manage permissions, with the exception of those mentioned in this SO answer2. That I think we can deal with.
The real problem I have, and that none of the tutorials I have found are treating, is the following:
How do I integrate Keycloak in this authorization server?
I've been having a look at the available Java Adapters. They look OK when it comes to authenticate but I did not see hints about how to manage clients from a custom authorization server (ie administer the realm).
I therefore suppose I should use the admin API. Am I correct and is it good practice? I saw no adapter for that, so I suppose I should then use the REST API.
I also wonder how we should integrate our users in design? Should they be duplicated inside Keycloak? In this case, should we use Keycloak's admin API to push the data from the authorization server or is there a better way?
Finally, am I missing some other obvious point?
Sorry for the long message and the many questions, but it all boils down to one question in the end:
What are the best practices when building an authorization server using Keycloak as a backbone?
1. Some examples:
Spring Boot OAuth2 tutorial -
A blog post -
Another blog post
2. I've mainly focused on the sample app provided by Spring Security OAuth
Building Java OAuth2.0 authorization server with Keycloak
This is possible but is bit tricky and there is lot of thing which needs to be customised.
You can derive some motivation from below repo.
keycloak-delegate-authn-consent
Building custom Java OAuth2.0 authorization server with MITREid
If you are open to use other implementations of Oauth and OIDC,I can suggest you MITREid which is referrence implementation of OIDC and could be customized to a great deal.Below is the link to its repo and its open source.
I myself used this to requirement similar to yours and it is highly customizable and easy to implement.
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
MITREid Connect uses Spring Security for its authentication, so you can put whatever component you like into that space. There are lots of good resources on the web about how to write and configure Spring Security filters for custom authentication mechanisms.
You'll want to look at the user-context.xml file for where the user authentication is defined. In the core project this is a simple username/password field against a local database. In others like the LDAP overlay project, this connects to an LDAP server. In some systems, like MIT's "oidc.mit.edu" server, there are actually a handful of different authentication mechanisms that can be used in parallel: LDAP, kerberos, and certificates in that case.
Note that in all cases, you'll still need to have access to a UserInfo data store somewhere. This can be sourced from the database, from LDAP, or from something else, but it needs to be available for each logged in user.
The MITREid Connect server can function as an OpenID Connect Identity Provider (IdP) and an OAuth 2.0 Authorization Server (AS) simultaneously. The server is a Spring application and its configuration files are found in openid-connect-server-webapp/src/main/webapp/WEB-INF/ and end in .xml. The configuration has been split into multiple .xml files to facilitate overrides and custom configuration.
I'm building a single signon app and I'm wondering if it's possible to authenticate a user within a completely different website without using oauth, "not a possible solution". I'm currently able to do this by copying the other websites login form into my page along with the post url, hidden field, username/password field. I would much rather do this behind the scenes if possible where credentials wouldn't be exposed. I'm wondering if something like httpclient would be able to accomplish this task.
Any suggestions would be appreciated.
Yes, this is theoretically possible. You are trying to use the other web site as an authentication provider. You need to find out what authentication services the other website offers - you could try federated authentication, LDAP-based authn, kerberos, etc., but if the site you want to authenticate to doesn't support any of these, then you aren't going use any of these protocols.
I'm developing a web application in Java, using Spring Framework. I'm adding personalization to my site, and I'd like to provide my users the best experience. Features I'm looking for:
Support for logging in using popular services (at least Facebook and Google)
Support for creating a username/password
Support of tying multiple credentials (i.e. the same account can have FB, Google and username/password)
Reset password feature
Remember-me feature
Nice login widget (like Stackoverflow's for instance)
Secure storage of passwords
JSP integration (i.e. login tag, conditional "is-logged-in", "has-permission-x" tags)
Support for integrating in my schema
Mobile support (usable from mobile browsers)
Open source
I realize Spring Security/Spring Social has some of this (and they overlap a bit).
Yes, spring-security, spring-social, spring-mobile, openid4java, and a javascript openid library cover your requirements. But you still have to write code and configure stuff. It's not "ready-to-use". You can start with spring-roo that will generate some skeleton project on which you can build forward.
In my web application i want to implement the OpenId just like stackoverflow.com have to login to its web-site.
In details you find while login to stackoverflow.com
So when if one choose google then it allow the uses to log in through google account.
Please tell me how to implement it in java web application in details. Is there any single api for login through different website like(yahoo,google,facebook,etc)
Thanks
There is two sides of this:
client-side. This is the easier part. You can do this manually, but there are already javascript solutions that will render a list of openid providers. Check openid-selector and this jQuery plugin. I personally like the latter more.
server-side. You will have to handle openId authentication. There are multiple java libraries (they are all listed on the openid website). Here is one that I decided to use: openid4java. See this question for my motivation.
Not quite. Most of the ones you have mentioned simply use the OpenID protocol, however Facebook uses its own authorisation, so you would need to add that as a separate method.
Take a look at OpenID4Java
I have also used the openid-selector for the client side part.
Finally, I would take a look at the this resource to see the URL endpoints for the different providers.
Which Java library do you recommend to implement authentication in a Java web app (just servlets & JSPs)? We want to offer the most common authentication providers (Facebook, Yahoo, Gmail, etc.) and also local account registration.
I have found SocialAuth but it looks pretty new and I don't know if there are better alternatives. In addition, it looks like SocialAuth will request access to users contacts which I don't need and could annoy our users.
Thanks!
You can checkout the newer version of SocialAuth, u can set the level of permissions to be asked from the users.
Spring Security is a good starting point to get a flexible authentication system in your project.
http://static.springsource.org/spring-security/site/
There is a spring-security-facebook plugin that will integrate facebook auth.
http://code.google.com/p/spring-security-facebook/
I'm not sure about the others specifically. If you are talking about OpenID then spring security supports that.
I ended up using openid4java to integrate Google and Yahoo OpenId, and plain HttpClient calls to integrate OAuth based services (Facebook and Hotmail).