In my web application I want to implement OpenID just like stackoverflow.com has to log in to its website.
In detail, you find this while logging in to stackoverflow.com.
So if one chooses Google, then it allows the user to log in through a Google account.
Please tell me how to implement it in a Java web application in detail. Is there any single API for login through different websites (Yahoo, Google, Facebook, etc.)?
Thanks
There are two sides to this:
client-side. This is the easier part. You can do this manually, but there are already JavaScript solutions that will render a list of OpenID providers. Check openid-selector and this jQuery plugin. I personally like the latter more.
server-side. You will have to handle OpenID authentication. There are multiple Java libraries (they are all listed on the OpenID website). Here is one that I decided to use: openid4java. See this question for my motivation.
Not quite. Most of the ones you have mentioned simply use the OpenID protocol; however, Facebook uses its own authorisation, so you would need to add that as a separate method.
Take a look at OpenID4Java
I have also used the openid-selector for the client side part.
Finally, I would take a look at this resource to see the URL endpoints for the different providers.
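Both answers above point at openid4java for the server side. The following is an added example of what that relying-party code looks like; it is not code from the answers or from the openid4java project, and the servlet class, the URL mappings, the return URL and the attribute-exchange request are assumptions. The security-relevant part is the return leg: the discovery result is kept server-side and passed to verify(), which checks the signature (via the association), the return_to URL, the response nonce and the provider endpoint before the claimed identifier is trusted. One caveat the original thread predates: Google shut down its OpenID 2.0 endpoint in 2015, so this now only applies to providers that still speak OpenID 2.0; "Sign in with Google" today is OpenID Connect on top of OAuth 2.0.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.openid4java.OpenIDException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.ParameterList;
import org.openid4java.message.ax.AxMessage;
import org.openid4java.message.ax.FetchRequest;
import org.openid4java.message.ax.FetchResponse;

/**
 * Hypothetical relying-party servlet on openid4java (added example; not from the answers above or the
 * openid4java project). Assumed mappings: POST /openid/login receives the "openid_identifier" field that
 * openid-selector submits; GET /openid/return is the return_to URL the provider redirects back to.
 */
public class OpenIdLoginServlet extends HttpServlet {
    private static final String DISCOVERY_ATTR = "openid.discovered";
    private static final String RETURN_URL = "https://example.com/openid/return"; // assumption

    private ConsumerManager manager; // one per application: holds associations and the nonce (replay) store

    @Override
    public void init() throws ServletException {
        try {
            manager = new ConsumerManager();
            manager.setMaxNonceAge(300); // reject responses whose nonce is older than five minutes
        } catch (Exception e) {
            throw new ServletException("cannot initialise openid4java", e);
        }
    }

    /** Steps 1-3: discover the provider, associate with it, redirect the browser to it. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            List discoveries = manager.discover(req.getParameter("openid_identifier"));
            DiscoveryInformation discovered = manager.associate(discoveries);
            // Kept server-side: verify() checks the response against the endpoint we actually discovered,
            // so a forged response naming some other "provider" is rejected.
            req.getSession().setAttribute(DISCOVERY_ATTR, discovered);

            AuthRequest authReq = manager.authenticate(discovered, RETURN_URL);
            FetchRequest fetch = FetchRequest.createFetchRequest(); // attribute exchange for the basics
            fetch.addAttribute("email", "http://axschema.org/contact/email", true);
            authReq.addExtension(fetch);
            resp.sendRedirect(authReq.getDestinationUrl(true)); // GET redirect to the provider
        } catch (OpenIDException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "OpenID discovery or association failed");
        }
    }

    /** Step 4: verify signature, return_to, nonce and endpoint before trusting the claimed identifier. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        DiscoveryInformation discovered =
                session == null ? null : (DiscoveryInformation) session.getAttribute(DISCOVERY_ATTR);
        if (discovered == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no OpenID login in progress");
            return;
        }
        session.removeAttribute(DISCOVERY_ATTR); // one-shot: a second response for this login cannot verify

        // verify() compares the URL the browser actually hit with the signed return_to parameter.
        StringBuffer receivingUrl = req.getRequestURL();
        if (req.getQueryString() != null && !req.getQueryString().isEmpty()) {
            receivingUrl.append('?').append(req.getQueryString());
        }
        try {
            VerificationResult result = manager.verify(
                    receivingUrl.toString(), new ParameterList(req.getParameterMap()), discovered);
            Identifier verified = result.getVerifiedId(); // null unless every check passed
            if (verified == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "OpenID verification failed");
                return;
            }
            String email = null;
            AuthSuccess success = (AuthSuccess) result.getAuthResponse();
            if (success.hasExtension(AxMessage.OPENID_NS_AX)) {
                email = ((FetchResponse) success.getExtension(AxMessage.OPENID_NS_AX)).getAttributeValue("email");
            }
            // The verified identifier (not the email) is the stable key for the local account.
            session.setAttribute("user.openid", verified.getIdentifier());
            session.setAttribute("user.email", email);
            resp.sendRedirect("/");
        } catch (OpenIDException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "OpenID verification error");
        }
    }
}
```

The one thing not to shortcut is keying the local account on the verified identifier rather than on the email attribute: attribute exchange values are whatever the provider chooses to assert and are not part of what makes the identifier the user's own.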
I have created some APIs for login but am not sure about creating a login with a username/phone number. Can someone help out with any tutorials or any sort of idea on how to create a REST API for phone number authentication on a Spring Boot project?
I also require a suggestion on how to bring in third-party login, like how we log in with a Google account on most web applications.
From what I've understood of your question, you are concerned about security and would like to implement something like MFA for your users.
Since sending OTP codes is expensive (not really, but let's assume you want something free) and requires access to external APIs to send the codes (with their own logic), what I can suggest is using something like TOTP (Google Authenticator or Microsoft Authenticator).
Here is a good (and most important WORKING) guide I've followed some time ago:
https://medium.com/javarevisited/spring-boot-two-factor-authentication-78e00aa10176
With the right adjustments and improvements (or simplifications, if need be), the main logic will be perfect for your MFA application.
For login using, for example, Google/Facebook/SAML SSO and so on, I can suggest you check OAuth2:
https://www.baeldung.com/sso-spring-security-oauth2
Hope it helps
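The TOTP scheme the answer above recommends is RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits, which is what Google Authenticator and Microsoft Authenticator generate by default. Below is an added example of the server side using only the JDK; it is not code from the linked guide or from any Spring project. It covers the two points a plain "compute the code and compare it" implementation tends to miss: a small drift window with a constant-time comparison, and refusing to accept a time step at or below the last one already accepted for that user, so a code captured in transit cannot be replayed within its 30 seconds. Provisioning the secret to the phone (Base32 in an otpauth:// URI) is out of scope here.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), the defaults of Google/Microsoft Authenticator.
 * Added example, not code from the guide linked in the answer above; JDK only.
 */
public final class Totp {
    private static final int STEP_SECONDS = 30;
    private static final int DIGITS = 6;

    private Totp() {}

    /** 20 random bytes (160 bits), the key length RFC 4226 recommends. Store per user, encrypted at rest. */
    public static byte[] newSecret() {
        byte[] secret = new byte[20];
        new SecureRandom().nextBytes(secret);
        return secret;
    }

    /** RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^DIGITS. */
    public static String hotp(byte[] secret, long counter) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(secret, "RAW"));
            byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
            int offset = hash[hash.length - 1] & 0x0f;
            int binary = ((hash[offset] & 0x7f) << 24)
                       | ((hash[offset + 1] & 0xff) << 16)
                       | ((hash[offset + 2] & 0xff) << 8)
                       |  (hash[offset + 3] & 0xff);
            int otp = binary % (int) Math.pow(10, DIGITS);
            return String.format("%0" + DIGITS + "d", otp);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA1 unavailable", e);
        }
    }

    public static String totp(byte[] secret, long unixSeconds) {
        return hotp(secret, unixSeconds / STEP_SECONDS);
    }

    /**
     * Verifies a submitted code against the current step and one step either side (clock drift).
     * Every candidate is compared in constant time and the loop never exits early, so timing does not
     * reveal which step matched. A step at or below lastAcceptedStep (persisted per user) is refused,
     * which blocks replay of a code that was already used. Returns the accepted step, or -1.
     */
    public static long verify(byte[] secret, String submitted, long unixSeconds, long lastAcceptedStep) {
        long current = unixSeconds / STEP_SECONDS;
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        long accepted = -1;
        for (long step = current - 1; step <= current + 1; step++) {
            byte[] expected = hotp(secret, step).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given) && step > lastAcceptedStep) {
                accepted = step;
            }
        }
        return accepted;
    }

    /** Self-check against the RFC 6238 Appendix B vector: secret "12345678901234567890", T = 59 s. */
    public static void main(String[] args) {
        byte[] rfcSecret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        // RFC 6238 lists 94287082 for 8 digits; the 6-digit code is the last six of those.
        if (!"287082".equals(totp(rfcSecret, 59L))) throw new AssertionError("RFC vector mismatch");
        // T = 70 s is step 2; the step-1 code is still inside the drift window and has not been used.
        if (verify(rfcSecret, "287082", 70L, 0L) != 1L) throw new AssertionError("valid code rejected");
        // Same code again after step 1 was recorded as used: replay must fail.
        if (verify(rfcSecret, "287082", 70L, 1L) != -1L) throw new AssertionError("replay accepted");
        if (verify(rfcSecret, "000000", 70L, 0L) != -1L) throw new AssertionError("wrong code accepted");
        System.out.println("TOTP self-check passed");
    }
}
```

In a Spring Boot application the caller would load the user's secret and last accepted step from the database, call verify(), and on success persist the returned step before completing the login; without that write the replay check is a no-op. Rate-limit failed attempts as well: six digits is only a million possibilities.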
Hi Ninja, please read this example and search the internet:
https://dzone.com/articles/add-login-to-your-spring-boot-app-in-10-mins
I am trying to authenticate users with a REST service I built using Dropwizard. From previous questions I found a great example of authenticating with OpenID on GitHub: https://github.com/gary-rowe/DropwizardOpenID
However, I don't want to deal with OpenID at the moment and simply want users to 1. sign up, 2. sign in.
My questions/confusions are:
For sign-up: I'm thinking about sending users' username/password as a POST request with the credentials either as form parameters or as part of a JSON body. However, isn't there a security risk here of sending the password in plain text?
For sign-in I'm thinking about using Authenticator in Dropwizard.
I don't want to store passwords in plain text. What strategy should I follow after I get the users' password in the POST as plain text? I'm looking for some Java libraries that can assist with password salting and MD5.
Thanks for the shout out for the Dropwizard OpenID project. Glad it was able to get you started.
If you want a pure web form type approach, take a look at another of my projects, MultiBit Merchant, which provides multiple authentication methods (web form, HMAC, cookie).
You'll need to dig around to really see it working since this project is not designed as a demo as such and is very much a work in progress.
After loading the project, look for WebFormClientAuthenticator which will get you in the right area.
The general principles involved with Dropwizard authentication are discussed in this blog article. Although it targets HMAC you can easily adapt it for web form or cookie using the source code referenced earlier.
It's all MIT license so just use it as you need.
Looking at the docs, we can see that Dropwizard supports a standalone OAuth2 implementation:
http://dropwizard.codahale.com/manual/auth/#oauth2
OAuth2 has several advantages, many of which can be read about here: OAuth 2.0: Benefits and use cases — why?
Things to note:
when dealing with authentication, you should always host over HTTPS to ensure transport encryption
Dropwizard claims their OAuth2 implementation isn't yet finalized, and may change in the future. As a fall back, they do support Basic auth as well, which when used over HTTPS would be still reasonably secure.
Implementing this does not involve using any third party "social" authentication services such as Google or Facebook.
I want to implement an SSO framework. My requirement is thus:
Once a user logs into a particular website and clicks on an external link, he should not be asked to verify his credentials again.
EDIT: Here, I have control over the 'external link' that I speak of. The first link that the person signs into can provide me credentials or other information that I require, but I have no control over it.
I researched a bit and found CAS to be relevant for my requirement. But I don't want the end user to log in to CAS initially; I need a framework that receives the credentials from the currently logged-in website and uses the same to log in to the other external site. Security is, of course, an important factor. Can you please give me some pointers/ideas as to how to go about designing such a framework?
Based on what you're describing, it sounds like an Identity Provider (IdP) initiated SAML profile would meet your requirements (a good visual representation of this is here). The original web site your user is logged in to will function as the Identity Provider. Once a user is authenticated with that application, they will then be able to access your external application by clicking a link. Instead of being directed to a log in page for your application, the original app will instead forward the user's authorization details via SAML to you where the signature will be verified and possibly checked with the identity provider. If everything checks out, the user will be redirected to the requested resource from your app without having to sign in.
Note that the above describes the protocol of the SSO. There are many different frameworks that support SAML that you can use. Two that you can research are Shibboleth and, as already mentioned, OpenAM.
This is a rather simplified explanation based on limited details, but hopefully it will help lead you towards a solution. I would recommend doing a good bit of research on the protocols and frameworks available before making your decision. Also, a proof of concept never hurts to prove out the solution will work for you before investing in it to a point of no return.
Good luck.
OpenAM should help you:
OpenAM provides open source Authentication, Authorization, Entitlement and Federation software. Through OpenAM, the community actively continues development of OpenSSO.
OpenAM provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenAM provides the foundation for integrating diverse web applications that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers.
On the Wikipedia page List of single sign-on implementations you can find a list of SSO implementations; there is a column indicating the licence.
Read about JBoss SSO from here.
I understand that OpenID is generally used for browser-based applications. However, I am building a Java desktop application. I would like to use OpenID. How is it possible? One way that it could be done would be to integrate a Java web browser such as http://lobobrowser.org/java-browser.jsp and capture the return URL. But that seems to me like the hardest solution. Is there a library that can help me do that?
My goal is to use the return URL from the OpenID provider, say Google, as a secret key to encrypt local data. The returned URL contains a unique access/confirmation key.
What are the security considerations in doing this?
Either of the following libraries looks like it will probably do what you need:
http://code.google.com/p/openid4java/
http://code.google.com/p/joid/
We will be creating a web application in java.
For user authentication, currently we are using LDAP. But we want to have some other options like application-level authentication (from database), Gmail, Facebook, etc.
Somewhat similar to what Stack Overflow has on its login page.
We will be maintaining a properties file which will consist of all the available options for authentication, like LDAP, Facebook, Gmail, etc.
If we want to add one more authentication service, we will add it to this properties file and then we will need to add a helper file which will do the actual work of authentication.
This should be highly customizable.
I have the following questions regarding this:
1) What is the best way to go about this?
2) How to do third-party authentication like Google, Facebook, etc.?
PS: When we do the authentication using Gmail etc., we will need some basic information back to our application which we can use.
One popular solution is Spring Security (which used to be called Acegi). It has various backend authentications and handles OpenID and LDAP. You could use it with the OpenID selector mentioned by Abdel. If you google around you can find various plugins to connect with different backend authenticators, including JAAS.
Stack Overflow (Stack Exchange) is using a modified version of openid-selector. It is highly customizable and you can add your own selectors as well.
You can authenticate with Google, Facebook, and other social networking sites using OpenID or the OAuth mechanism. You can make use of many libraries available for Java. Have a look at openid4java. You can also refer to this list for libraries as well.
You can get some basic information (name, email, photos etc.) from Google, Yahoo or other OpenID providers.