I am trying to configure OpenAM qr code service chain as an identity provider for another application, and I am giving the client the URL of the identity provider which is http://localhost:8443/openam/XUI/#login/&realm=/&service=qrLogin, But after a successful login using the qr code the client prompt:
Missing state parameter in response from identity provider.
Is this even possible ?
What type of authentication is the qr code of OpenAM: Saml or open id connect ?
if this is possible what am I doing wrong ?
Related
I have a single page application written in angular 7 which communicates with my ASP.Net Core 2.2 Web API server.
On login, the user sends his credentials to my authorization server (connect/token) using "resource owner password credentials" grant.
I am trying to add 2-factor authentication (SMS), but I can't find any example describing how to do this. All the examples I found were written with MVC using cookies authentication.
I was thinking about this flow but it feels to me there should be a much better way
A user enters his user name & password
If the user has 2 factors enabled I will send him an SMS with a code. In addition, a limited access_token and id token will be sent to the client. this access_token will be valid only to enable the user to send the 2-factor code.
if id-token will have a claim for 'two factors': 'on', I will redirect the user to an SMS confirmations code.
The user will send a post request with the code. If the code matche, I will return to the client a new access_token with all the claims.
2FA is a very bad fit for the resource owner password credentials grant (at least, not the standard flavor).
An interactive flow like the code or implicit flows will allow to easily implement that using ASP.NET Core Identity and its default controllers/Razor pages, in a completely standard way.
In API Manager 2.0.0 I have configure a federated authenticator for oauth2, setting-up with a google authentication, and configure a service provider for an application to use this federated authenticator. Then I follow the tutorial [1] in order to use this application with the google authentication.
When I try to generate the keys from the Store portal using Code or Implicit grant types, the server give me the following error:
Error occurred while calling token endpoint: HTTP error code : 400
and in the log shows:
{"error_description":"Provided Authorization Grant is invalid","error":"invalid_grant"}
Can anyone help me with this problem? How can I configure a federated authenticator to consume te APIs/Applications?
Thanks.
Here you can see the debug log of APIM.
[1] http://xacmlinfo.org/2015/04/28/federated-authentication-for-granting-oauth2-access-token-with-wso2-api-manager-apim/
Probably your Service Provider doesn't allow Implicit and Code grants by default.
To change this log into carbon on Service Providers -> List. Choose your SP and then click on Edit.
In the edit page, go to Inbound Authentication Configuration -> OAuth/OpenID Connect Configuration. Your application key and secret should be listed here, the one that you generate on the store.
Click on edit, this will bring all the OAuth grants available. Probably Code and Implicit are unchecked. Check them and click on Update, you should be able to generate tokens using both grants now.
I am working on a web application which should authenticate users via ADFS. WS-FED Passive was chosen as the simplest and fastest to implement.
The setup went smooth and the application seemed working: a user is first redirected to the the Identity Provider service, enters username/password and in case of success a SAML token is POSTed back to the web app.
Here where I get confused: a SAML token can be validated via the Signature and X509Certificate data which are contained in it.
However, what is the proper mechanism to verify that the token was POSTed by the Identity Provider service, not by a third-party which also posesses the certificate?
I have used Owin in the past to create a token endpoint in my Mvc Web Api projects to provide oauth 2.0 tokens with "Resource Owner Password Credentials" grant type where access token provider would check a database user table to verify the validity of the credentials supplied by the mobile client (multiplatform App developed with Visual studio tool for Cordova).
In this project, the Web Api will be consumed by a multiplatform Mobile app used by Active Directory Windows domain accounts
I would like to use Owin Oauth 2.0 to grant an Access Token to these users but I don't know how to check the validity of these credentials.
What I was thinking is to put the /token endpoint behind "basic authentication" and in the code of the Access Token Provider get the user from the Identity that, in case of authenticated used, should be automatically created by the Asp.net pipeline.
Is it something that could work?
Do you know any better idea to use Oauth 2.0 for AD Windows Accounts?
Note:
I'm also investigating if Active Directory is able to provide an Oauth 2.0 endpoint by itself.
Here is a pretty good walkthrough of how to use Active Directory Federation Services to obtain an OAuth2 token.
https://technet.microsoft.com/en-us/library/dn633593.aspx.
You'll have to follow all the links at the bottom to get the entire walkthrough.
Note that it refers to using Windows Azure AD Authentication Library for .NET. But according to that documentation, that library is used for both Azure Active Directory and on premises Active Directory.
As for the workflow, once authenticated you'll be able to obtain and present a bearer token to your WebAPI. Your WebAPI then "validates the signature of the token to ensure it was issued by AD FS, checks to see if the token is still valid and hasn’t expired and may possibly also validate other claims in the token. At this point, the client is either authorized and the information they requested is sent in the response or they are unauthorized and no data will be sent." - https://technet.microsoft.com/en-us/library/dn633593.aspx
You could use ADFS 3.0 on top of AD which would provide you with OAuth 2.0 Authorization Server functionality: http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
Putting the token endpoint behind "basic authentication" does not help you because you'd be authenticating the client on the token endpoint, not the user. You could put the authorization endpoint behind "basic authentication" though.
I have an ASP.NET application which uses login cookies already. I need to provide a link in my application upon clicking which the user should be able to access their info in SalesForce.com using SSO. I'm planning to implement this link as an ASP page that constructs a SAML assertion with the corresponding username in SalesForce.com, posts the SAML assertion to SalesForce.com SAML Endpoint URL, receives the SAML response from SalesForce.com and redirects the user to the session URL contained in the response.
Has anyone tried this approach instead of using a dedicated SSO server (such as OpenAM) ? Are there any issues in this approach ?
You won't be able to do that, because it would require you to implement most of SAML IdP (identity provider) piece on your own.
SAML is a complex standard involving multiple interactions between IdP and SP (service provider), it is so much more than just sending an assertion.
To enable SAML you'll need to install IdP (like OpenAM), connect it to your user database and to convert your application to SP.
Wikipedia has more detail on SAML iteractions.