Limiting Spring OAuth2 authentication to registered users of application - spring-security-oauth2

I was able to get the following sample code to work: https://spring.io/guides/tutorials/spring-boot-oauth2/. It works very well, however, it allows anyone with a Github credentials the ability to access my application!
What I'd like to do is extend the sample code's functionality to basically validate that the authenticated Oauth2 principal is also a previously registered user of the application. If they are not registered, they will be redirected to a registration screen.
I was thinking of utilizing a AuthenticationSuccessHandler to handle the registered user validation and perhaps invalidate their Github security token (somehow) if they are not a registered user. Am I going down the wrong path?

Related

Firebase custom auth provider I don't control/have access to?

Is it possible to use a custom authentication provider which I don't have any control over?
I develop an app in addition to a teachable course. Teachable is a platform like shopify where you can create online courses.
I want to use it as an auth provider, so a user, that already has an account can login with his teachable account.
To my knowledge custom authentications with auth tokes work like this: I send a request to my server with the entered user credentials. From my server I use these credential to login to teachable, if that was successful my server gets a callback and I return a token to my client, so the login was successful.
However as far as I know teachable doesn't have an api option for me to login and get a callback if it was successful.
What can I do about this? Also are there any security issues I didn't realized?
Your understanding of the flow to add a custom provider to Firebase Authentication is correct. You need to be able get the authenticated token from the provider, and mint a Firebase custom token from it.
If the provider you're looking to add doesn't have an API, you won't be able to add it as a custom provider to Firebase though.
I don't immediately see another way to connect the provider without an API.

How do I structure authentication with a social IdP?

My system works as follows;
I have an ASP.Net RESTful API server, which contains a user database.
I also have a Xamarin.Forms application, with a registration and login page.
What I want is to have the ability to authenticate a login using a social IdP, and then, if that user has not been logged in before, register that user in my local database.
I have been reading up on how to implement OAuth 2.0 with OpenID Connect to authenticate my users with a social IdP, however, I cannot seem to wrap my head arround it. From what I've read, I shouldn't use an Access token for authentication, since that i what the ID token is for, however, I have also read that the only intended purpose for an ID token, is the client.
My problem then is, how can I make sure that calls made to my ASP.Net server, has been made by "real person", and how do I determine who makes the call?
Access token will be used determine whether the client application was authorized by a user to access a resource. The concept of ID token comes from OpenID Connect. Main purpose of the ID token is to authenticate the user to the client application (i.e. letting the client application know that the person who authorized the access is a valid person).
To do this, you have to validate the ID token. This can be done using third party libraries such as nimbusds or auth0. You can validate the signature of the token verify the integrity of the token and check the claims included in the token (by comparing them with expected values) to verify the user details. Also, you can add custom claims (any claim that is specific for your application/implementation) to the tokens through your identity provider so that you'll be able to validate those particular claims in order to verify the user.

Customizing CQ / AEM Authentication

What exactly do you have to do to authenticate users against an external source while accessing pages on a CQ publish instance?
From what I have read, a custom AuthenticationHandler can be used for this. The AuthenticationHandler can be configured to be called against the paths requiring authentication and inside the extractCredentials() method, the users will be authenticated against the external source and an AuthenticationInfo object will be returned.
If the supplied credentials are invalid, null would be returned from this method to indicate the same. The SlingAuthenticator will then call requestCredentials() where the user can be redirected to the login page.
Is this understanding correct? If so, what does SlingAuthenticator do with the AuthenticationInfo object returned from extractCredentials()?
In some places, having a custom LoginModule (by overriding AbstractLoginModule) is also suggested for the same purpose. Are these 2 different approaches (custom AuthenticationHandler and Loginmodule) for having custom authentication or are they used together somehow? If so, how do they interact?
And also, the concept of CUG (Closed User Group) can be used to redirect users to the login page if they don't have access to a page. Can CUG still be used with a custom auth mechanism or it only works if the users are present in CQ repository?
Any light shed on this would be much appreciated :)
Your understanding is correct. The AuthenticationInfo object ultimately contains a JCR user id -- but rather than having to use the JCR password for the user, a 3rd party service basically says "this user has authenticated successfully and can access the repository as X".
Example: you're using OpenID or SAML to verify a user is X. user X is then mapped to a user Y in the repository.
I haven't used LoginModule but from what I'm reading, that's just extending login processing for the JackRabbit repo. So, rather than using AuthenticationHandler to redirect a user to some other place and processing the response, you're plugging further down into the chain where there's already AuthenticationInfo (or something like that) being given to JackRabbit to verify and return a session for a user.
So, let's say you did successfully authenticate with OpenID but the user you're mapped to doesn't exist. You could write a login module to create the user in this case (and assign user to a default group). For instance, if user came in with a gmail id, the JCR user could be gmail_$id. And the login module, seeing the name starts with gmail, will know it's ok to create that user automatically.
As far as CUG, yes, all the above can be used in conjunction with it. Basically, if a request doesn't have access to a resource and the request hasn't been authenticated, the authentication handling system kicks in. If a user has authenticated but still doesn't have access to the resource (e.g. not part of a group that can read it), a 403 will be generated.

Custom Login Screen - Integrated Windows Auth with fall back

I want to create a custom login screen that will attempt to authenticate a user via integrated Windows Authentication (using SPNEGO or whatever) and if that attempt fails, fall back to a forms based approach.
The process would ideally work like this...
User Logged in as Valid AD User
User attempts to access application and is redirected to IdentityServer.
Custom logic attempts to validate user using AD credentials and succeeds.
User is authenticated and redirected...
User Not Logged in as Valid AD User
User attempts to access application and is redirected to IdentityServer.
Custom logic attempts to validate user using AD credentials and fails.
User is presented with a form to enter username and password.
User is authenticated and redirected...
I was hoping to create a custom IUserService implementation to achieve this, but from reading the documentation it's not obvious how this would be done.
Am I going to have to create a custom identity provider to achieve this?
Any guidance would be greatly appreciated.
I think, it's not so much the custom IUserService you have to worry about. The IUserService looks up a user once IdSrv3 has collected credentials from the user. So your integration needs to occur earlier.
What's tricky is falling back. If you have a page that is protected by windows auth, it's the client that decides if it can authenticate or not. if it can't authenticate the user it will usually prompt the user for credentials & try to submit these. It won't automagiclly know what to do.
The approach with probably the best user experience is to show a page & allow the user to choose how to login, much like you can choose to login with Google, etc. You can then hook this up as an external provider.

Transparent user registration after external authentication in Drupal

I'm working on a Drupal 6 module to provide OAuth-based user authentication and registration. I'm already using the OAuth module to authenticate as described on http://oauth.net/core/1.0a/#anchor9. The next step is to create the user account using information provided after authentication using an custom API of the Service Provider.
According to http://drupal.org/node/497612#comment-3047302, I should not use user_external_login_register() but see the OpenID module for how to properly login an external user.
After studying the OpenID module, here is what I plan to do:
Try to load an existing user for a authname build from the custom API result using user_external_load().
If a user exists, use user_external_login() to log the user in.
If not, pretend the registration form has been submitted (like openid_authentication() does) to create a new user account. And redirect to a pre-filled form if any additional information is needed in order for the user to register.
Is this the right way to do it ? Is there another module worth looking at for how to this properly in addition to OpenID ?
You could have a look at the former Drupal module. That module did two entirely different things (hooray for the architecture :)).
* It puplished information to a central "who runs Drupal" directory. (and offered a page to show such a directory yourself!)
* It allowed login with credentials from other Drupal-sites.
The latter is what you are looking for. Note that the module was discontinued, not because the method for logging in was done wrong, but because the DrupalID mechanism itself is flawed. It has been replaced with openID and oauth.
http://drupalcode.org/viewvc/drupal/drupal/modules/drupal/drupal.module?hideattic=0&view=markup
The hooks and methods you would be looking for (in that order) are:
drupal_form_alter -- Adds validate-callback to the login forms.
drupal_form_user_login_alter -- Adds information about alternative login on login form.
drupal_distributed_validate -- Validation callback: calls drupal_auth to see if the user is valid. If so, calls user_external_login_register
drupal_auth -- Helper for validation callback: determines if the credentials are valid.
All other functions are either helper functions for these, or provide that directory-feature, or allow remote sites to authenticate against our database. Neither of which you will be using.

Resources