I need to create an application that fetches User from Ldap and then, generates a token for him to access Restful interface.
First, I am using LdapToolsBundle and I could login using Ldap and login form easily.
Then, I am studying FosOauthServerBundle and oauth2-server-bundle and trying to figure out which one is better for my application. I've installed FosOauthServerBundle correctly but didn't find a way to integrate with LdapToolsBundle.
I studied the possibility of using Fr3dLdapBundle and if anyone has the solution using this bundle, I would be open up.
The problem:
I don't need to persist User Entity. But, if it is required, I don't want to persist it's password. I need always the password being checked from Ldap on every token authentication.
Could anyone help me? I would be greatful.
Related
I currently have a Xamarin Forms App that uses IdentityServer4 & .NET Identity for authentication and login-in users to the app, it also integrates with Office356 login. I now have the need to implement FaceID/TouchID so that the user does not have to login every single time the app launches, but it still needs local authentication to prove they are who they say they are. From the research I have done, the username & password get stored in the Keychain OR the Token so that it can be used to login later. I believe I already have a way of accomplishing it using the Token, nevertheless we want to explore all options and double check if there is a better way of doing it by storing the username/password, is there any way to acquire those when using the WebAuth (ASWebAuthenticationSession)? My first issue is that the device browser is the one used to authenticate and I can’t seem to find a way of getting the username/password from there. In the case I was able to, how could I automatically used those to later authenticate (autofill?). Any help is highly appreciated. Thanks in advance
I've got some external users in another system that may/may not be using OWIN. (I've actually got this problem in a couple projects) I'm trying to solve this with IdentityServer4 and it's Authorize Endpoint but want to make sure I'm on the right path.
Our goal is to have users click a link in the external app and be redirected to IdentityServer4. I would like IdentityServer4 to authorize users coming in from this endpoint, add a particular role or claim, and allow them into the clients without presenting a login screen. Is this possible? I'm having trouble finding examples.
Identity Server 4 Authorization Code Flow example
This is the closest I could find, but we're looking for a framework agnostic solution that doesn't involve modifying the external apps, as I don't have access to their source code in all instances.
I'm looking for a flow like this: User goes to https://someexternalapp.com, clicks a published link like https://identityserver.myapp.com/authorize?requestSecret=asdf1234&username=bob and is redirected to https://identityserver.myapp.com/external?token=dasdfasdf where the claims are issued, and finally redirected to https://someclient.myapp.com with authorization.
Am I on the right track? I'd hate to waste much more time on this and end up at a dead end, could anybody point me in the right direction?
Have a look at Sign-in with External Identity Providers
This will allow you to create a cookie in the https://someexternalapp.com/ app which is then used by identity server to do the authentication without user interaction.
Good afternoon,
Here I am working on Symfony 4 and on the Symfony Security module.
I need to customize the authentication of my users without using plugins such as Fosuser.
This is for the following reasons:
The user connects to a "main" server (ldap) with his login/password
I need to be able to retrieve his credentials to test his account on other ldap servers in parallel.
When the user is authenticated on the main one, the user is redirected to a page telling him if everything is ok or not on the other servers. In case it is not, he has the possibility to update his account.
But the documentation deals with "simple" cases and here I am a little lost.
I tested several possibilities (authentication with Guard, test of creation of a personalized provider...) without results.
I would need to understand the mechanisms of symfony authentication to create a custom authentication.
If anyone has a lead to guide me, that would be great.
Thank you in advance.
I think you need to divide your action into 2 stages:
Authenticate by LDAP against first server, i.e. with Symfony LDAP Component - this can be done by standard authentication form and FOSUserBundle
When you are already authenticated interact with second server in controller action. This can be done by writing entire code in Controler or in service designed to interact with this LDAP server. You can even use the same Symfony LDAP Component as before, but you will need to configure another instance of service by hand.
I want custom firebase authentication where a user manages the roles of subordinate users. I need guidance on understanding on how to implement my own backend authentication system. Everywhere the documentation keeps mentioning that 'send the username and password to your backend that will generate a custom token'. What is this backend? where do I pursue this? My knowledge domain is firebase, firebase functions, angular 2/4, ionic2 for this discussion... thanks
To use custom authentication, you need to create a JSON Web Token (JWT) on your existing backend server, after you have used your existing backend server to validate the username and password of the user (or however else your backend server validates your users).
To create that JWT, use the configuration described at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
There is PHP and Ruby code available at that page, for anyone using a language that does not have an SDK available from Google, but which does have a JWT library available.
The JWT is signed with your private key, which you can obtain as indicated at https://firebase.google.com/docs/auth/admin/create-custom-tokens?authuser=0#create_custom_tokens_using_a_third-party_jwt_library
Although that page describes initializing the SDK, this section also has instructions for creating the private key for your service account using the Firebase console at https://console.firebase.google.com/u/0/project/_/settings/serviceaccounts/adminsdk
You will have to send the email password to the firebase sdk in using javascript in web then when the sdk success functions tell that the user has been authenticated the web page will send result to your backend server (can be nodejs or php etc) from there you have to manage your own database to handle all the role base access.
Firebase is basically authenticating the user for you and telling you that you can identify this user using the following userid and then build your own system.
Firebase has access rules but those you have to define first you cannot fully customize them for each user.
For password auth see this:
https://firebase.google.com/docs/auth/web/password-auth
An easy way to do custom auth with Firebase is using an external identity provider. Auth0 is an example of such a provider.
Guide:
https://shusson.info/post/using-firebase-and-auth0-together
code:
https://github.com/shusson/firebase-custom-auth
I need a good advise and wanted to know whether a solution is feasible or not. Right now one of my customer has a common login application which is based on Forms authentication(ASP.NET) using membership provider. All internal users use their AD credentials to logon and external users use custom username and password. Both are wrapped via Forms authentication. Now the new proposal is to replace this Forms authentication with ADFS. I have gone through various articles over internet and not able to come to a conclusion. Let me list my findings so far with ADFS extension points.
1) It is possible to add a custom attribute to ADFS claims by the approach mentioned in https://blogs.technet.microsoft.com/cloudpfe/2013/12/27/how-to-create-a-custom-attribute-store-for-active-directory-federation-services-3-0/.
2) It is possible to add a second level of authentication( or multifactor authentication) via the approach https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/. Here I understand that after first level authentication done by AD then only our external provider will come into picture.
So I have a general question that is it really possible to achieve what I am looking for with ADFS. Please let me know.
This is based on where the user accounts are stored. If both internal and external users are in AD, you can just redirect to ADFS.
If internal is in AD and external is in an untrusted or other LDAP source, using ADFS 2016 you can link to both these account stores and still offload authentication to ADFS.
If external is in SQL, you can either use a virtual directory in front to project it as an LDAP store (previous option) or use IdentityServer.
If externs is something else, you'd need IdentityServer.
Thanks //Sam (#MrADFS)
Yes - you can add a custom attribute store.
Yes - you can add a custom authenticator.
A better way might be to use thinktecture's IdentityServer 3.0 for the ASP.NET Identity part and then federate IdentityServer and ADFS.