I'm trying to implement "single sign-on" so that users of my ASP.NET site can jump to a WordPress site and automatically have their account created. There is a plug-in for WordPress called JWT Authenticator that will send unknown users to a URL you provide and then you can POST back a JWT with enough information for the plug-in to do it's thing and automatically login the user over there.
I can see how one might accomplish this just by generating a JWT using something like JOSE and then in javascript posting the token over, but I was hoping to capitalize on any existing code in the ASP.NET Identity/OAuth/JWT packages to manage the heavy lifting (especially the posting of the JWT).
Is that a standard "flow" for OAuth? I suppose in that case the ASP.NET site is sort of an Identity Server but the documentation for that sort of thing seems to suggest a structure way out of proportion for "make a JWT & post it back there".
Any ideas what subset of functions exist in the Identity & OAuth libraries for doing this?
Thanks!
James
Related
So.. I've read countless articles, but still can't wrap my mind on which to use; if a simple JSON Web Token is enough..
I have a Wordpress website and a mobile application of said website.
I can login in my website using email and password and I can also login on my mobile application using email and password.
The mobile application communicates with the website through the Wordpress REST API. It (the mobile app) sends the user email and password to the API, and the API returns a JWT if both are valid.
Then, I simply store the JWT in the user's device.
My main doubts are:
For a mobile app with not much sensitive user data, is that acceptable/safe enough?
For a mobile app with sensitive user data, is that acceptable/safe enough?
Or should I use OAuth2 in both cases (which is harder to implement and will take time, but it's safer (I think..))?
Thank you and apologies if duplicated.
This is more of a security compliance decision you might have to take.
As a first thing, you should think like a product owner or ask a product owner about which one to use by explaining to them, what are the advantages of OAuth 2.0 over simple JWT.
You might have to consider the following things,
what is the size of the userbase?
how sensitive is the data you are going to store?
What is the user experience you wanted to give to your users?
Also, JWT doesn't mean it is not safe enough.
One more extra thing you could do to make it more secure is adding a expiry time for your JWT with a refresh token mechanism that way even if JWT is exposed it ll be expired later sometime.
JWT is a secure solution and is often used for mobile applications.
If you choose OAuth, you have several options for authentication, because there are several grant types:
Authorization Code grant type, which is the most popular, the advantage of this is that it uses the WordPress login interface
User Credentials grant type, which has a direct trust relationship with the application, which provides the user credentials, this is often used with mobile applications
You have the option of JWT Access Tokens at the OAuth server, which provides even more security for you.
We have created an OAuth 2.0 plugin for WordPress: https://lana.codes/product/lana-passport/
You can try it with the demo, and there is also detailed documentation for it.
I personally use the OAuth plugin to be able to log in to my WordPress websites using the Single Sign On button, which uses my primary WordPress website for authentication. OAuth is more commonly used for Single Sign On solutions.
I'm so confused about how to get authentication between an external, consumer website and a Laravel API right. What I'd like is to have a web app for which users are able to present information from the app to other people, using an external website that consumes the app's API. Here's an example of the basic setup in a bit more detail:
A Laravel 5.3 app that has a protected API endpoint api/status. Only authenticated users should be able to hit api/status, and the status returned is a particular status for the authenticated user.
An external website that consumes the Laravel API on behalf of a user, let's call her Alice. The necessary information is stored in the backend of Alice's website so that it can authenticate with the API on behalf of Alice. (The actual implementation I'm working on will be a WordPress site, and the API consumption will be done by a WordPress plugin that I am implementing; so any info stored will likely be stored in the WordPress database.)
The website has a /status page that displays Alice's status to anyone who browses to the page. (Ie, when the /status page is browsed to, an API call to the app is made on behalf of Alice. The returned status is specific to Alice, and is displayed to the person browsing the page.) People browsing to /status on Alice's website do NOT need to do any sort of authenticating to view the status on the page.
That is very simplified compared to my actual goal, but I hope it serves to keep the extraneous details to a minimum so we can focus on my actual question, which is what method of authentication should I use to achieve this?
One thing I DON'T want:
The person browsing Alice's website should NOT be able to use their browser's inspector to watch the API call and from that create further API calls on Alice's behalf on their own.
I have Passport installed on my Laravel App, but if I'm understanding things correctly I don't want to use the basic Access Token issuing workflow, as that would require the people browsing to Alice's website to authenticate using the Alices's credentials. For the same reason, I don't think I want an Implicit Grant Token.
Using a Password Grant Token would require storing Alice's password for the Laravel app on her website. Is it ok to store passwords like this in a WordPress database? It makes me nervous...
The other option available through Passport is to have Alice create a Personal Access Token and store that in her website backend as the token to use to authenticate. But the Laravel documentation seems to imply that Personal Access Tokens are meant for testing and development purposes, which makes me wary of going this route for a production plugin. Plus, doesn't using a PAT make it possible to do the thing I DON'T want above, since the PAT is simply passed in the request header? Or is that problem mitigated by the fact that the API interaction would be done over SSL?
Do I even need to go through Passport to achieve what I want here? Is there a better way?
I've been reading myself in circles trying to understand what the best practice for this kind of setup is. I'm sorry if this question isn't focused enough, but if anyone has any good advice, or can clarify things for me I would much appreciate it!
what I need to achieve is the following but am quite stuck on the correct way to go about this:
From WordPress, specifically in the admin console I need to authenticate with an external website in a secure manner
Store a token of some sort (oauth2?)
Make authenticated call form my plugin to the 3rd party rest api
What would be the best way and a couple of methods to:
Authenticate, retrieve store a token from wordpress admin (preferably Oauth2)
send this token to the external site with every api call?
Apologies on the vague nature but any direction will really help!!!
I have read a few articles on the subject, but I am just looking for some more advice really.
I have a WordPress site with a login functionality and user database on that site.
What I need to do is allow a 3rd party application to authenticate details which it receives against my WordPress database.
I was thinking the best way to do this would be by sending the data to a REST API, but security wise I cannot think how I can return a successful login without this being easily duplicated by a user.
I have read about oAuth and HMAC, but am not sure which route I should be going down.
Any help greatly appreciated, thanks.
Ian
WordPress provides the XML-RPC API for this stuff. That's what the iPad/iPhone apps use.
Check out the Codex.
http://codex.wordpress.org/XML-RPC_Extending
http://codex.wordpress.org/XML-RPC_WordPress_API
For more general info, there's the Wikipedia entry, http://en.wikipedia.org/wiki/XML-RPC.
Technology
ASP.NET, VB.NET 2.0 (soon to be 4.0)
Overview
I'm writing a Login / Authentication Portal, so that a web application can use it to login a user, and then they can use the application using their credentials.
The login portal will be a separate application, and initially only available via an extranet as well as intranet for certain applications; but future apps will need to authenticate via the web (happy to implement as a separate instance). I basically want other individual applications to be able to authenticate users via this portal.
So that...
A user goes to an application's web url (i.e. www.application.com / http://apps/application - intranet) and clicks "login".
User's browser is redirected to the portal application, with a query
string
www.loginportal.com/login.aspx?url=www.application.com/login.aspx
(or other page).
User fills in their credentials (username, password), and clicks
"login" button.
Browser redirects back to url i.e. www.applications.com/default.aspx or login.aspx and is authenticated and logged in; and can use app.
Completed
I have the authentication itself sorted, and will implement as a class library in the local applications via a dll.
Need
So I basically need to know, how to:-
1. Post data to the portal url (could be different domain).
2. Redirect browser with post.
3. Make sure that the authentication is secure, and not easily hackable (I know how to use urlencode and htmlencode etc) - just not sure about implications of posting data across domains.
Any help greatly appreciated...
Cheers,
Duncan.
Seriously tough stuff, here. If it were me, I'd lean heavily on Windows Identity Foundation. I believe it can support this scenario (haven't actually done it; someone else at my company is developing against it).
OK, so this is the solution I ended up using:
In the original application (the one that needs the authentication; step 1 above) I redirect the user to my login portal, and include the original url as a get parameter.
The user then types in their details, username and password.
Next, the server-side code authenticates them, and redirects to a new page, where I send back to the page an html form which includes the request datetime (for security) along with a encrypted string (including the datetime of the request) of the data I want sent back to the original form.
I also add a JavaScript post method which sends the data to the original url as a form post. Because I'm using the same class library at both ends, I can encrypt and decrypt the data using the same method and the original requesting application has all the user data, including the ability to check the datetime of the request (I allow a set amount of time between the authentication and the picking up by the original app, making sure these are within say 5 minutes.
And job done.
If anyone wants the code, I can provide it, just don't have it with me at the moment, if I remember I'll post it.
Not the most elegant solution, but it works, and it's secure, so I'm happy. :).