Oauth2 multiple AuthorizationServers in one app - spring-security-oauth2

Is it possible to declare many OAuth2 authorization servers in one Spring Boot 1.4.1 app? I tried to do so, but every time only one authorization server is working at the moment.
I need it because I have two types of users that can login to my app and each of them must be separated. It's not only matter of role in a system but a purpose of the particular type of user.
So there is a way to do it that way? Or maybe I need to host two separate app, which will be my authorization servers and resource server separately?

Related

OpenIdDict Multiple authorization servers can't decode the same access token

I'm working with a client that has a very strange network setup. Basically, they have multiple small segmented networks with their own clusters of servers because of several acquisitions, mergers, etc. It's a nightmare.
I've setup the authorization servers correctly and they're all running the same code but when I try to take my laptop from location to the other, I get logged out and have to log back in again. A lot of the employees travel between sites so getting logged out all the time is causing some grumbles.
The each instance of the APIs and Authorization servers are able to use the same database, but each site has it's own Authorization and Resource server.
What I've noticed is this:
If I stay in one place, my access/refresh token setup works great with no problems
If a travel to another site, the new sites authority server doesn't seem to be able to validate the access token and logs me out
There is one site with a load balancer that will log me out randomly as well as if I'm traveling between sites.
The app is built on .NET Core 2.2 and OpenIDDict 2.0. For budgetary reasons, upgrading either is not an option.
Is there anyway to configure a shared certificate or key so that all of the servers can decode the access tokens? Basically multiple authorization servers able to decode the access tokens generated by any of the other authorization servers?
I was able to figure it out. I had to change this:
services.AddDataProtection()
.PersistKeysToDbContext<DbContext>();
to this:
services.AddDataProtection()
.SetApplicationName("appName")
.ProtectKeysWithCertificate(MyX509Certificate2)
.PersistKeysToDbContext<DbContext>();

Can I use authentication across multiple services from one web application?

This seems like it would be a common scenario but I can't figure out how to get it work.
I have a Common Web Service located at origin 1. I want this to be common between multiple web applications. It has authentication turned on.
I then have Web Application located at origin 2. I want this web application to make some calls across to Common at origin 1 (via javascript)
These calls work fine if I turn off authentication for Common at origin 1. If I turn it on, it fails since the web application will not send the authentication cookie (or token?) across origins.
What is the correct way to architect this?
You want to look into what is called delegation. The scenario works like this:
User authenticates against AAD in your front-end app
A token gets issued that is valid for the front-end app and the backend-app (this is the delegation)
You use the token provided and forward it to the backend-app and issue the request on behalf of the user
How to set this scenario up is described here but you really do not need API Management in the middle. The reason for using APIM makes sense if you want to expose your API to the outside world too or have multiple APIs that need to act as one facade.

SSO SAML SP - How many websites to cover under one SP?

I'm attempting to implement a saml service provider, but i'm not sure what level of system to cover with a single SP.
What level of architecture per SP is considered good practice? Should we have one for our entire department, per server, per domain, per application pool or even for every site?
Our organisation has a shibboleth IDP and i'm using kentor authservices. Its working for one site but the sp is part of that site.
Assuming best practice is not one per-site if anyone has a hint on how best to approach making it more generic (i.e. one entityid for multiple sites) that would be appreciated.
Somehow you need to get the login information into each site/application. Either you use an SP per site (which is the Kentor.AuthServices approach) or you set up a Shibboleth SP proxy in front of the web apps. The latter means you have to add code to each site to parse the http headers that Shibboleth delivers. I don't like that approach - that's why I started the Kentor.AuthServices project.
So, my preference is to have make each site a proper SP through a module that is as native as possible for the web application framework. Modules that might be relevant are Kentor.AuthServices (.NET), SimpleSamlPhp, Spring (Java), saml2-js (node).
In the case that you organisation have multiple sites/applications that you want to federate with multiple upstream Identity Providers you will get NxM pairs of configuration, which is not scalable. An option in that case is to insert a SAML2 proxy that acts as Idp to your internal applications and as SP to the external Idps. New sites/applications only need to be configured in the proxy and new external Idps only need to be configured in the proxy.

Authentication against multiple identity providers using WSFederationAuthenticationModule for asp.net

We have multitenant asp.net MVC web site which supports multiple partners. Currently we are using forms authentication to authenticate users. Now some of the partners have asked for single sign on support with SAML.
I did quick POC to test it against “Thinktecture” identity provider. All I did was to install “Identity and access” extension for VS 2012 and configure the identity provider. I noticed that the extension added configuration settings like URL of the IP and realm in the web.config file. It also added “WSFederationAuthenticationModule” module to handle the authentication. This module was handling all the redirects and the validation of response behind the scene.
In my case since we will have multiple identity providers, depending upon the partner, I will be choosing the Identity provider. The URLs of the different IPs will be stored in the database. I cannot list all the IPs in web.config. Hence I need mechanism in which I can redirect user to appropriate IP URL and once the IP posts back the result, verify the result and retrieve user information through claims. I don’t want to do the XML parsing of the result and validate the response, but just want to call methods in “WSFederationAuthenticationModule” to do the heavy duty work. But I am not sure which methods will be useful for me. Can somebody help me out or list of the sequence of methods I need to execute to achieve this?
Take a look at my simple example
http://www.wiktorzychla.com/2014/11/simplest-saml11-federated-authentication.html
The trick is not to have the WSFam module in the pipleline but rather use its api to trigger redirects and consume responses. If you follow my code, you'll see there are two clauses
// wsfed response or not
if ( !fam.IsSignInResponse(...) )
// redirect to provider
else
// create local config and validate the incoming token
This simple example is perfectly suitable for multitenant scenario, in fact we use ws-fed daily in multitenant environment and most clients are based on this core approach.
Namely, creating the SecurityTokenHandlerConfiguration programatically in the branch that consumes the response gives you total control over how you validate tokens for different tenants.

SSO between 3 different Spring Web applications

Here is my situation:
Data Webapp: it's a third party webapp which shows to users some relevant data restricted by roles. It is developed using Spring but it uses tomcat digest for security and gets users and roles from a jndi resource. Nevertheless, I have the sourcecode and I can implement Spring Security on that.
Users & Roles manager Webapp: it's mine and manages a DB which contains users, roles, etc. It is developed in Spring (MVC, Security and so on). The DB is exposed as jndi resource in tomcat and the other apps takes the necessary data from that resource. I created this app because I want to be as less invasive as possible in #1.
REST service Webapp: it's mine and I use token auth in this one. Users sends user/password and credentials are verified getting the data from the jndi resource. It returns a valid token.
In #2 I have two types of authentication through the Spring form (User/password and Openid)
The first thing I came up with the #2 app could be like a CAS server because I use this only to add users, edit, set roles, remove groups,... but I don't know if makes sense having real implementations.
The second one is to deploy a real CAS server but I don't know if it is too much for two or three apps. I've read some posts about CAS, SAML, OAUTH2... but I have a little mixture..
Could you help me to decide which option is the most suitable? I want to share the same login page, to be able to log in through rest and not to see the login page each time I switch between the apps.
Thank you

Resources