Drupal OAuth Service Module - drupal

I am trying to do some research into potentially setting up an existing Drupal site with user accounts/login page to also be an OAuth service provider, basically authenticating users to make calls with a web service. I am looking for a Drupal module which will give this functionality. Most of what I run into are OAuth consumer modules, which is not what I want in this case.
I've found a few modules which I think might do this for me, but the module descriptions are generally pretty vague and don't have much of a user base which doesn't inspire much confidence.
Has anyone else done this before? What are the best modules available for doing this?

As of now, you should be using "services", version 3.x, and "oauth". You won't want to use any of the other modules. They are not compatible with the latest services and oauth modules.

For OAuth2, there's OAuth2 Server. OAuth is for OAuth1.
The corresponding client for OAuth2 is OAuth2 Client.

After several days of research I was able to find a few modules which help with this. Namely, Services http://drupal.org/project/services and its accompanying OAuth authentication module http://drupal.org/project/services_oauth.
Both of these have several dependencies as well. Once configured you can authenticate users on third party sites using OAuth. Supposedly, this exposes a whole Drupal API web service, but I am yet to get that to work successfully.

Related

ASP.Net Identity - External logins without any UI from Web API

Note: Just learning Identity so please bear with me. We are developing a Web API for use by apps that we build and apps built by our clients. I have the local engine working the way I want so that any "client" app could use our API to log in.
What I cannot seem to get to work is external login providers without being presented with a login page. Is it possible to converse with them in API only mode or is this type of setup out of the question? What I don't want our client's apps to have to do is know how to manage the logins to use our API.
I know this may be similar to a few other questions out there but I do not see one with our particular need.
Thanks,
Paul Speranza
If your API needs to have authentication in place, then you would need some kind of registration done by the consumers of your API. But you could provide seamless ways to integrate login by not providing any additional form requirements from the client application. Popular login methods today use social networks. Web API does have out-of-the-box support for integrating with the social networks.
You can find a sample for using Facebook authentication here

Can I receive SAML 2.0 message in ASP.NET without WIF?

We are planning to receive a SAML assertion from another website into ours (ASP.NET). No one here has ever worked with SAML. We simply need to verify the signed assertion, decrypt the token containing a user id and, if we can verify it, log them into our site (authenticate/authorize). We are using Forms Authentication for all other authentication. I would like to avoid installing WIF if possible because my understanding is we'd have to install the runtime on all the developers' machines and servers. Our machines are locked down by policy such that it would be a lot of paperwork to get it installed. Are there alternatives to WIF and are they realistic to use in an enterprise environment? If so, can someone point me in the right direction? A good tutorial, video, book or anything with examples would be helpful. I looked at some third-party components but I'd have the same issue as with WIF on our servers (not to mention dealing with procurement).
Thanks
Is this an internal or an external-facing application? You may want to check out PingOne.com Application Provider Services (APS) [Note: I work for Ping]. PingOne handles all the SAML protocol stuff for you and provides self-service capabilities, reporting, etc. No need to install WIF... just a few lines of .NET code (or whatever) to integrate with the RESTful service that PingOne provides.
HTH - Ian

How to implement DotNetOpenAuth as Oauth provider in MVC3 .net?

I have been researching for a while now about how to implement an OAuth provider to secure my web api, but without good results.
From what I've seen so far, apparently there are only three libraries to develop an OAuth provider in .NET:
1- DotNetOpenAuth
2- DevDefined
3- OAuth.net from madgex
madgex doesn't have any documentation for providers at all, at least I haven't found anything. Same with DevDefined; well, the last one has some documentation, but it lacks samples.
DotNetOpenAuth I think is the one most developers use, but I'm having a hard time understanding its samples, and the documentation is terrible.
Has anybody implemented any of these libraries to write an OAuth PROVIDER, NOT CONSUMER, or does anyone know where I can find decent documentation for any of these?
For the record, I'm trying to develop a 3-legged OAuth provider.
Can anybody help me out here?
Have you checked out this project template, which although it's MVC 2 should provide some useful ideas for doing it in MVC 3:
http://visualstudiogallery.msdn.microsoft.com/81153747-70d7-477b-b85a-0374e7edabef
Then there is the OAuthServiceProvider sample that comes with DotNetOpenAuth, which is WebForms but the principles are mostly the same.
A good sample of DotNetOpenAuth implementation could be found here Releasing an ASP.NET MVC 3 OpenId StarterKit under Open Source License
Project url: http://mvcopenid.codeplex.com/
It should be good for you to start with.
UPDATE
By the way, in ASP.NET MVC 4 third-party auth providers are supported out of the box.
I have followed the steps mentioned at https://github.com/DotNetOpenAuth/DotNetOpenAuth/wiki/Security-scenarios to implement an OAuth 2.0 authorization service.
I have used the below link to create security certificates:
http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/
Don't forget to change your solution to use the thumbprints from the certificates created by you.
This is the best place to understand the OAuth 2 protocol:
https://www.rfc-editor.org/rfc/rfc6749

How to produce a single sign-in for 3 websites

I have 3 websites, and all my sites are using a common database. I want to have a single login control for all my sites.
I am thinking about a solution using web services; can anyone suggest any other, better solution?
All my sites are developed with ASP.NET technology.
You may think about an OpenID login system, as it is with the StackExchange sites. And of course the web service is the better solution to design a single sign-in authentication & authorization.
You might want to check out OpenID, or consider letting users log in with Facebook or other services, like the Stack Exchange network does.
EDIT: if you don't want to use a third-party service, you can deploy an OAuth provider then. Notice that OAuth is a standard, not a service, like OpenID or Facebook Auth or similar solutions. It just saves you the hassle of actually designing the authentication process. You might be interested in the code section of the OAuth site, as it contains open-source implementations in ASP.net.

Shibboleth and .NET

I've got a requirement that an ASP.NET web app use Shibboleth for the authentication. Has anyone done this before? Are there libraries out there to support the method calls? Or is this a Java-only thing?
It's definitely not a Java-only thing, there's an Apache module available for download on the Shibboleth site.
I don't know if there's anything specific for .NET.
We implemented Shibboleth a while back and we originally tried to use the Java solutions - it was a nightmare. The Java apps were badly written, buggy and badly documented. It was hassle after hassle and we eventually decided to use the Apache module on a dedicated server and forward successfully authenticated users onto our Tomcat app.
The Apache module was a breeze to set up, configure and get working.
Don't know if you've already realised but the Shib documentation and website are incredibly hard to navigate - it's a fight to find any useful information. I did go and look for a .NET implementation on there but gave up!
If our Java experiences are anything to go by I would seriously suggest setting up an Apache server with the Shibboleth module installed and saving yourself a world of pain.
This is a good site for testing your Shibboleth install once you have it set up: http://www.testshib.org/testshib-two/index.jsp
If you do find a good .NET solution then I'd be very interested to hear about it. Good luck!
I know this is a really old question, but I thought I might be able to do a bit better expanding for those who are finding the answers from Google.
As recommended above, you really want to configure your web server to load a module. The hard part of Shibboleth is the configuration file, but assuming someone else in your organization has utilized Shibboleth you can use theirs as a template and it's fairly easy.
For .NET based authentication, you'll need to configure Shibboleth in IIS. The default configuration for IIS creates a directory called /secure, and anything put under there will require Shibboleth authentication (i.e. it will redirect to the identity provider). You can configure it to cover other directories or even do lazy authentication.
Once you have the authentication piece in place, you can check headers to "read" the information the identity provider is passing to you. IIS handles things a bit differently than Apache, but it's still pretty easy. If you just want the username you could use HTTP_REMOTEUSER, although there could be better options; e.g. Ohio State University recommends using the eduPersonPrincipalName.
As MatthewMartin says Shibboleth is just a SAML server, Windows Identity Foundation supports SAML as explained in this blog post.
