WSO2 SSO with SAML 2 - Front End React.js (REDUX), SPRINGBOOT backend - reactjs

I need to integrate a client application written with react and redux (spring boot backend) with WSO2 Single Sign-On (SAML 2.0) IDP
Do I need to make use of few node.js based packages such as "passport-saml" etc to achieve single sign-on with wso2 IDP?
Appreciate if you could share your thoughts/expertise/any reference links.
Thanks.

You can use OpenSAML(no longer maintained though) or a similar Java SAML assertion library for this.
Passport-js is specifically designed to work with nodejs. One way u could make use of passportJs is by implementing the authentication and authorization business logic of the application as a NodeJs based micro-service. AFAIK WSO2 IS works perfectly with passport-js.

Related

Does anyone know how to set up OpenIdConnect Auth using Azure Active Directory and React SPA without storing access token in the broswer

I am trying to build an app where users can sign in using their work Microsoft account through open id connect. All of the documentation on Microsoft seems to suggest that for React/SPA apps you should use the MSAL library to authenticate users but this seems to cache the access tokens directly in the brower through session storage. To my knowledge this is bad practise and a backend for frontend approach should be used for this scenario instead where the access token is stored in a HTTP secure cookie.
Does anyone know how to do a backend for frontend type approach using Azure Active Directory? Is there support for this using Microsoft Api's or do I have to just write the code from scratch?
Thanks for any help
You need to use a server side solution to issue application level secure cookies. It is not specific to Azure AD.
The Duende BFF solution is .NET based, and uses the web host, eg https://www.example.com, to issue cookies. See this code example and the docs.
It is also possible to issue cookies via a utility API that runs in a sibling domain of the SPA, eg https://api.example.com. This is a little more complex, but provides options such as deploying the SPA to a content delivery network - see this code example.

Change ReactJS Okta Authentication from OAuth 2.0 to SAML 2.0

I have my ReactJs application and I'm authenticating the users using Okta React SDK (https://github.com/okta/okta-react). This SDK is using OpenID and OAuth 2.0 to authenticate users. Now, I want to change the authentication flow from (OAuth 2.0) to (SAML 2.0) in my react application. So that user would authenticate from Okta using SAML2.0 flow instead of OAuth2.0.
For the backend, I’m using ruby on rails. I have gone through a number of blogs and documents But, looks like I am unable to find a way or examples where I get some help.
Is this possible, what I’m trying to achieve ?.
Looking forward to you guys, I’m really stuck in it.
The usual solution is in 2 layers:
Your React app uses Open Id Connect and you receive tokens with which APIs can be called. The code and tokens involved are JavaScript friendly.
Multiple login types can be supported - if you need to do a SAML login you configure Okta accordingly but do not need to change code in your UIs and APIs. You will want to avoid coding SAML yourself since it is not a web friendly technology.
So the direction should be to point Okta to a SAML identity provider and perform a federated login. If useful my blog post has further info on the general approach.

SAML with ADFS for angularjs+java+jetty webapp

I am working on a webapp, the Front-end is implemented in AngularJS which talks to back-end server by invoking REST API. The back-end is Java REST Server implemented using reslet framework deployed in Jetty.
Currently, when a user logs into a web app, a REST API is invoked which then goes to the Java REST server. The server then authenticates the user.
I want to implement SSO using SAML. So when a corporate user tries to login to the app, the user must be redirected to ADFS. If the user is successfully authenticated he must be allowed to login to the app.
I want to know how do I start? I have seen sam2-js library, however it seems to be for NodeJS based server. I am not quite sure if it can be used with AngularJS on frontend.
SSO with SAML involves browser redirects so the flow is between angular and ADFS.
There's no Java backend.
So Jetty is irrelevant.
SSO has nothing to do with REST. They are two different flows handled in two different ways.
SAML is not a suitable SSO protocol for angular. That's why you can't find any examples.
You need to use OpenID Connect with ADFS 4.0. ADAL is the way to go.

What is the best way to secure a mobile application and a Microservices backend archtiecture

I am currently working on a mobile application that will allow a user to sign in via username/password (OAuth 2.0 Password Grant), Facebook, Twitter, or Google. The backend for this mobile application is coded in Spring Boot/Cloud (Java) and makes use of Microservices principles. I have several small services that are discoverable via Eureka and make use of Spring Cloud Config for centralized configuration. They are all exposed to the Mobile device using Spring Cloud Zuul, which acts as a reverse proxy. The Spring Security OAuth 2.0 setup that I have takes in the username and password then returns a JWT token, this token is validated every time a request is made to the backend. I also store users locally in MongoDB and make use of Method Level Security. I want to add Social Login to my application and have it do the following:
On the Mobile Device do the OAuth dance and get an access token
Send the access token to the server, and using Spring Social create a new User locally and associate it to Facebook/Twitter/Google, and then return a JWT token that can be used to validate requests
This JWT token should be created by Spring Security, and I should still be able to use Method Level Security and have local users
Basically I want all the features I have with my custom Spring Security OAuth 2.0 Password Grant with Social Login
This is my first attempt in architecting a system, and therefore am looking forward to responses from those with much more experience than I have. I have seen many examples that use Spring Social, but all of them are for Web Apps, not for Mobile, this is where I am currently stuck at.
The questions I have are the following:
Is my suggested approach adequate? Are there other approaches that are stateless and better for mobile applications?
Is Spring Security OAuth 2.0 and Spring Social Security enough to accomplish this? If so, are there resources that I can use? I have not found many online.
Could Spring Cloud Security be used as a solution?
Should I consider using a 3rd Party provider for Authentication such as Auth0 or OKTA?
using OAuth2 for a stateless solution is in my opionion adequate, because of:
oauth2 in general is a protocol designed to be usable in every client, which is able to perform http requests. Since the social nets you mentioned all support OAuth2. If everything goes bad, you still can consume them manually respecting the oauth2 specs, which they implement.
in general I see a problem with "authenticate with XXX and use that token as JWT for my requests". This is not directly possible, because that token is for their resource servers. Instead you need to separate 2 processes: authentication and authorization. In short you can use the socials endpoints to authenticate a user in your backend, which leads to a second oauth2 generation from your authorization server. This can create a JWT using all features from spring-oauth.
This libary should used in addition, since it helps to setup a application wide security solution. As example, you keep an own authorizationserver (which authenticates using social login) and several resource servers. spring-cloud-security helps to build things on top of that, as Zuul SSO, hystrix+ribbon powered feign clients respecting oauth2 authentications and so on
I don't thing this will help you, because those services primary serve you as an identity provider, while you are going to couple your users identity over social networks
I hope I could clarify your question in some way
I have achieved it by referring two spring example applications. Check this
steps, you will be able to achieve social sso login with Zuul, Auth-server and multiple back-end REST projects.

Spring security oauth2 for mobile

I am planning authentication solution and trying to figure out which approach would be the best.
The system is mobile app (client application) and web platform with REST api.
The approach is to use token based authentication. My first try was Spring with its integration for OAuth2. However, it seems that Spring Security OAuth2 doesn't support token authentication without adding client credentials (which is still valid flow according OAuth spec, imho). In my case it is redundant to generate client credentials as mobile app is an integral part of the system. The desired flow should look like that :
Token authentication sketch
Is it good idea to use Spring Security OAuth2 in this specific case? Is it possible to limit it smoothly only to this functionality without boilerplate code? Maybe it is good to implement this endpoint without OAuth2 module and use pure Spring Security?
Thanks in advance for any insights :)

Resources