Can anybody suggest me a good tutorial for handling user authentication and roles using AngularJS.
I just want to lock down certain areas of the site to certain users etc just like privileges.
I have googled but didn't find any tutorial speaks about it.
You should look at the angular-app project (more particularly its security module) : https://github.com/angular-app/angular-app/tree/master/client/src/common/security (which internally uses angular-http-auth module)
This module handles the authentication and securing of routes based on a two-level access : loggedin user and administrator. You can easily update code to handle more roles...
Related
I did dome research about WSO2 OIDC but what I found is rather than use my own login page I can only just customize the login page only
Is there any method to use my froundend page to let me have the full control of the layout
Contrary to what you have mentioned, you can actually modify the layout of the SSO page by tinkering with these two files:
https://github.com/wso2/identity-apps/blob/master/apps/authentication-portal/src/main/webapp/login.jsp
https://github.com/wso2/identity-apps/blob/master/apps/authentication-portal/src/main/webapp/basicauth.jsp
However, if you still insist on using your React app, you can use the password grant to build your own React-based login page. But there are several caveats:
You cannot use multi-factor authentication or social media login since the user is not going to be redirected to the identity server during the authentication process.
It should only be used with first-party applications that you trust.
It compromises the security of your application and it is not recommended to be used by OAuth 2.0
Personally, I would not want to use this grant but I wanted to let you know this option exists if you insist on handling authentication yourself.
Authentication endpoint (login portal) is tightly bound to Servlet technologies as of the latest release. You can find how to host it external on any servlet container (e.g. Tomcat) here
There is an improvements suggested to allow it to developed using any technology including ReactJs, exposing API set for authentication flow. However this has not been prioritised yet.
Hence you can use the existing Servlet/JSP way for your research. This may seem bit harder than using ReactJS, yet is the best way available at present.
I'm creating the user authentication in a web application, and I want to use Identity Server for resource protection.
The sample code and documentation shows how the user logs into Identity Server after creating an account for it. That is to say, they log in with their own Identity Server account. The quickstart even provides a UI.
But I don't want users of my application to have to log in to Identity Server, an external website. I want them to only have to log in to the web application.
So how to proceed? It just doesn't seem at all clear from the documentation how you're supposed to handle this scenario, which I would have thought would be the most common.
Do I just use a pre-defined API scope and user for token validation, holding for all the website's users? That doesn't seem to be very secure given that any user of the website or anyone with the client name and secret would have a valid token. Not sure what the point is in having the security if it's that easily worked around.
Or do I interact with my Identity Server instance somehow after the user is registered in the web application, and store the new user in a database? I can't find any mention of this in the documentation . It all seems to be very muddled to be honest.
Please could anybody shed light on some of this? What is the "standard" approach here? To have the user sign in to the external Identity Server website? That seems a great way to annoy your users.
If you only have one application and you don't intend to add more applications that needs to share users, then you should look at ASP.NET Core Identity
The whole point with OpenID-Connect/IdentityServer is to delegate the managing and handling of users/passwords (authentication) to a central entity. So individual applications don't need to deal with that complexity. IdentityServer is useful when you have multiple applications or if you have more complex integration needs. It is also perfect if you need to customize it to your own needs. If you don't need the customization part you can also outsource it to someone else like Auth0 that give you an IdentityServer like experience as a service.
I am developing a web app in Spring MVC. I want to ask about solution guide lines for following problem:
Users get registered
Each user has different level of access levels and also some users have completely different level of form to work with.
I want to make the view appropriate to user login. He only see that form of views that are authorized to him and We can set the user access level of different views from admin panel.
Should i use database tables for controlling this.?
You must implement a part that manage user authentification and access for this i recommend you to use the framework Spring security.
Here is some documentation and exemple that can help you :
http://websystique.com/spring-security-tutorial/
I'm building an app using which the users registered(from the IAM page) for the project can access the resources of that project. I need the authentication when the URL is hit. Is there a way to achieve this?
Is it possible to provide IAM roles specific for a user request (assuming that the user will login using his email id) to access the resources based on IAM level permissions?
In the early days of AppEngine it was pretty easy to do some basic auth/access-control, but lately they're moving it to something called IAP.
From your wording I am assuming you are trying to abstract administrative tasks of a GCP project to lesser privileged administrators.
Questions 1 and 2 can be quickly solved by defining privileges in IAM using a pre-built roles or creating a custom role if you need to be more specific. Hereby you can use GSuite, GMail, Google Group accounts and let them sign into console.cloud.google.com. They will consequently only be able to see and act upon what you've assigned to them to in IAM.
If you still want to go through with building it yourself, every product does provide an API including authentication. Best practice for your use case is to instead of assigning an individual user access to a resource, you rather create a service account and then allow the user to call that service account. For this GCP has the Service Account Actor Role described well in the official documentation and also Salmaan Rashid provides a good practical insight on medium.
I'm trying to implement IdentityServer3 into my architectural mix. I like the idea of registering Clients, Users, and Scopes. What I do not like is using IdentityServer3's built in login and registration forms.
I have 4 different apps that need to use my IdentityServer3 implementation (aka TokenServer). These 4 apps are AngularJs apps. I have various C# .Net WebAPI services supplying data to these 4 apps. Right now each of these 4 apps have their own authentication and registration process. I need to consolidate authentication piece using IdentityServer3.
Each of these 4 apps have different account registration/authentication needs. There's a mix bag of 3rd party authentication (Facebook, Google) as well as traditional forms authentication against an account the user has registered with.
So, I cannot have any of my AngularJs apps use the default Login/Registration forms that come with IdentityServer3. I've spent a lot of time now trying to find a way to turn off the default views and just wire each of my AngularJs apps to my TokenServer. I simply want to POST login credentials to the /token endpoint and return a token that can be used in subsequent calls to my WebAPI. I want to replace the authentication process I have for each app with IdentityServer3 without changing the existing login/registration UIs.
I cannot find a sample app or even documentation that shows how to do this. Is it even possible to 'turn off' every one of IdentityServer3's UI views and use my AngularJs client's login and registration forms?
Please point me in the right direction. Thanks for your time.
It seems you want to use the OAuth 2.0 resource owner flow - which means - your app posts credentials to the token endpoint and gets back an access token. That is totally possible - you will miss out on some features like federation and SSO. But these are the known constraints of this flow.
If you want to use a redirect based flow (which gives you SSO and e.g. Google logins etc) - you need to redirect. You can replace any of the IdentityServer views with your own. The documentation and samples have plenty of information how to do that.
https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomViewService