I am developing an application in Oracle ADF that needs to apply a user login authentication.
The security protocol followed by the company is to read the username from the Windows Credentials and checking if that username exists in a certain database table. The applications that use this policy are usually JSP or .NET applications and do this by setting response.setHeader("WWW-Authenticate", "NTLM") which pops the authentication dialog then reads the username entered and calls an SQL query to check if that username exists in the database and checks the role.
I need to implement that in ADF and I cannot find a way to do so. All the information that I've found is regarding configuring realms in the WebLogic and using an SQLAuthenticate on the Weblogic server.
I tried putting the code in a managed bean using beforePhase on the view and it didn't work.
What can I do?
You have three ways in order to accomplish this (one of them will cost you money!)
Check this Question and this java library and create a Servlet for Authentication behavior, but this way you won't be able to make ADF Security works, and you have to implement Security yourself
Check this article and that article to enable Kerberos with Weblogic, and in your ADF application in web.xml make the security as CLIENT-CERT, if you managed to use that ADF Security should work fine
Consider using Oracle Single Sign On solution which will require you paying for license
PS: All this solution will only work on IE & Chrome out of the box, you will have to make some configurations to make it work with firefox,
Related
I have several client applications I want to put under Identity Server Authentication for which I'm using Duende IdentityServer. So, my Identity Server Project consists of the following.
Code blocks to configure the Identity Server
An ASP.NET MVC UI for Login, Error etc.
I want to keep the Identity Server and the Login application in separate projects. Here's what I'm trying to implement.
Identity Server Project : To have the Code blocks to check for the token and validate if it's a valid token.
If the token is invalid redirect to the Login Page in Login Application.
After a valid user log in success come back to the Identity Server, generate the token and maintain the token same as how the usual Identity Server works.
And with every request response the token will be validated by the Identity Server.
But I'm not sure whether it's possible or how to implement it.
Is there a way to separate the Identity Server and the Login Application in separate projects?
We are also evaluating the feasibility of having separate applications for UIs and for the rest of IdentityServer. Unfortunately, our conclusion so far is that IdentityServer doesn't support this scenario naturally. For example, the existence of IIdentityServerInteractionService suggests that interaction is designed to be used within the same application via dependency injection and a diagram on the documentation also suggest there is a single application - see link below.
I wouldn't say it unfeasible but we found few resources backing or supporting this scenario. Let us know if you find gold...
https://identityserver4.readthedocs.io/en/latest/topics/signin.html#login-workflow
I'm creating the user authentication in a web application, and I want to use Identity Server for resource protection.
The sample code and documentation shows how the user logs into Identity Server after creating an account for it. That is to say, they log in with their own Identity Server account. The quickstart even provides a UI.
But I don't want users of my application to have to log in to Identity Server, an external website. I want them to only have to log in to the web application.
So how to proceed? It just doesn't seem at all clear from the documentation how you're supposed to handle this scenario, which I would have thought would be the most common.
Do I just use a pre-defined API scope and user for token validation, holding for all the website's users? That doesn't seem to be very secure given that any user of the website or anyone with the client name and secret would have a valid token. Not sure what the point is in having the security if it's that easily worked around.
Or do I interact with my Identity Server instance somehow after the user is registered in the web application, and store the new user in a database? I can't find any mention of this in the documentation . It all seems to be very muddled to be honest.
Please could anybody shed light on some of this? What is the "standard" approach here? To have the user sign in to the external Identity Server website? That seems a great way to annoy your users.
If you only have one application and you don't intend to add more applications that needs to share users, then you should look at ASP.NET Core Identity
The whole point with OpenID-Connect/IdentityServer is to delegate the managing and handling of users/passwords (authentication) to a central entity. So individual applications don't need to deal with that complexity. IdentityServer is useful when you have multiple applications or if you have more complex integration needs. It is also perfect if you need to customize it to your own needs. If you don't need the customization part you can also outsource it to someone else like Auth0 that give you an IdentityServer like experience as a service.
I have a public-facing application that uses ASP.NET Core Identity to store first-party logins, and no intention of using third-party IdPs like Facebook or Google. I want to build the front-end in React, and the application comprises an API fronting a couple of back-end services to which I'll need to forward JWTs for authorisation.
The plan so far is to use Identity Server 4 as the IdP for the project, backing it into the ASP.NET Core Identity data stores.
Current guidance is to use Authorization Code Flow with PKCE, which would require redirection to the IdP, two sets of styling etc.
In this scenario, where there is no possibility of a third-party IdP, is Resource Owner Password Grant still highly discouraged? On the face of it, it gives a neater experience:
User populates React-based login page
XHR POST to IdP with credentials (modulo an MFA challenge)
IdP returns an access token, React app subsequently uses that for future requests to the API
What issues will I introduce by pursuing the ROPC grant in this specific situation, vs accepting the need and duplication involved in a redirect-based flow to the IdP?
AMOUNT OF WORK
This is one of the big issues. As well as a login screen you'll have to make sure other areas such as Forget Password also work. If you build a second app you'll need to make it work there also.
EXTENSIBILITY
This article summarises problem areas. One of these is no scope to ever extend login solutions.
SECURITY
Token refresh does not (usually) work with ROPG, which leads to long lived access tokens and other complexity. Also, with OAuth it is recommended that the app never sees credentials.
From a security viewpoint it looks more modern to redirect the user - all the big providers do it - eg Google, Microsoft.
BRIDGING SOLUTION
As you say, if the password is private to your app it may not be the worst thing in the world. Capturing a user's Google password in your app would be a bad thing though.
ROPG has its uses but does not have much of a future - it is deprecated in OAuth 2.1 and providers will be getting rid of it. So I would also recommend what LalitaCode suggests ..
You can create a React based Identity Server login page for Authorization Code flow with PKCE instead of using MVC UI if you want. It is just extra work and complicated. I would recommend you just style the Identity Server MVC UI to look exactly like your frontend SPA. This is the simplest way and the path I took when I did a project with Identity Server(with Angular as front end).
One of our clients requested that we integrate our system with ADFS (Active Directory Federation Services) while another requested that we integrate with Okta. They want the experience to go something like this: the end users opens up the Windows app (on their domain joined computer) and is able to use it right away with implicit authentication from one of those identity providers. No extra clicking or registration. I am willing to create multiple copies of the application integrated into these different identity providers if necessary.
Our current setup uses Node/Express as a backend (hosted on amazon web services) and all traffic is sent through this API. Our client interface is a wpf Windows application. This seems to be a less common setup. Currently, the user must sign up with an email and password, and must log in using that same email and password to start using the application.
There are 3 parts to this question that I'm super confused about (I'm an intern with limited knowledge, so please explain like I'm 5 if possible). On the other hand, I believe I have a solid understanding of how Single Sign On conceptually works (with us being the service provider and ADFS/Okta being the identity provider). Even if you can answer parts of these questions, I would be super grateful!
What (if anything) do I have to do to our API backend? I'm assuming everything just needs to be done through the windows client right? But then I saw a passport saml package but I'm unsure if I need it to complete this task.
What do I have to do to our frontend? I've tried one of auth0's sample windows application but it seems like everything is still going through a login screen. At least for any social media connection. We'd like to ideally do this without a login screen and hopefully without proprietary software like Auth0 (since we manage our own user database already). We just want something so that at startup of our wpf application, the application queries for user's information (through ADFS or Okta) and then all behind the scenes, the user is logged in automatically. Any pointers here?
What I do have to do on the 'main' active directory Windows server side (this would be on a client's enterprise network)? I've seen hints of setting up callback urls, certificates, metadata, and something, but I'm unsure of what all of that is. Lots of questions just reference that but don't explain what or why it's needed?
Lastly, I apologize if any of the questions are vague, I have tried to do research, but it just seems like all the pieces are either too advanced or just don't apply to my setup. Thank you for your time!
ADFS etc. rely on federation protocols like WS-Fed and SAML 2.0 and so the IDP behavior is determined by the protocol.
There is no browser based functionality to just log you in.
You will always be taken to an IDP login screen. Once you have authenticated, other applications on the same IDP won't require authentication. They can seamlessly log you in based on cookies.
You can't query for user info. until you know who the user is.
On the ADFS side, you can manually configure a RP (your app).
Currently have an client application running on GAE that supports OpenId login to access resources on a server application (also on GAE) through OAuth. All is fine.
But, it requires that the user have an account with Google, Yahoo, or other OpenId provider. While that seems fine for personal users, how do I handle the corporate case where users want to use myname#mycompany.com as their login?
Do I build my own OpenId provider, host it, and store those names/passwords in a database?
Is there existing OpenId source that I can use, but give it my own names/passwords?
Do I skip OpenId entirely and somehow get my own custom db lookup to integrate with GAE authentication?
Something complete different?
My work is in Java, so Java solutions are preferred. And since this is more for prototyping than for production use, easier solutions are preferred :).
After doing some additional research it seems that if I want to stick with my current use of Restlet's GAEAuthenticator then I will have to rely on OpenId. There appears to be ways to rewrite the entire authentication so that it works both with Google/OpenId and a custom database (not what I want to try), and there appear to be commercial products (SadaSystems) that seem to also do it.
For now, my workaround is to ask people who want to use their own email address in our system to sign up with MyOpenId and add that email address as their persona.