Collaborate Disseminate
I am working on developing a REST API that will be used by first party clients that we develop, and third party clients in the future. The first party clients include a SPA client side application, and programs that run on c… Continue reading Securing a multi-tenant API with SSO and different roles per tenant
I am developing an application for which I would need the user to publicly sign a document : Making a public proof that he approves it.
I want this feature to be super user-friendly and not to require any knowledge about cr… Continue reading Using OpenId provider to digitally sign documents
I am learning about the Thinktecture Identity Server v2 and considering deploying it as a single sign on solution for 3 to 4 apps/services our company is developing for our customers. The applications use a mix of ASP.NET for… Continue reading Does Thinktecture V2 Require Round Trips on Requests
I need to implement a web-based authentication protocol so users I know can be given access to a third-party web application. I will work with the developers of that web application to implement both sides, since they currently do not support authentication delegation.
At first, I thought I would implement an OpenID 2.0 IdP, since I thing the protocol is simple and well-designed. But the other developer feels concerned that OpenID 2.0 is considered obsolete, and thinks we should rather use the newer OpenID Connect…
Given that we have no need for authorization delegation that OAuth might provide, OpenID Connect looks bloated to me.
So, should I consider it is dangerous to deploy the obsolete OpenID 2.0 now and choose OpenID Connect or should I insist on using the older and simpler OpenID 2.0 protocol?
And if I should choose OpenID Connect, is there a good reason not to use the implicit flow (with “response_mode” set to “query”)? I’d rather avoid the extra server-to-server round-trip that looks useless to me, for a protocol that only provides identity…
I have read the details of pure JSON web token (JWT), and found that it is signed (e.g. by SHA256) but not encrypted. Hence, attack can read the sensitive information by decoding the header and payload.
I am not very familia… Continue reading Is JSON web token further secured in OpenID, and how?
I have read the details of pure JSON web token (JWT), and found that it is signed (e.g. by SHA256) but not encrypted. Hence, attack can read the sensitive information by decoding the header and payload.
I am not very familia… Continue reading Is JSON web token further secured in OpenID, and how?
Unlike WS-Federation/WS-Trust metadata, the OpenID discovery endpoint is not signed. This results in a number of threats that are possible on this endpoint.
Is there any justification in not signing this endpoint? Is there … Continue reading Is there any reason the Well-Known OpenID discovery endpoint is not signed?
Since OpenID Connect builds on OAuth 2.0, I am assuming that everything that is possible with OAuth 2.0 is also possible with OpenID Connect.
In particular, say that my website stores some information that belongs to the use… Continue reading Any scenario for using both, OpenID Connect and OAuth 2.0?
We run a large distributed system consisting of a number (>10) of Django-based web services and web applications with a consumer base of about 10000 university students. Currently, we use a single single-sign-on system (Shibboleth) provided by our university to handle authentication. Authorization/roles are manually configured per-user at each web service. Our current architecture is shown below:
We would like to extend our system to allow logins using Google, Facebook, LinkedIn and other universities. It seems like we need a middleware that is in charge of authentication and role management. Roles are frequently created and cannot be statically defined. The middleware should also perform session management (like handling timeouts, single log-out). We picture something like the following:
What components would we need in this middleware? Our sysadmin is considering Gluu or Keycloak along with an AD service. Would either of these solutions meet our requirements? Are there any best practices or vulnerability/configuration checklists for such systems?
We run a large distributed system consisting of a number (>10) of Django-based web services and web applications with a consumer base of about 10000 university students. Currently, we use a single single-sign-on system (Shibboleth) provided by our university to handle authentication. Authorization/roles are manually configured per-user at each web service. Our current architecture is shown below:
We would like to extend our system to allow logins using Google, Facebook, LinkedIn and other universities. It seems like we need a middleware that is in charge of authentication and role management. Roles are frequently created and cannot be statically defined. The middleware should also perform session management (like handling timeouts, single log-out). We picture something like the following:
What components would we need in this middleware? Our sysadmin is considering Gluu or Keycloak along with an AD service. Would either of these solutions meet our requirements? Are there any best practices or vulnerability/configuration checklists for such systems?