  • SSO with OAuth 2.0

    Hi there,

    My aim is to implement an SSO solution based on OAuth 2.0. The applications in question are written in nodejs and Java. The Java apps use Spring Security. The nodejs apps use passport, whose OAuth 2.0 support may be provided by the passport-oauth module.

    So far, I've got a working prototype of an authorization server, inspired by the OAuth 2.0 Spring Security sparklr sample. It can authenticate users and authorize its own resources. Now I need to implement single-sign-on across multiple applications.

    It can be done, but I am still a bit sketchy on how it is going to pan out. I've found resources on the subject to be very sparse.

    Has anyone out there done this? If so, are you willing to share some general advice on the approach? Or point me towards some reading material I've missed?

    Please forgive me for being vague. That's where things are at right now.

    Thank you for your help.

    -C

  • #2
    The usual approach is to expose some user details via an OAuth2-protected endpoint (e.g. /userinfo, or /me in the case of Facebook), and then hook that up to your authentication provider on the client, and to use a session cookie (or similar) to maintain state between the user's browser and the auth server. We use the UAA for SSO in CloudFoundry, so it has a /userinfo endpoint (https://github.com/cloudfoundry/uaa/...oEndpoint.java) and some library support for client-side Java (https://github.com/cloudfoundry/uaa/...ity/uaa/client) and ruby (https://github.com/cloudfoundry/omniauth-uaa-oauth2) apps. There is also Spring Social and Scribe on the Java client end. People have also used node with passport I believe (https://cfnodelogger.cloudfoundry.com/).



    • #3
      Dear Dave,

      Thank you so much for pointing me in the right direction.

      That is a great explanation. I will study the CloudFoundry examples you highlighted.

      All the best,
      -C


      Originally posted by Dave Syer:
      The usual approach is to expose some user details via an OAuth2-protected endpoint (e.g. /userinfo, or /me in the case of Facebook), and then hook that up to your authentication provider on the client, and to use a session cookie (or similar) to maintain state between the user's browser and the auth server. We use the UAA for SSO in CloudFoundry, so it has a /userinfo endpoint (https://github.com/cloudfoundry/uaa/...oEndpoint.java) and some library support for client-side Java (https://github.com/cloudfoundry/uaa/...ity/uaa/client) and ruby (https://github.com/cloudfoundry/omniauth-uaa-oauth2) apps. There is also Spring Social and Scribe on the Java client end. People have also used node with passport I believe (https://cfnodelogger.cloudfoundry.com/).



      • #4
        Hi Dave,

        I'm coming back to this topic after working on some other things...

        Following the approach that you described, the SSO mechanism is working for a collection of nodejs applications (using passportjs). These applications maintain the login session with a shared cookie. Passport manages the session, so there is no sensitive information stored in the cookie.

        Now I have a new problem; the login session must be shared with a Java web application which does not have access to the same session store.

        Storing the access token in a cookie goes against recommendations in the OAuth 2.0 spec, which states:
        Don't store bearer tokens in cookies:
        Implementations MUST NOT store bearer tokens within cookies that can be sent in the clear (which is the default transmission mode for cookies). Implementations that do store bearer tokens in cookies MUST take precautions against cross-site request forgery.
        Do you, or does anyone else reading this, have some suggestions on how to securely retain authentication state across applications that do not share a session?

        Thank you,
        -Cailie



        • #5
          Hi again Dave,

          I found your blog post on this topic, which has several recommendations at the bottom.

          http://blog.springsource.org/2011/11/30/10317/

          Thank you,
          -Cailie



          • #6
            Normally the cookie that maintains SSO state is going to be with a single server (the auth server or a proxy for it), so it decides what the format of the cookie is (and doesn't put access tokens in it). I don't see what would be different about your use case. The node apps might have their own cookies, but they should have nothing to do with the auth server authentication state.



            • #7
              Hi,

              [EDIT]: Added flow diagram for better comprehension.

              I have the same requirements for the SSO part.

              I have implemented OAuth2 servers:
              • 1 resource server (backend API), exposing business needs
              • 1 authorization server (Spring Security OAuth2) + authentication server (user db + login/register) exposing OAuth protected resources (/userinfo: currently logged-in user)
              • 1 web server, which needs to retrieve data from the /userinfo endpoint to sign in the user (SSO client).
              These 3 "servers" (in fact, applications) are deployed in a single Tomcat server.

              The "client_credentials" flow is currently working between the webserver and the authorization/authentication server but it never retrieves the current Authentication (authenticated user into the authentication server).

              In order to complete my SSO implementation, how can I maintain the "session" between the two applications, to retrieve the right authentication (the user which is logged in) using the client_credentials flow?

              Once the SSO will work, I will encapsulate this logic in a Spring Security Filter, making requests to /userinfo endpoint, to authenticate user into other applications.

              Here is a diagram (could not upload this large picture here): http://s16.postimg.org/w1sbkf98l/SSO_Login_flow.png


              Please forgive me for these bad explanations, also, I am available for any question.

              Thank you for your help.
              Last edited by Florian.Lopes; Apr 20th, 2014, 04:41 PM. Reason: Added flow diagram for better comprehension.



              • #8
                Any information needed to understand my needs?

                To summarise, it's basically implementing OpenID Connect with the OAuth2 client_credentials flow.

                Here is the diagram again : http://s16.postimg.org/w1sbkf98l/SSO_Login_flow.png


                Thank you in advance.
