IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

WAAD SSO + Resource Owner flow #245

Closed panesofglass closed 11 years ago

panesofglass commented 11 years ago

I would like to support resource owner flow for a web application using IdSrv. We have a custom login page design that seems to require this. (Is it possible to just restyle the IdSrv page?) I also want to provide a SSO experience for one or more ADFS, at least one of which is hosted on Azure.

Do you have any samples that show how to mingle these? I haven't understood the differences in federation and ADFS integration.

I know it is possible I've either missed an article or am trying to do something that is too complex. If so, what will get me closest?

brockallen commented 11 years ago

If you're doing OAuth2 then you might want to consider switching to AuthorizationServer:

http://leastprivilege.com/2013/06/13/announcing-thinktecture-authorizationserver/

You could then use whatever authentication/federation solution you wanted.

panesofglass commented 11 years ago

I'm not sure how that helps me. I thought my question was directed at the authentication mechanism. In other words, how do I allow two different authN mechanisms that appear to work differently. Apologies that this wasn't clear.

I want to allow a SSO experience for those in Windows Azure AD and use a form to authenticate non-AD users. I want to obtain a JWT from both that will be used to authorize calls to Web APIs.

brockallen commented 11 years ago

Well, what I was suggesting was that if you needed OAuth2 resource owner flow then you might want to look into AuthorizationServer. It then defers the authentication to some external IdP and you could use IdentityServer as the IdP.

In any event -- IdentityServer supports federation to other IdPs. So you'd want to configure an identity provider for 1) WAAD and 2) IdentityServer itself. This requires the "Enable Federation" setting under WS-Fed protocol config.

leastprivilege commented 11 years ago

Does that make sense?

panesofglass commented 11 years ago

Not really. Authorization Server just confuses me more. Doesn't IdSrv already do authZ?

WAAD application integration would give me SSO, but everything would have to go through WAAD, which I don't want.

I need to use tokens, so ASP.NET membership is insufficient for portal auth, thus I still need IdSrv. Right? Or can I pass credentials to Authorization Server for that? I don't know where authN would fall in there.

I plan to follow your post to federate WAAD with IdSrv and then try to figure out what it means to add IdSrv as an IdP. The latter doesn't look complicated.

What am I missing? I still feel like I am looking at a mix of Legos that should fit together, but I no longer have the box or instructions.

leastprivilege commented 11 years ago

http://leastprivilege.com/2013/06/16/relationship-between-identityserver-and-authorizationserver/

I guess the problem is - that I don't understand your problem ;)

explain to me step by step

I would like to support resource owner flow for a web application using IdSrv. We have a custom login page design that seems to require this. (Is it possible to just restyle the IdSrv page?)

What does that mean? A login page takes username & password and contacts IdSrv programmatically to validate it?

I also want to provide a SSO experience for one or more ADFS, at least one of which is hosted on Azure.

Does that mean you want to add multiple ADFS as identity providers to IdSrv? So users can sign in to relying parties registered in IdSrv?

These two requirements don't really fit together.

panesofglass commented 11 years ago

These two requirements don't really fit together.

Then that's my problem. :) Yes, I want to allow a login page to programmatically send credentials and retrieve a token. I also want to federate one or more ADFS as identity providers to IdSrv.

What about these requirements don't fit? That is something I don't understand. Is there a way to alter what I want to do so that these can fit? In other words, could I use OAuth2 Implicit Flow to leverage IdSrv as an IdP alongside the federated ADFS?

leastprivilege commented 11 years ago

So -

Resource owner pwd flow: credentials in, token out. As simple as that. What are you planning to do with that token afterwards? I am confused.

Federation with ADFS - how are you planning to use that? For web SSO? Using WS-Federation?

Why do you need both?

panesofglass commented 11 years ago

Why do you need both?

The portal application exposes a front-end used by external users. The front-end shares services with CRM that both internal and external users will use. Internal users authenticate through WAAD. External users authenticate in the portal. What options do I have here?

Resource owner pwd flow: credentials in, token out. As simple as that. What are you planning to do with that token afterwards? I am confused.

The browser client retrieves the token (in JavaScript). We store the token and pass it along with every request to the services. This happens both on the portal and in CRM (web resources, though this uses the WAAD identity).

Federation with ADFS - how are you planning to use that? For web SSO? Using WS-Federation?

Yes, I'd like to use the ADFS for web SSO from CRM. I was planning on using WS-Federation. I thought I could use the ADFS Integration in IdSrv to convert the SAML token to JWT.

Thanks for sticking with me. I'm open to alternatives. I just don't know what the alternatives are. I also don't entirely follow how to separate authN and authZ. I know the conceptual separation but not the applied separation.

leastprivilege commented 11 years ago

Ok I get the RO flow scenario - our RO flow implementation only allows using IdSrv accounts - not accounts from an identity provider (like WAAD) - is that OK?

The WS-Fed requirement looks OK too. Should work.

panesofglass commented 11 years ago

Ok I get the RO flow scenario - our RO flow implementation only allows using IdSrv accounts - not accounts from an identity provider (like WAAD) - is that OK?

That's all I need.

The WS-Fed requirement looks OK too. Should work.

Excellent! Is my understanding of ADFS Integration correct, or do I just need to do the WS-Fed with WAAD?

Also, should I go ahead and add AuthorizationServer into the mix? If so, how? I'm on a tight deadline (Wednesday), so I'd prefer to delay unless it greatly simplifies things.

leastprivilege commented 11 years ago

Just federate with all the WAAD ADFSes etc... via the "identity provider" feature in the admin section

leastprivilege commented 11 years ago

Since WAAD is GA I have not tried to federate with it - things have changed from my blog post - for sure.

panesofglass commented 11 years ago

I've got ACS tied into my application. Now I'm trying to get Resource Owner Flow working. I feel as though I've wasted another day. The OAuth2Client throws an exception telling me that I received a 400. If I switch to using HttpClient, I get back an invalid_grant message. I think I've matched the sample shown in the Thinktecture.IdentityModel repo, but the constants used make it very difficult to see everything in one place. Do you happen to have a complete walk-through for how to set up everything?

leastprivilege commented 11 years ago

I still have the feeling you are doing something substantially wrong.

Why do you say ACS and the RO flow sample? How do you think the two work together?

leastprivilege commented 11 years ago

For a walkthrough see the identity model wiki.

https://github.com/thinktecture/Thinktecture.IdentityModel.45/wiki

(under Web API security sample)

panesofglass commented 11 years ago

I agree I think I'm doing something substantially wrong. I just added ACS as an Identity Provider. I have a client with code flow and implicit flow enabled. I went ahead and used the Identity and Access wizard, though I did not really want to. I was able to authenticate with IdSrv using implicit flow, but I did not get ACS as an option.

I can't understand what I've missed. This doesn't seem that difficult. What am I missing? At this point, I don't care how I get the pieces integrated, I just want something to work. Any help is appreciated.

leastprivilege commented 11 years ago

OK - I see. As I said earlier. We only implemented federated login (e.g. with ACS or a social provider) for WS-Federation - not for OAuth2.

It looks like you want to use OAuth2 to sign-in, but using a registered identity provider (instead of the IdSrv account database). That's not supported.

panesofglass commented 11 years ago

As I mentioned, I'm just trying to find anything that will work. I'm not married to OAuth, though I initially wanted to use JWT. Do you have any suggestions?

leastprivilege commented 11 years ago

You can use OAuth2, but the users need to be stored in IdSrv's database. Does that work for you?

panesofglass commented 11 years ago

No. My fundamental need is to accept both local identities (Forms Auth or IdSrv) and federated identities (ACS, WAAD). I wanted to stick to a token-based approach, but I can even break away from that approach if it turns out Forms Auth is part of the solution. (I realize my use of "local" and "federated" are inconsistent; that is just how I think of them with respect to the web application.)

panesofglass commented 11 years ago

Another, slightly related question: I can retrieve a token from IdSrv, but the token is rejected somewhere along the way. I used Thinktecture.IdentityModel to set the valid tokens, but it isn't letting my token through.

leastprivilege commented 11 years ago

Please keep the threads separate.

So our WS-Federation endpoints support federation, the OAuth2 ones don't. That's something we are looking into, but right now that's the way it is.

W.r.t. validation - one of the 3 values (issuer, audience, signing material) does not match. Also I'd recommend using the latest version of tt.idm, where we use the Microsoft JWT handler.

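The two mechanics the thread keeps circling back to are (a) the resource owner password flow ("credentials in, token out", which only works for accounts in IdSrv's own database, so a federated WAAD/ACS user gets `invalid_grant`) and (b) why a token that IdSrv did issue is then rejected by the Web API (issuer, audience or signing material not matching). The following is an added example, not code from IdentityServer or Thinktecture.IdentityModel: a toy token endpoint for the password grant and a validator that reports exactly which of the three values failed. HS256 with a per-relying-party symmetric key, the account names, client id/secret, issuer URL and audience are all assumptions constructed for the example.

```python
"""Added example (not IdentityServer code): toy OAuth2 resource-owner-password
token endpoint issuing an HS256 JWT, plus a validator that names which check
(signature / issuer / audience / lifetime) failed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (assumptions standing in for IdSrv's database/config).
LOCAL_ACCOUNTS = {"alice": "correct horse battery staple"}   # IdSrv-local accounts only
CLIENTS = {"portal-js": "client-secret"}                      # registered OAuth2 client
ISSUER = "https://idsrv.example.com/issue/oauth2"             # assumed issuer URI
SIGNING_KEYS = {"https://api.example.com/": b"shared-symmetric-key-for-api"}  # per relying party (audience)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS serialization, HS256 (assumed algorithm for the example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_endpoint(form: dict, now=None):
    """Resource owner password grant: credentials in, token out.
    Returns (http_status, json_body) the way an OAuth2 token endpoint would."""
    now = int(time.time()) if now is None else now
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if CLIENTS.get(form.get("client_id")) != form.get("client_secret"):
        return 401, {"error": "invalid_client"}
    scope = form.get("scope")
    if scope not in SIGNING_KEYS:
        return 400, {"error": "invalid_scope"}
    # Only local accounts can be checked here: a federated user (WAAD/ACS) has no
    # password in this store, so the grant fails exactly like the thread describes.
    stored = LOCAL_ACCOUNTS.get(form.get("username"), "")
    if not stored or not hmac.compare_digest(stored, form.get("password", "")):
        return 400, {"error": "invalid_grant"}
    claims = {"iss": ISSUER, "aud": scope, "sub": form["username"], "nbf": now, "exp": now + 3600}
    return 200, {"access_token": sign_jwt(claims, SIGNING_KEYS[scope]),
                 "token_type": "Bearer", "expires_in": 3600}


def validate_jwt(token: str, expected_issuer: str, expected_audience: str, key: bytes, now=None) -> list:
    """Return the list of failed checks; an empty list means the token is accepted.
    The three values that must line up on the resource side are the signing key,
    the issuer and the audience; lifetime is checked as well."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:
        return ["malformed"]
    failures = []
    if header.get("alg") != "HS256":
        failures.append("alg")        # never let the token pick the algorithm ('none', alg switching)
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        failures.append("signature")  # wrong/rotated symmetric key on the API side
    if claims.get("iss") != expected_issuer:
        failures.append("issuer")
    if claims.get("aud") != expected_audience:
        failures.append("audience")   # token issued for a different relying party
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        failures.append("lifetime")
    return failures


if __name__ == "__main__":
    good = {"grant_type": "password", "client_id": "portal-js", "client_secret": "client-secret",
            "username": "alice", "password": "correct horse battery staple", "scope": "https://api.example.com/"}
    status, body = token_endpoint(good)
    print(status, validate_jwt(body["access_token"], ISSUER, "https://api.example.com/",
                               SIGNING_KEYS["https://api.example.com/"]))
    # A WAAD-only user has no local password -> 400 invalid_grant
    print(token_endpoint(dict(good, username="bob@contoso.example", password="x")))
```

When the API rejects a token, run `validate_jwt` with the API's configured issuer, audience and key against the token the browser actually sends; the returned list tells you which of the three values to fix in the relying-party configuration rather than guessing.
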
leastprivilege commented 11 years ago

I close this for now. Feel free to open a new thread.