By: Daniel Prince user 14 Feb 2016 at 9:48 p.m. CST

3 Responses
I'm having a really hard time wrapping my head around Identity management these days. I've spent the last week reading RFCs on OAuth 2.0, OpenID Connect and UMA, but I'm still confused if this is the technology I should be using. My goal is to provide a set of APIs that all lead back to a centralized Authn/Authz Server. Most of my apps are written in Python using Pyramid, but I have a few that are in Perl and use Catalyst. I first attempted to write my own Auth server but got overcome by the specifications, so I went on looking for premade solutions/libraries. Which is where I ran into Gluu. Gluu seems to be what I'm looking for, but I'm puzzled if this is the correct direction. I have 3 API services that need to authn/authz to a centralized point. I have successfully obtained a token using grant_type code and implicit. But the problem I'm having is with the Resource Server validating the token. I guess I'm confused at what the proper way to do this is. My client application passes a token to the resource server, but the resource server doesn't seem to have a way to authenticate that the token is correct or what access the user using the token is allowed to access. This is where I ran into UMA. UMA seems to be the direction I want to go, but the implementation details are very confusing to me. I can't figure out if UMA is meant for services that allow multiple auth servers to authn/authz against or if it's meant to standardize the way resource servers validate tokens. Basically I'm looking for a standardized way to validate tokens and validate permissions to access a resource on an API server. Is UMA the correct direction? If UMA is the correct direction, is there any documentation that can help guide me in resource service token validation? Let's say I have 3 users A, B and C. User A has Admin rights and can access all API calls. User B has read rights to only resources that are in the same Group as the user. User C has Read/Write access to only select resources in its Group.
Does UMA help in this instance? Thanks in advance!

By Aliaksandr Samuseu staff 15 Feb 2016 at 9:18 a.m. CST

Hi, Daniel. In a nutshell, OAuth is a way to delegate rights to access some personal/restricted data/functionality to some 3rd party (usually known beforehand) service on the Internet. And OpenID is an extension to OAuth that just creates an additional special type of that data, a new scope called "openid" (and possibly a lot of other scopes designed to be associated with different kinds of identity attributes, too) and a new token called "id_token". So both were not quite designed to provide a totally independent authn/authz framework able to serve requests from a wide variety of users. In your case, you could use OpenID for authentication, sending a new user to Gluu and using the wide variety of authentication options it can handle, and then, after they've returned back to your web server hosting these APIs you want to protect with the acquired id_token, process the token (and maybe request more info about the user) and employ some kind of authorization you will implement by yourself. Or you could go for UMA and completely "outsource" both authn and authz functionality to Gluu. Whichever way you choose is up to you.

By Aliaksandr Samuseu staff 15 Feb 2016 at 9:26 a.m. CST

> and employ some kind of authorization you will implement by yourself

Regarding that part - that doesn't mean you will need to code it. There are ready-to-use OpenID Relying Parties for most well-known web servers, and such a bundle can already provide you some basic authorization functions too. Though it's hard to say how well such limited authz options will suit your case.

By Daniel Prince user 15 Feb 2016 at 10:26 a.m. CST

Thank you! This helps to split these two processes out. In the first case, how would a resource server validate that a token was indeed issued by the Auth server? My understanding is an RP is an OAuth2 Client.

How I envision the flow:

    AuthSrv <--- API Servers (Resource Server)
       ^            /\
       |            /
       |           /
    AngularJS App (Client)

1. Register API servers against Auth server using Client Credentials
2. Register Client against Auth server using implicit
3. User attempts to run client application but is redirected to the auth server for Authn
4. User successfully logs in and is redirected to client app with access_token and id_token.

This is where I get confused:

5. The client obtains some user information from the id_token and can obtain all of it through the auth server's /userinfo by sending the access_token
6. The client sends the access_token to the API Servers to obtain application data.
7. API Servers get the access_token and somehow validate it. How should the API servers validate the token and verify the user has the proper permissions to access the data? Coming up with my own way to authz the token seems odd because I can't add new endpoints to the Gluu server. If I was developing my own auth server this would make sense, but I'm not.
8. API Server returns application data requested.
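Added illustration of step 7 above (not code from this thread or from Gluu): a minimal resource-server check that verifies a JWT's signature, issuer, audience and expiry before reading any claim, then applies the A/B/C group rules from the first post. It assumes an HS256 shared secret so it runs offline; a real OpenID Provider signs with RS256 and the API server would fetch the verification key from the provider's JWKS endpoint instead. The issuer URL, audience and the role/group/resources claim names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://idp.example.org"    # assumed: the central Auth server's issuer URL
AUDIENCE = "api-server-1"             # assumed: the client_id this API server registered
SECRET = b"constructed-shared-secret" # constructed; HS256 stands in for RS256 + JWKS

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims):
    """Test fixture standing in for the Auth server: mint a signed JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token, now=None):
    """Resource-server side: signature first, then iss/aud/exp, before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this API")
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def authorize(claims, method, resource):
    """Group/role rules from the thread: A is admin, B reads own group, C writes listed resources."""
    role, same_group = claims.get("role"), resource["group"] == claims.get("group")
    if role == "admin":
        return True
    if role == "reader":
        return same_group and method == "GET"
    if role == "writer":
        return same_group and resource["id"] in claims.get("resources", [])
    return False
```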