I want to build a PHP web app where users can log in with Facebook, Google, twitter or any other possible server and engage in some activities like voting and commenting. I won't be using any of the user's data from the service provider. So which one is better option OpenId or OAuth? or should I try implementing with the API of each provider?
I would recommend OpenID Connect.
Too many websites have an OAuth2 authentication API. For a list of the more major sites, see:
http://www.gluu.co/oauth-pocket-reference
This is simply un-tenable for web developers. OpenID Connect went final in Feb 2014. Google support it. Any other domain on the Internet that supports it could be supported automatically (i.e. as long as their domain supports OpenID Connect Discovery... publication of their endpoints at /.well-known/openid-configuration
NRI has an open source PHP OpenID Connect library: http://www.gluu.co/oidc-php-rp
If you support these legacy, proprietary consumer IDPs, it will be a pain in the neck as they slowly fall out of favor.
You may also look at a higher level interface like everyauth.com
Related
Im trying to use ADFS for SSO on a project. The project is on PHP and Im trying to use OAuth for this.
So what are the steps for setting up ADFS to work with OAuth2? I have no idea about ADFS and cant get any direct guide on OAuth2 settings there.
Thanks a lot.
I see that the question is quite old. But in case if other people will
get here, I have some answer which should be good for March 2019.
Let me start with a general overview.
SSO
SSO could be done with personal Google, Facebook, GitHub, Twitter, Microsoft accounts. After logging in to your account, you can log in to other systems (e.g. WordPress or any other) without password (if other systems integrated with that Identity Provider) and you give the consent (see picture below).
There are services whose main focus is to provide Identity Provider / SSO capabilities (e.g. Okta, Auth0, Google Cloud Identity, Azure Active Directory, AWS IAM).
In the corporate network, the user could be silently signed in based on the AD account without entering credentials via ADFS.
Actually, ADFS supports different authentication protocols like SAML, WS-Fed, and OAuth. But nowadays usually services implement OpenID Connect which works on top of the OAuth 2.0 protocol.
OpenID Connect flows
There is a number of authentication flows that OpenID Connect defines.
Most preferable ones are:
Authorization Code Flow with PKCE (single-page applications, native applications)
If you are using oidc-client-js, you should use response_type=code to use PKCE.
Public native app clients MUST implement the Proof Key for Code Exchange (PKCE RFC7636])
https://www.rfc-editor.org/rfc/rfc8252#section-6
Note: although PKCE so far was recommended as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-12#section-3.1.1
Implicit flow considered as Not recommended:
Clients SHOULD NOT use the implicit grant and any other response type causing the authorization server to issue an access token in the authorization response
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-09
Client credentials flow. For service-to-service communication.
How to configure ADFS?
You can find quite detailed documentation with illustrations for "Native app scenario" at Microsoft Docs: Native client with ADFS.
If you are not using ADFS, you can play with the PKCE flow setup in the playground.
JavaScript frontend
Never store client secrets in public applications like JS frontend or mobile apps. It's not applicable to PKCE flow but just in case.
If you have a modern SPA application (e.g. Angular or React), it means that frontend should have only client_id to enable end-user to obtain the JWT access_token in a browser via ADFS. You don't need any client_secret.
oidc-client-js could help you with that. Make sure that code_verifier is being sent along with a token request (it means that you are using more secured PKCE flow).
PHP backend
And on PHP side you'll need to validate the access token. You can implement the workflow on your own according to that article. But it's better to use OpenID certified library which you can find on this page (not only for PHP):
https://openid.net/developers/certified/
So, for PHP there is only one: phpOIDC.
Authentication
OAuth 2.0 can help you only with authentication (to identify the user's identity).
Most probably you would like to have different permissions for different users. And OpenID Connect implementation in ADFS provides you the ability to map AD groups to token claims. Therefore, you can decode JWT access token on the backend and implement claims-based authorization.
To use JWT claims be sure to properly validate the authenticity of the token and issuer:
Validate JWT signature using public key
Check issuer for the proper issuer (Identity Provider)
Check aud (audience) for the proper client ID
Check exp (expiration timestamp)
Check claims
At my company we use Google Apps.
I've written a dashboard application (PHP/Laravel) which is used throughout the organization. It has a custom authentication system, but I'd like to integrate it with other services we use.
The basic use case that I'm interested in is something like this: you come in to the office in the morning, sign in to your email, and you're automatically signed in to the dashboard.
I've been looking at OAuth & reading about how to implement it, but it's not clear to me that it will do what I want.
So the basic question is this: what can Google OAuth do for me?
You can use Google+ Signin which is an OpenID Connect compliant SSO mechanism built on top of OAuth. By extending your applications with OpenID Connect Resouce Provider (RP) functionality and pointing them to Google as the Provider (OP) you would achieve SSO across your applications.
For a list of OpenID Connect RP libraries/implementations that you may leverage for your applications, see: http://openid.net/developers/libraries/
I'm writing an Android app that will require folks to identify themselves. We figured that the best course of action is to NOT have folks register with our server since practically everybody has an account somewhere else with a major service (Google, Twitter, Facebook, Yahoo! for example).
The REST API is being built around CakePHP. This in itself isn't a sticking point for what I need, but the issue is more on the Android app along with its communication to our API. Essentially what I'd like to see is a user with X number of devices having the ability to login to a service they already have access to.
This identity would then be known by our server as an identity for that user. My app would then need a way to tell our API that "I am John Doe from service example.com, and here's proof". The servers would also accept a new device for the same identity and tie it in to that user.
I am stuck on some issues here:
OpenID seems to be the way to go (though I'm not sure if Twitter supports OpenID). But how can I do OpenID from my device? I don't need somebody to point me to OpenID for Java. This is NOT 100% of the answer I am looking for. Where is the website going to redirect to?
What will the authentication piece be like between my webserver and Android app? I'm not logging in. I'm using an OpenID. Should I just take some/all of the OpenID information and pass it to the webserver for storage, and then pass it again to check against for every API call?
Twitter not only does OpenID, but they also have a dedicated page talking about what the flow is and what you need to store. Google has a similar page for their login. The OpenID login flows are (for the most part) OAuth2.
Is it possible to use Google Apps as the identity provider in a SAML SSO set up? I was planning on using simpleSAML.php and I know you can build in authentication modules but I wondered if it was possible to build an authentication module using Google as the identity provider via the provisioning API?
We are going to be deploying Chromebooks - and they don't yet integrate with SSO, only with the main Google Apps user list. So rather than work of something like Ping Identity, it would be better just to use Google Apps as our identity provider to authenticate our other web apps.
Hope that makes sense.
YES, since a few months ago. It is actually pretty simple. You can follow this two links for current info:
https://support.google.com/a/answer/6087519?hl=en
https://robinpowered.com/blog/how-to-set-up-saml-with-google-apps/
Google (Apps) accounts can be used as an OpenID identity provider. By implementing your app as as a relying party, you could authenticate your users based on their Google accounts. Much like stackoverlow Google login:
http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
With SAML SSO, Google acts as a relying party. While its possible to use provisioning API and clientLogin, this is not supported and is possibly against Google Apps ToS,
No, you cannot use Google as a SAML Identity Provider, only as the Service Provider.
(as per response from #jukka-dahlbom)
I have a PHP application that will be accessed by users who are already
signed into Google ( the app runs in an iFrame on a Google Site that
requires Google login)
What is the best SSO approach that uses Google login, so users have
the same identity in both places?
Best to use a some OpenID opensource? .. zend/cake/symf plugin?
GoogleApps infrastructure? .. or a identity service like Janrain?
Is it too early to go with OpenID Connect? etc.
Thanks much.
OpenID works well - and indeed, is good enough for StackOverflow - you probably used it to register your account here.
There's an article called Getting Started with OpenID. Although it's on Zend's website, it doesn't seem to be tied to the Zend framework, so is a good starting point. It covers all the modules you need to download, and includes an example to help get you started.
Also take a look on simplesamlphp and its integration with Google:
Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps
Is an open source project based on php. Nice comunity and complete documentation.
Hi again I recently discovered this interesting project HybridAuth, an SSO PHP Library for authentication through identity providers like Facebook, Twitter, Google, Yahoo, LinkedIn, MySpace, Windows Live, Tumblr, Identica, LastFM, OpenID, PayPal, Vimeo, Foursquare, AOL, Viadeo, and others.
I didnt test it but seems also a good solution.