Saturday, February 20, 2016

A Stateless OAuth 2.0 Proxy for Single Page Applications (SPAs)

1. Build the sample SPA from https://github.com/facilelogin/aratuwa/tree/master/oauth2.0-apps/org.wso2.carbon.identity.oauth.spa

2. Copy the artifact (amazon.war) created in the step above to [CATALINA_HOME]\webapps.

3. This sample assumes Apache Tomcat is running on localhost:8080 and WSO2 Identity Server 5.0.0 or 5.1.0 is running on localhost:9443

4. If you use different hostnames or ports, change the hostname and the port inside [CATALINA_HOME]\webapps\amazon\index.html and in.html

5. Also note that the value of the spaName query parameter in [CATALINA_HOME]\webapps\amazon\index.html must match the value sample1, which we define later in oauth_proxy.properties (as the suffix of the sp_callback_url_mapping and sp_logout_url_mapping keys). If you change this value, make sure you change it in both places.

6. Create a service provider in WSO2 Identity Server for the proxy app. Note that this is not for the SPA.

7. Configure OAuth 2.0 as the Inbound Authenticator, with https://localhost:9443/oauth2-proxy/callback as the callback URL. This points to the oauth2-proxy app we will deploy in Identity Server later.

8. Create a file named oauth_proxy.properties under IS_HOME\repository\conf and add the following properties to it:

    is_server_ep=https://localhost:9443
    client_id=6ktdbCJgmQIqlO1tNiHBQoVelkUa
    client_secret=cg5Gg8PfwI28NjLRy64pyffcK4Ia
    proxy_callback_url=https://localhost:9443/oauth2-proxy/callback
    sp_callback_url_mapping.sample1=http://localhost:8080/amazon/in.html
    sp_logout_url_mapping.sample1=http://localhost:8080/amazon/index.html
    iv=RandomInitVector
    secret_key=Bar12345Bar12345
9. The values of client_id and client_secret should be copied from the service provider you created in Identity Server.

10. The value of proxy_callback_url should match the callback URL you configured when creating the service provider in Identity Server.

11. The values of sp_callback_url_mapping.sample1 and sp_logout_url_mapping.sample1 should point to the amazon web app running in Apache Tomcat; the suffix after the last dot (sample1) is the spaName value the SPA sends.

12. The properties iv and secret_key are used to encrypt the tokens that the proxy sets as cookies. The value of iv must be 16 characters long. The value of the is_server_ep property must point to the Identity Server.

13. Build the OAuth 2.0 proxy app from https://github.com/facilelogin/aratuwa/tree/master/oauth2.0-apps/org.wso2.carbon.identity.oauth.proxy and copy target/oauth2-proxy.war to IS_HOME/repository/deployment/server/webapps.

14. Restart the Identity Server. Once everything is done and both Identity Server and Apache Tomcat are up and running, you can test the setup by visiting http://localhost:8080/amazon and clicking the Login link.
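The two things most likely to go wrong in step 8 are a malformed properties file and a spaName that has no matching sp_callback_url_mapping / sp_logout_url_mapping entry, which is also the check that keeps the proxy from redirecting a browser to a URL that was never registered. The following is an added example, not code from the aratuwa oauth2-proxy project: it loads a properties file with the key names used above, reports configuration problems, and resolves a spaName to its registered URLs, rejecting unknown names. The function names are ours, and the sample file uses placeholder credentials instead of a real client secret.

```python
"""Load and sanity-check an oauth_proxy.properties file and resolve the
per-SPA redirect targets the proxy is allowed to use.

Added example, not code from the aratuwa oauth2-proxy project. It assumes the
key names shown in the post (is_server_ep, client_id, client_secret,
proxy_callback_url, sp_callback_url_mapping.<spaName>,
sp_logout_url_mapping.<spaName>, iv, secret_key); the function names are ours.
"""
from urllib.parse import urlsplit

# Constructed sample: the same keys as the post, with placeholder credentials.
SAMPLE_PROPERTIES = """\
is_server_ep=https://localhost:9443
client_id=PLACEHOLDER_CLIENT_ID
client_secret=PLACEHOLDER_CLIENT_SECRET
proxy_callback_url=https://localhost:9443/oauth2-proxy/callback
sp_callback_url_mapping.sample1=http://localhost:8080/amazon/in.html
sp_logout_url_mapping.sample1=http://localhost:8080/amazon/index.html
iv=RandomInitVector
secret_key=Bar12345Bar12345
"""

REQUIRED_KEYS = ("is_server_ep", "client_id", "client_secret",
                 "proxy_callback_url", "iv", "secret_key")


def load_properties(text):
    """Parse Java-style key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed property line: %r" % raw)
        props[key.strip()] = value.strip()
    return props


def validate_proxy_config(props):
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append("missing property: " + key)
    # The post states that iv must be 16 characters. The key-length check is
    # our assumption that the proxy uses AES (16, 24 or 32-byte keys).
    if len(props.get("iv", "").encode("utf-8")) != 16:
        problems.append("iv must be exactly 16 bytes")
    if len(props.get("secret_key", "").encode("utf-8")) not in (16, 24, 32):
        problems.append("secret_key must be 16, 24 or 32 bytes")
    # Tokens travel over these two URLs, so insist on TLS for them.
    for key in ("is_server_ep", "proxy_callback_url"):
        if props.get(key) and urlsplit(props[key]).scheme != "https":
            problems.append(key + " should use https")
    return problems


def resolve_sp_urls(props, spa_name):
    """Map the spaName query parameter to its registered callback and logout
    URLs. Unknown names are rejected so the proxy never redirects to a URL
    that is not listed in the properties file."""
    callback = props.get("sp_callback_url_mapping." + spa_name)
    logout = props.get("sp_logout_url_mapping." + spa_name)
    if not callback or not logout:
        raise KeyError("no callback/logout mapping for spaName %r" % spa_name)
    return callback, logout


if __name__ == "__main__":
    cfg = load_properties(SAMPLE_PROPERTIES)
    print(validate_proxy_config(cfg) or "config OK")
    print(resolve_sp_urls(cfg, "sample1"))
```

Run it against your real IS_HOME\repository\conf\oauth_proxy.properties before restarting Identity Server in step 14; a non-empty problem list tells you which line to fix.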

A Lightweight Login API for WSO2 Carbon

1. Build the API from https://github.com/facilelogin/aratuwa/tree/master/carbon-security/org.wso2.carbon.security.login

2. Copy the artifact (login.war) created in the step above to IS_HOME/repository/deployment/server/webapps

3. Restart the WSO2 Identity Server and make sure login.war is deployed properly.

4. Following is an example cURL request that only authenticates a user.

    curl -k -v -H "Content-Type: application/json" -X POST -d @auth_req.json https://localhost:9443/login

auth_req.json:

    {
       "username": "admin",
       "password": "admin"
    }

Response:

    HTTP/1.1 200 OK
    {
       "username":"admin",
       "user_claims":[],
       "roles":[]
    }

5. Following is an example cURL request that authenticates a user and returns all of the user's roles.

    curl -k -v -H "Content-Type: application/json" -X POST -d @auth_req.json https://localhost:9443/login

auth_req.json:

    {
       "username": "admin",
       "password": "admin",
       "with_roles": true
    }

Response:

    HTTP/1.1 200 OK
    {
       "username":"admin",
       "user_claims":[],
       "roles":[
          "admin",
          "Application/oauth2-proxy",
          "Internal/everyone"
       ]
    }

6. Following is an example cURL request that authenticates a user and returns all of the user's roles together with a selected set of claims.

    curl -k -v -H "Content-Type: application/json" -X POST -d @auth_req.json https://localhost:9443/login

auth_req.json:

    {
       "username": "admin",
       "password": "admin",
       "with_roles": true,
       "claims": ["http://wso2.org/claims/emailaddress"]
    }

Response:

    HTTP/1.1 200 OK
    {
       "username":"admin",
       "user_claims":[
          {
             "claim_uri":"http://wso2.org/claims/emailaddress",
             "value":[
                "admin@wso2.com"
             ]
          }
       ],
       "roles":[
          "admin",
          "Application/oauth2-proxy",
          "Internal/everyone"
       ]
    }
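The three cURL calls above differ only in the request body, and the response always has the same three fields. The following is an added example, not part of the login.war project: a small Python client that builds the request body for each variant, posts it, and turns the response into the username, the role list and a claim_uri-to-values map. Unlike curl -k, it verifies the server certificate; the optional cafile parameter (our addition) points at the CA bundle that issued the Identity Server certificate. The function names are ours, and the embedded sample response is a constructed copy of the third response shown above.

```python
"""Client for the lightweight /login API described in the post.

Added example; not code from the login.war project. Assumed: the request and
response shapes shown in the post. The function names and the optional
cafile parameter are ours.
"""
import json
import ssl
import urllib.request

LOGIN_URL = "https://localhost:9443/login"


def build_auth_request(username, password, with_roles=False, claims=None):
    """Body for POST /login, matching the post's auth_req.json examples."""
    body = {"username": username, "password": password}
    if with_roles:
        body["with_roles"] = True
    if claims:
        body["claims"] = list(claims)
    return body


def parse_login_response(text):
    """Return (username, roles, {claim_uri: [values]}) from the response JSON.
    Empty user_claims/roles arrays (examples 4 and 5) give [] and {}."""
    data = json.loads(text)
    claims = {c["claim_uri"]: list(c.get("value", []))
              for c in data.get("user_claims", [])}
    return data["username"], list(data.get("roles", [])), claims


def login(body, url=LOGIN_URL, cafile=None, timeout=10):
    """POST the body and return the parsed response.

    cafile: CA bundle used to verify the Identity Server certificate; None
    keeps the default trust store. The post's curl -k disables verification,
    which this client deliberately does not do."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    # urlopen raises urllib.error.HTTPError for non-2xx answers (e.g. a
    # wrong password), so reaching the read() below means the login succeeded.
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_login_response(resp.read().decode("utf-8"))


# Constructed sample response, copied from the third example in the post.
SAMPLE_RESPONSE = """{"username":"admin",
 "user_claims":[{"claim_uri":"http://wso2.org/claims/emailaddress",
                 "value":["admin@wso2.com"]}],
 "roles":["admin","Application/oauth2-proxy","Internal/everyone"]}"""

if __name__ == "__main__":
    user, roles, claims = parse_login_response(SAMPLE_RESPONSE)
    print(user, roles, claims)
    # Live call against a running Identity Server (commented out):
    # print(login(build_auth_request("admin", "admin", with_roles=True,
    #             claims=["http://wso2.org/claims/emailaddress"]),
    #             cafile="/path/to/is-ca.pem"))
```

Because login() returns plain Python values, a caller can gate access on roles (for example "Application/oauth2-proxy" in roles) or on a claim value without re-parsing the JSON.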

Enforce Password Reset for Expired Passwords During the Authentication Flow

In this blog post we will look into how to enforce a password reset for expired passwords during the authentication flow. This is done by writing a custom connector and engaging it in the authentication flow.

1. Download the connector code from https://github.com/facilelogin/aratuwa/tree/master/carbon-security/org.wso2.carbon.identity.policy.password and build the project with Maven, which will produce an org.wso2.carbon.identity.policy.password-1.0.0.jar file inside the target directory.

2. Copy the file org.wso2.carbon.identity.policy.password-1.0.0.jar to [IS_5.1.0]/repository/components/dropins/.

3. Copy https://github.com/facilelogin/aratuwa/blob/master/carbon-security/org.wso2.carbon.identity.policy.password/src/main/resources/pwd-reset.jsp to [IS_5.1.0]/repository/deployment/server/webapps/authenticationendpoint.

4. Edit the file [IS_5.1.0]/repository/conf/identity/identity-mgt.properties and add the following property.

    Authentication.Policy.Password.Reset.Time.In.Days=20

5. Start WSO2 Identity Server.

6. Create a service provider and, under 'Local & Outbound Authentication Configuration' --> 'Advanced Configuration', define two steps: the first step with the 'basic' local authenticator and the second step with the 'password-reset-enforcer' local authenticator.

7. Once the service provider is created, we also need to create a claim and map that claim to a user store attribute to hold the timestamp of the password reset event.

8. Claims --> Add --> Add New Claim --> select http://wso2.org/claims and create a claim with the claim URI http://wso2.org/claims/lastPasswordChangedTimestamp and make it ReadOnly. Also uncheck 'Supported By Default'.

9. That's it. During the authentication flow, if the password has expired, you will be prompted to reset it.
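The decision the second authentication step makes is: read Authentication.Policy.Password.Reset.Time.In.Days, read the user's lastPasswordChangedTimestamp claim, and prompt for a reset when the password is older than the configured number of days. The following is an added example, not the connector's own code, that carries that decision through including the two edge cases a deployment runs into: the property is absent, and the claim has no value yet (a user created before step 8). Assumed, because the post does not say: the claim stores epoch milliseconds, a missing claim value counts as expired (fail closed), and an absent property disables the check. Function names are ours.

```python
"""Password-expiry decision for the password-reset-enforcer step.

Added example, not the connector's own code. Assumptions (not stated in the
post): the lastPasswordChangedTimestamp claim holds epoch milliseconds; a
missing or unparsable claim value is treated as expired; an absent or
non-positive property disables the check. Function names are ours.
"""
import time

PROPERTY = "Authentication.Policy.Password.Reset.Time.In.Days"
CLAIM_URI = "http://wso2.org/claims/lastPasswordChangedTimestamp"
DAY_MS = 24 * 60 * 60 * 1000

# Constructed identity-mgt.properties fragment with the post's setting.
SAMPLE_IDENTITY_MGT = """\
# other settings omitted
Authentication.Policy.Password.Reset.Time.In.Days=20
"""


def read_reset_days(properties_text):
    """Return the configured number of days, or None if the property is absent."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line.startswith(PROPERTY + "="):
            return int(line.split("=", 1)[1].strip())
    return None


def password_expired(last_changed_ms, reset_days, now_ms=None):
    """True when more than reset_days have passed since the password was set.

    A missing or unparsable claim value counts as expired, so a user whose
    timestamp was never recorded is sent through the reset step instead of
    being allowed in indefinitely (our assumption, see module docstring)."""
    if reset_days is None or reset_days <= 0:
        return False  # policy not configured: the step lets the user through
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        changed = int(last_changed_ms)
    except (TypeError, ValueError):
        return True
    return now_ms - changed > reset_days * DAY_MS


def needs_reset(user_claims, properties_text, now_ms=None):
    """user_claims: {claim_uri: value} as read from the user store.
    Returns True when the user must be redirected to pwd-reset.jsp."""
    days = read_reset_days(properties_text)
    return password_expired(user_claims.get(CLAIM_URI), days, now_ms)


if __name__ == "__main__":
    now = int(time.time() * 1000)
    fresh = {CLAIM_URI: str(now - 5 * DAY_MS)}
    stale = {CLAIM_URI: str(now - 25 * DAY_MS)}
    print("fresh:", needs_reset(fresh, SAMPLE_IDENTITY_MGT, now))
    print("stale:", needs_reset(stale, SAMPLE_IDENTITY_MGT, now))
    print("no claim:", needs_reset({}, SAMPLE_IDENTITY_MGT, now))
```

The fail-closed choice for a missing claim matters in practice: every account that existed before the claim was added in step 8 has no timestamp, and treating that as "never expires" would exempt exactly the oldest passwords from the policy.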