
I'm working on an architecture of a distributed system, basically in ruby (rails, sinatra, etc).

It has several pure API-only components, say API_C1, API_C2, API_C3. It has several web client applications, say Portal1, Portal2, and some native client application, say Native1.

Requirements:

  1. SSO for all web clients (Portal1, Portal2), centralized authentication.
  2. All API components should expose their API with authorization.
  3. Centralized API authorization.

I did several POCs to try some options but still don't have a full picture.

I tried rubycas server for SSO. It works pretty well. I consider using java cas implementation if necessary.

Centralized API authorization is rather tricky for me. I tend to go the OAuth2 way but have some questions:

  1. Is it possible to have a centralized OAuth provider serving all API components? How should it work then, and what libs/gems to use?
  2. How can I make my web apps (Portal1 and Portal2) trusted by default? I don't want a user to authorize access for trusted applications.
  3. For native client apps (non-web environment) I want to support 2-legged OAuth. Is it the correct choice? Is it possible to have both 3-legged and 2-legged working?

  4. How user creds are transformed into oauth token? Suppose the following use case:

    • user logs into Portal1 (via CAS server) and opens some page
    • Portal1 backend server should pull data from API_C1 and API_C2 to show the page. How to authorize API here?

I have some thoughts like having API components under the same SSO CAS session. This kind of resolves my scenario 4), with nothing to code here. But using a session for APIs is a bad practice, and how then do I mix session and OAuth authorization for APIs?

Please point me in the right direction. Maybe there are some other options to do everything, like customized OpenID or OAuth providers to support SSO?

x3mka

1 Answer


Although this is an old question (2 years ago), I'll leave an answer here in case someone is trying to solve a similar problem.

I think you are taking the right direction by thinking of using OAuth; however, I'd like to recommend that you use version 2.0 of the OAuth protocol.

Centralized Authorization

Is it possible to have centralized OAuth provider serving all API components? How it should work then and what libs/gems to use?

  • OAuth 2.0 allows this scenario by having an Authorization Service operate as a stand-alone system/service; other services in your system can just trust that service and know how to validate its issued tokens (by using its x.509 cert public key, for example)

  • There are SaaS-based Authorization servers that you can even use without any setup costs, like Auth0

Web Clients

How can I make my web apps (Portal1 and Portal2) trusted by default? I don't want a user to authorize access for trusted applications.

  • Using a resource owner password grant, a user (resource owner) is authenticated to a client (website/portal/app) using a username & password along with a known client_id (that can also be tied to a known HTTP origin)

  • Alternatively, an authorization code grant, where the portal redirects the user to a known authorization service URL with some URL parameters; the user authenticates there and gets redirected back to the portal

Native Apps

For native client apps (non-web environment) I want to support 2-legged OAuth. Is it the correct choice?

  • In OAuth 2.0, use a client credentials grant in this scenario, where it is possible to store a client_id & client_secret and send them to the authorization server to authenticate as a trusted client (no user credentials required)

Mixing It All Together

Is it possible to have both 3-legged and 2-legged working?

  • All the above grant types for OAuth 2.0 can work together on the same authorization service/server (as far as I know; I've actually got it working with Microsoft OWIN for ASP.NET)

How are user creds transformed into an OAuth token? Suppose the following use case:

  • The authorization service has endpoint(s) (URLs) that clients use to post a form or redirect to in order to obtain an access_token, but the actual method is dependent on which authentication flow you are using (post vs. redirect)

The user logs into Portal1 (via CAS server) and opens some page. The Portal1 backend server should pull data from API_C1 and API_C2 to show the page. How to authorize the API here?

  • Using a resource owner password grant, the user enters username & password into Portal1, then an access_token is obtained; when Portal1 calls API_C1, it can just attach the access_token to the call (HTTP header: Authorization), impersonating the logged-in user

  • Using an authorization code grant, the user is redirected to the Auth Service, enters their credentials there, then is redirected back to Portal1 (the client) with an access_token, which is then attached to the call to API_C1 to impersonate the logged-in user

Similar Topics

Lastly, check out a similar answer that is related to your question.

Bishoy
  • Thanks for detailed answer. I've come up with similar answers myself too. For our project we went with Auth0 and results are pretty good. – x3mka Feb 17 '16 at 12:09
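The answer above describes the pieces in words: one authorization service that holds the secrets and signs tokens, trusted clients identified by a client_id (password grant for the portals, client credentials grant for the native app), and API components that validate tokens using only the authorization server's public key, with the token carried in the Authorization header. The following Ruby program is an added example written for this page, not code from the question, the answer, rubycas, Auth0 or any gem; it implements that wiring end to end with only the standard library (OpenSSL, JSON, Base64). The issuer URL, client ids, secrets, the user "alice" and the `read`/`sync` scopes are constructed values, and the names Portal1, Native1 and API_C1 are taken from the question. Tokens are RS256-signed JWTs built by hand so that the verification steps (signature, issuer, audience, expiry, scope) are visible rather than hidden behind a library:

```ruby
%w[openssl json base64 securerandom].each { |lib| require lib }

# Base64url without padding, as JWTs use it.
module B64
  def self.enc(s); Base64.urlsafe_encode64(s, padding: false); end
  def self.dec(s); Base64.urlsafe_decode64(s); end
end

# Central authorization service: the only place holding client secrets, password digests and the signing key.
class AuthorizationServer
  ISSUER, AUDIENCE, TOKEN_TTL = 'https://auth.example.test', 'api', 300 # constructed values; TTL in seconds
  attr_reader :public_key

  def initialize
    @key, @clients, @users = OpenSSL::PKey::RSA.new(2048), {}, {}
    @public_key = @key.public_key # all that API components need in order to verify tokens
  end
  # grants: grant_types this client may use; scopes: what its tokens may carry.
  def register_client(client_id, secret, grants:, scopes:)
    @clients[client_id] = { secret: secret, grants: grants, scopes: scopes }
  end
  def register_user(username, password)
    salt = SecureRandom.random_bytes(16)
    @users[username] = { salt: salt, digest: digest(password, salt) }
  end
  # The token endpoint (POST /oauth/token); params is the form the client posts.
  def token(params)
    client = @clients[params[:client_id]]
    return { error: 'invalid_client' } unless client && secure_equal(client[:secret], params[:client_secret].to_s)
    grant = params[:grant_type]
    return { error: 'unauthorized_client' } unless client[:grants].include?(grant)
    case grant
    when 'client_credentials' # 2-legged: the application itself is the subject
      issue(sub: params[:client_id], client_id: params[:client_id], scope: client[:scopes])
    when 'password'           # trusted portal forwards the user's own credentials
      user = @users[params[:username]]
      return { error: 'invalid_grant' } unless user && secure_equal(user[:digest], digest(params[:password].to_s, user[:salt]))
      issue(sub: params[:username], client_id: params[:client_id], scope: client[:scopes])
    else
      { error: 'unsupported_grant_type' }
    end
  end

  # RS256-signed JWT; scope is kept as an array for simplicity.
  def issue(claims)
    now     = Time.now.to_i
    payload = claims.merge(iss: ISSUER, aud: AUDIENCE, iat: now, exp: now + TOKEN_TTL, jti: SecureRandom.hex(8))
    header  = B64.enc({ alg: 'RS256', typ: 'JWT' }.to_json)
    body    = B64.enc(payload.to_json)
    sig     = @key.sign(OpenSSL::Digest.new('SHA256'), "#{header}.#{body}")
    { access_token: "#{header}.#{body}.#{B64.enc(sig)}", token_type: 'Bearer', expires_in: TOKEN_TTL }
  end
  def digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 32, OpenSSL::Digest.new('SHA256'))
  end
  # Constant-time comparison so secret checks do not leak through timing.
  def secure_equal(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private :issue, :digest, :secure_equal
end

# One API component (API_C1 in the question): holds no secrets, accepts a request only if the bearer token verifies.
ResourceServer = Struct.new(:public_key) do
  def authorize(authorization_header, required_scope, now: Time.now.to_i)
    scheme, token = authorization_header.to_s.split(' ', 2)
    return deny('missing bearer token') unless scheme == 'Bearer' && token
    header, body, sig = token.split('.')
    return deny('malformed token') unless header && body && sig
    return deny('bad signature') unless public_key.verify(OpenSSL::Digest.new('SHA256'), B64.dec(sig), "#{header}.#{body}")
    claims = JSON.parse(B64.dec(body))
    return deny('wrong issuer')       unless claims['iss'] == AuthorizationServer::ISSUER
    return deny('wrong audience')     unless claims['aud'] == AuthorizationServer::AUDIENCE
    return deny('token expired')      unless claims['exp'].to_i > now
    return deny('insufficient scope') unless Array(claims['scope']).include?(required_scope)
    { ok: true, sub: claims['sub'], scope: claims['scope'] }
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
    deny('malformed token')
  end
  def deny(reason); { ok: false, error: reason }; end
end

# Wiring from the question: Portal1 uses the password grant on the user's behalf, Native1 uses client
# credentials, API_C1 checks both. Client ids, secrets and the user are constructed for this example.
def demo
  auth = AuthorizationServer.new
  auth.register_client('portal1', 'portal1-secret', grants: ['password'], scopes: ['read'])
  auth.register_client('native1', 'native1-secret', grants: ['client_credentials'], scopes: %w[read sync])
  auth.register_user('alice', 'correct horse battery')
  api_c1 = ResourceServer.new(auth.public_key)
  portal = auth.token(grant_type: 'password', client_id: 'portal1', client_secret: 'portal1-secret',
                      username: 'alice', password: 'correct horse battery')
  native = auth.token(grant_type: 'client_credentials', client_id: 'native1', client_secret: 'native1-secret')
  { auth: auth, api_c1: api_c1, portal_token: portal, native_token: native,
    portal_read: api_c1.authorize("Bearer #{portal[:access_token]}", 'read'), # user-impersonating call
    native_sync: api_c1.authorize("Bearer #{native[:access_token]}", 'sync'), # app-to-app call
    portal_sync: api_c1.authorize("Bearer #{portal[:access_token]}", 'sync') } # scope the portal lacks
end

puts JSON.pretty_generate(demo.slice(:portal_read, :native_sync, :portal_sync)) if $PROGRAM_NAME == __FILE__
```

The API component never sees a client secret or a user password, which is what makes the authorization service "centralized": adding API_C2 is a matter of giving it the same public key. Scope is kept per client, so the portal's token cannot be replayed against an endpoint it was never meant to reach, and the `exp` check bounds how long a stolen token stays useful. In a real deployment the password grant should be limited to first-party clients exactly as the answer suggests, and a production system would use a maintained JWT library and publish the public key (or a JWKS document) rather than passing the key object around in process.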