6

We have multiple web projects(sites), each has its own Authorization logic. Today I have been asked by my CIO to implement oAuth and use that for validating user across all sites.

Earlier I have used oAuth for Google, Facebook, Twitter and Microsoft. I have multiple questions here

  1. What are the advantages of implementing oAuth provider
  2. What is the best approach in a generic oAuth principles
  3. Can I use this oAuth server for Single Sign On

When I have user oAuth from Google or other, the idea was to eliminate user effort to register on my site rather use the same credentials that he/she hae for Google. Is that the only advantage I would get if I create my custom oAuth?

Implementing oAuth:

  • Create a Application Entity with ApplicationName, ClientID, ClientSecrete
  • Create User Entity with UserId, UserName, Password, ApplicationID
  • Share the unique ClientID and Secrete with each site and when the user tries to log in from that site, pass the clientID, clientSecrete, UserName, Password and validate and return true or false
  • Follow the similar flow for user to register to the system.

On a high level will my above flow satisfies oAuth concept? is there a in-depth implementation details of oAuth that I can refer to get better understanding?

HaBo
  • 13,999
  • 36
  • 114
  • 206
  • https://github.com/DotNetOpenAuth/DotNetOpenAuth , C# implementation of the OpenID, OAuth protocols – Smartkid Jul 20 '15 at 02:45

1 Answers1

1

http://oauth.net/articles/authentication/

That's a good read, to tell you what should you use for OAuth and not :=)

https://msdn.microsoft.com/en-us/library/hh291066(v=vs.110).aspx Windows Identity Fundation ... Can help you with a unique authorization, across different applications, and layers..

And here finally some how to do guidelines :

http://www.c-sharpcorner.com/UploadFile/scottlysle/windows-identity-foundation-and-single-sign-on-sso/

Laurent Lequenne
  • 902
  • 5
  • 13
  • How is this handled in multiple client sites case. Like my user is on D1.com when he attempts to log in i sent his username, password,client id to OAuth server that grant the access to my user on D1.com, but later when user is gone to D2.com can I avoid user to enter username and password? if Yes how? – HaBo Apr 15 '15 at 21:52
  • You still need to login somehow ! Using google/Fb is not recommended for high secured access, as those are too vulnerable. If it's just too know who you are, it doesn't matter.. Anyway you can still use a membership provider, or in mvc the new asp.net.blabla owin, that has built-in support for Oauth(orization :=)) As long the providers use the same storage, you can reuse it on every site :=) – Laurent Lequenne Apr 15 '15 at 21:57
  • with an STS (depending on the implementation), if you are switching from site... the authentication is always done on the STS, it returns a claim that you can reuse, if the STS feels like you are authorized then you don't need to login again. – Laurent Lequenne Apr 15 '15 at 22:02