
At work we have a system set up running a ThinkTecture IdentityServer SSO provider which currently provides authentication for several .NET and ColdFusion sites. I am currently working on a new site we are supporting in Ruby on Rails and am having difficulty figuring out how to connect it to the SSO. (I'm pretty new to Rails, but a long-time developer in CF and .NET.)

I've looked at the omniauth-oauth2 and oauth2 gems but it seems there are important parts missing from the documentation and explanations I can find. There is a ton of info if I wanted to authenticate using Twitter, Facebook or something similar, but I can't find anything that just addresses the client side for any generic OAuth2 provider.

I'm just looking for someone to point me in the right direction to find information on how I can do this. I don't care if it's specific to IdentityServer or just generic regardless of the provider. Thanks for the help.

Update: Just so you know, I would prefer to use OAuth2 for this connection, but I am not opposed to using any of the other ways that IdentityServer provides, including ADFS, WSFed or Simple HTTP. I can't use OpenID, though, because these accounts are specific to our system and can't be used for other systems.

Carl
  • I am making progress on this using the oauth2 gem, and I will post a solution once I can confirm it. – Carl Oct 21 '15 at 17:28
  • Hi! I'm interested, I have the same problem. Did you succeed in implementing omniauth? Can you share how you did it? – Renaud Jun 29 '21 at 15:15

2 Answers


You really need an OpenID Connect library.

http://openid.net/developers/libraries/

leastprivilege
  • This looks like a possibility. Now looking for how to implement the gem in Rails. If I can find that it will probably work. – Carl Oct 15 '15 at 18:35
  • Actually, it looks like OpenID is its own authentication system. These users have accounts on our system which aren't connected to OpenID. We need them to authenticate to our server to accounts that exist on that server. – Carl Oct 15 '15 at 18:56

It turns out this is pretty easy, overall. The difficulty is that there is no straight answer to the question. How you connect to IdentityServer entirely depends upon how IdentityServer is set up.

I'm not going to post my exact code, as this will not help anyone who doesn't have IdentityServer set up exactly the same way we do, and as I don't have access to the IdentityServer, I can't say exactly how that is. I will explain the overall solution, though.

  1. The only gem needed for this is JWT
  2. Get key codes from IdentityServer admin (client id, secret key, sign key)
  3. Build login URL according to configuration of IdentityServer
  4. Redirect user to login path generated in the last step
  5. Receive token back from IdentityServer
  6. Decode and verify using the JWT.decode function

From there you just have a JSON string with your data.

Carl
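Added example (not Carl's code, which he did not post): the "decode and verify" step from the answer above, written against the Ruby standard library only so the checks that `JWT.decode` performs with verification enabled are visible rather than hidden in the gem. It assumes IdentityServer signs tokens with a shared HS256 key; the signing key, client id and issuer URL are constructed placeholders standing in for the values the admin hands out in step 2.

```ruby
require 'openssl'
require 'json'

# Constructed example values, not from the original post: the HMAC signing key
# and client id the IdentityServer admin hands out, and the SSO issuer URL.
SIGN_KEY  = 'constructed-example-signing-key'
CLIENT_ID = 'rails-app'
ISSUER    = 'https://sso.example.invalid'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds an HS256 token the way the SSO would; used here only to construct sample input.
def issue_token(claims, key = SIGN_KEY, alg: 'HS256')
  input = "#{b64url_encode(JSON.generate({ alg: alg, typ: 'JWT' }))}.#{b64url_encode(JSON.generate(claims))}"
  sig = alg == 'none' ? '' : OpenSSL::HMAC.digest('SHA256', key, input)
  "#{input}.#{b64url_encode(sig)}"
end

# The checks JWT.decode performs when verification is on: pinned algorithm,
# signature, expiry, issuer and audience. Returns the claims hash or raises.
def verify_token(token, key = SIGN_KEY, now: Time.now.to_i)
  h, p, s = token.split('.', 3)
  raise 'malformed token' if h.nil? || p.nil? || s.nil?
  header = JSON.parse(b64url_decode(h))
  # Never take the algorithm from the token itself; pin what the SSO is configured to use.
  raise 'unexpected alg' unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', key, "#{h}.#{p}")
  raise 'bad signature' unless secure_equal?(expected, b64url_decode(s))
  claims = JSON.parse(b64url_decode(p))
  raise 'token expired'  unless claims['exp'].is_a?(Integer) && now < claims['exp']
  raise 'wrong issuer'   unless claims['iss'] == ISSUER
  raise 'wrong audience' unless claims['aud'] == CLIENT_ID
  claims
end
```

In a real Rails controller the same checks are one `JWT.decode` call with `algorithm: 'HS256'`, `iss`/`aud` options and `verify_iss`/`verify_aud` set; the point of spelling them out is that skipping any one of them (notably the algorithm pin or the audience check) accepts tokens the SSO never meant for this site.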