Posted to user@oltu.apache.org by "Tiburtius, Ashwanth [IWD]" <As...@iwd.iowa.gov> on 2015/04/21 23:07:16 UTC

Force re-authentication

Hi all,

I'm using Apache Oltu as the OAuth library to authenticate users against Google, Yahoo and Microsoft. It has worked great. Within my application I need to ask the user to re-authenticate themselves before accessing certain pages. This is what I have found so far on this topic.

Google - lets you revoke the access token using "https://accounts.google.com/o/oauth2/revoke?token=". But this doesn't force re-authentication by password entry; it only displays the consent screen again.
Yahoo - has no support for this. We have to log the user out using something like https://login.yahoo.com/config/login?logout=1.
Microsoft - has the URL "https://login.live.com/oauth20_logout.srf?client_id=CLIENT_ID&redirect_url=REDIRECT_URL" to support this behavior. I am in the process of testing it.

Does Oltu have any APIs related to this functionality? Has anyone tried to implement this? Any help is much appreciated. Thank you.

Regards,
Jude.


Re: Force re-authentication

Posted by Jasha Joachimsthal <ja...@apache.org>.
On 22 April 2015 at 18:54, Tiburtius, Ashwanth [IWD] <Ashwanth.Tiburtius@iwd.iowa.gov> wrote:

> Hi Stein,
>
> Really appreciate your response. It was quite precise.
>
> I have a quick question: there are many web applications that let you use
> Gmail or Facebook login to authenticate yourself. If OAuth doesn't support
> re-authentication, how do the applications ensure that it is the same
> user that they are interacting with? Could be an issue with privacy or
> sensitive data. Maybe OAuth is not meant to solve this problem yet. I am
> just trying to see what the solution is. Some of my colleagues have used
> OpenID but Google has deprecated it, so I am not sure if that is the right
> approach either. A little perplexed and frustrated since I have been working
> on this for a while now. ☹
>

What OAuth solves is that the OAuth client can get access to the user's
resources without storing the real credentials. It's up to the OAuth
provider how the user authenticates. This can be done via username and
password, but other methods are also possible like the Windows domain
login.
Social OAuth providers like Google and Facebook have long-lasting sessions
that are also used when the user is going to authenticate from an OAuth
client. As a consumer I wouldn't appreciate it if I'm logged out from Gmail
because some other app that uses Google's OAuth wants to be sure that I am
really me.

If you want to protect sensitive or privacy data in your client and you
want to be more sure that you interact with the person behind the user
identifier, you should introduce a second factor in your authorization flow.

Jasha

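Jasha's point above is that the client cannot make the provider re-prompt for a password, so it should add its own second factor for sensitive pages. The following is an added example, not Apache Oltu code and not from any poster: a minimal step-up gate in Python that records the OAuth login, then requires a fresh second-factor check (RFC 6238 TOTP built from the standard library) before a sensitive page is served. It assumes an in-memory session dict and a five-minute freshness window.

```python
"""Step-up re-authentication gate for an OAuth client's sensitive pages.

Added example: not Apache Oltu code and not any provider's API. Assumes the
client keeps its own session record (a plain dict here) and can run its own
second factor (RFC 6238 TOTP, built from the standard library).
"""
import hashlib
import hmac
import struct

FRESH_SECONDS = 300  # assumed policy: second factor must be at most 5 minutes old


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_from_oauth(session: dict, subject: str, now: int) -> None:
    """Call when the OAuth login (Google, Yahoo, Microsoft, ...) completes.

    The provider's session may be long-lived, so the client records its own
    timestamps and never treats the provider login as a fresh second factor.
    """
    session.clear()
    session["sub"] = subject
    session["login_time"] = now
    session["second_factor_time"] = None


def verify_second_factor(session: dict, secret: bytes, code: str, now: int) -> bool:
    """Check a TOTP code in constant time; on success stamp the session."""
    if "sub" not in session or not hmac.compare_digest(code, totp(secret, now)):
        return False
    session["second_factor_time"] = now
    return True


def sensitive_page_access(session: dict, now: int) -> str:
    """Decide what a sensitive page does: 'ok', 'step_up_required' or 'login_required'."""
    if "sub" not in session:
        return "login_required"
    stamped = session.get("second_factor_time")
    if stamped is None or now - stamped > FRESH_SECONDS:
        return "step_up_required"  # send the user to the second-factor prompt
    return "ok"
```

The TOTP secret and seed used in the check below are the RFC 6238 test vector, not a real credential.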

RE: Force re-authentication

Posted by "Tiburtius, Ashwanth [IWD]" <As...@iwd.iowa.gov>.
Hi Stein,

Really appreciate your response. It was quite precise.

I have a quick question: there are many web applications that let you use Gmail or Facebook login to authenticate yourself. If OAuth doesn't support re-authentication, how do the applications ensure that it is the same user that they are interacting with? Could be an issue with privacy or sensitive data. Maybe OAuth is not meant to solve this problem yet. I am just trying to see what the solution is. Some of my colleagues have used OpenID but Google has deprecated it, so I am not sure if that is the right approach either. A little perplexed and frustrated since I have been working on this for a while now. ☹

Regards,
Jude.
Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA  50319
(515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov


Re: Force re-authentication

Posted by Stein Welberg <st...@onegini.com>.
Hi Jude,

Oltu does not support such a scenario because the scenario you are describing is not part of the OAuth specification, nor does it have anything to do with it :-). There are specifications to revoke an access token [1]; as you already found out, Google allows you to do this. However, it does not enforce the scenario you are looking for. I'm afraid you have to look for something else because this is not standardised and therefore all providers have chosen a different path.

I’m afraid you are on your own on this.

[1] https://tools.ietf.org/html/rfc7009

Met vriendelijke groet / Kind regards,

Stein Welberg | CTO

M: +31639110574 | stein@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden | www.onegini.com