Use both jwt and saml for authentication


Ruochao Zheng

Aug 29, 2016, 2:10:52 AM
to pac4j-users
We have a web app which is a single page app using JavaScript to handle all client logic. So in the backend we only have web services.

For authentication, we decided to choose JWT as our key. But actually we need to SSO with another app, for which we need to use SAML.

The basic idea is that we protect the web services by checking the JWT token, and for SAML, we can generate the JWT and "push" it to the client after SAML authentication is successful.

Do you think it's a correct way, or is there any issue with current library support?

And how to handle that after SAML succeeds? I remember in the previous version we had ClientAuthenticationFilter, which was able to define an "authenticationSuccessHandler", but I'm not sure how to do that in the new version.

Thanks,
Ruochao

Jérôme LELEU

Aug 29, 2016, 8:27:30 AM
to Ruochao Zheng, pac4j-users
Hi,

It's a correct approach, especially with pac4j, as the JWT support will restore pac4j profiles from the JWT in a transparent manner.

Protect UI URLs with a SAML2Client to trigger a SAML login process.

Provide a URL which returns a JWT if the user is authenticated. Use the JwtGenerator to generate a JWT from the current SAML2Profile.

Protect web service URLs with a ParameterClient("token") with a JwtAuthenticator: when calling this URL with token=TheJWT, the SAML2Profile will be restored.

Thanks.
Best regards,
Jérôme



--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ruochao Zheng

Aug 29, 2016, 8:49:42 PM
to pac4j-users, ruo...@gmail.com
So we can handle SAML to JWT on the callback URL, right? And the "transparent manner" means we can get the SAML profile on the URL protected with the SAML client, and get the JWT profile on the URL protected with the JWT client, right?

The previous "authenticationSuccessHandler" for "ClientAuthenticationFilter" is not needed any more?

Thanks,
Ruochao

Jérôme LELEU

Aug 30, 2016, 12:42:23 AM
to Ruochao Zheng, pac4j-users
Hi,

No, SAML uses the callback URL as it's an external login process (indirect client), while JWT tokens will be validated directly when they are provided (by request or header parameter).

Examples of flow / HTTP calls:

No, the transparent manner means that the JwtAuthenticator will return a SAML2Profile given a JWT token, if this JWT token was created from a SAML2Profile (JwtGenerator).

Yes, you don't need the "authenticationSuccessHandler". Notice that the latest version (spring-security-pac4j v2.0.0) no longer has the "ClientAuthenticationFilter".

Thanks.
Best regards,
Jérôme






antonio cafasso

Aug 31, 2016, 4:29:02 AM
to pac4j-users, ruo...@gmail.com
Hi All,

Can this approach also be applied to a CAS server (or any other indirect client) instead of a SAML server?

Thanks,
Antonio

Ruochao Zheng

Aug 31, 2016, 4:45:19 AM
to pac4j-users, ruo...@gmail.com
Thanks, but I don't quite get this.

This is my solution for that.

http://localhost:8080/                UI entry point
http://localhost:8080/service/**      protected with JWT (HeaderClient or ParameterClient)
http://localhost:8080/saml            protected with SAML client

My client side is a single page web app using AngularJS or ReactJS. And in the login UI, we click "http://localhost:8080/saml" to trigger the SAML authentication process.

After that, it will redirect to "http://localhost:8080/saml", and in this URL, I get the SAML2Profile and get the user name, etc. from the profile. Then I generate a JWT token and redirect to the UI with a parameter: "http://localhost:8080/?token=xxxxx"

So after the UI has loaded, it will check the parameter; if it has a token, it will save it and attach it to the header or parameter on every REST request, e.g. http://localhost:8080/service/users?token=xxxxxxxxx

Thanks,
Ruochao

Jérôme LELEU

Aug 31, 2016, 5:54:02 AM
to antonio cafasso, pac4j-users, Ruochao Zheng
Hi,

Yes, it's a general solution where you first have a UI authentication (CAS, SAML, OpenID, OpenID Connect, Facebook, Twitter...) which you want to turn into an identity to call web services.

Thanks.
Best regards,
Jérôme



Mukul Chakane

Jan 8, 2020, 1:03:32 PM
to Pac4j users mailing list
Hi, how do I generate the JWT when we get to the callback endpoint? Due to the CallbackFilter, I'm getting redirected to the defaultUrl given to the CallbackFilter.

Jérôme LELEU

Jan 9, 2020, 12:10:23 PM
to Mukul Chakane, Pac4j users mailing list
Hi,

You should not generate the JWT on the callback endpoint. You should protect the URL which generates the JWT and call it first: you will be redirected to the SAML IdP for login, then back to the callback, and finally to the URL which generates the JWT.
Thanks.
Best regards,
Jérôme


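The setup Jérôme describes in his first reply (SAML2Client on the UI URL, a JWT-issuing URL using JwtGenerator, ParameterClient plus JwtAuthenticator on the web-service URLs) combined with the ordering he gives above (protect the JWT-generating URL itself, not the callback), as an added example written against the pac4j 3.x API; it is not code from the thread or from the pac4j project. The secrets, keystore and metadata paths, the callback URL and the filter mapping named in the comments are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.http.client.direct.ParameterClient;
import org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.pac4j.jwt.profile.JwtGenerator;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;

public final class SamlToJwtConfig {
    // Placeholder secrets (assumed): use 32+ random bytes loaded from a secret store, never literals.
    private static final String SIGN_SECRET = "PLACEHOLDER-hmac-signing-secret-32-bytes-min";
    private static final String ENC_SECRET = "PLACEHOLDER-32-byte-encrypt-key!"; // exactly 32 bytes for A256GCM

    // Assumed filter mapping: SecurityFilter(clients="SAML2Client") on /jwt, CallbackFilter on
    // /callback, SecurityFilter(clients="ParameterClient") on /service/*.
    public static Config build() {
        // Indirect client: /jwt redirects the browser to the IdP; the IdP posts back to /callback.
        SAML2Configuration saml = new SAML2Configuration("resource:samlKeystore.jks",   // assumed
                "keystore-pass", "key-pass", "resource:idp-metadata.xml");             // placeholders
        saml.setServiceProviderEntityId("http://localhost:8080/callback?client_name=SAML2Client");
        SAML2Client saml2Client = new SAML2Client(saml);
        // Direct client: /service/* calls carry ?token=<JWT>; a valid token restores the SAML2Profile.
        JwtAuthenticator jwtAuth = new JwtAuthenticator(
                new SecretSignatureConfiguration(SIGN_SECRET), new SecretEncryptionConfiguration(ENC_SECRET));
        ParameterClient tokenClient = new ParameterClient("token", jwtAuth);
        tokenClient.setSupportGetRequest(true);

        return new Config(new Clients("http://localhost:8080/callback", saml2Client, tokenClient));
    }

    // Handler behind /jwt: the callback already stored the SAML2Profile in the session and the
    // security filter re-read it, so /callback itself needs no JWT code at all.
    public static String issueJwt(WebContext ctx) {
        ProfileManager<CommonProfile> manager = new ProfileManager<>(ctx);
        CommonProfile profile = manager.get(true)   // true = read the profile from the session
                .orElseThrow(() -> new IllegalStateException("/jwt reached without an authenticated profile"));
        JwtGenerator<CommonProfile> generator = new JwtGenerator<>(
                new SecretSignatureConfiguration(SIGN_SECRET), new SecretEncryptionConfiguration(ENC_SECRET));
        generator.setExpirationTime(Date.from(Instant.now().plus(Duration.ofMinutes(30)))); // short-lived
        return generator.generate(profile); // send in the response body rather than a redirect query string
    }
}
```

Returning the token in the response body (rather than as `?token=` on a redirect, as in the earlier message) keeps it out of browser history, proxy logs and Referer headers; the short expiry limits the damage if one does leak.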

Mukul Chakane

Jan 9, 2020, 12:28:27 PM
to Pac4j users mailing list
You mean:
1. Protect the /loginThroughSSO URL with the security filter, which will redirect to the IdP -> the IdP will authenticate the user -> the callback filter will redirect the request to the originally requested URL (/loginThroughSSO)
2. Then place the JWT generation code inside the same endpoint and return it to the browser.

Correct me if I'm wrong.

To achieve this I need the originally requested URL, which is stored in the session store by the security filter, but when the request comes back from the IdP to the callback filter and then the DefaultCallbackLogic class, it is not able to retrieve the last stored requested URL? What's wrong with my code or understanding?


Jérôme LELEU

Jan 10, 2020, 2:13:22 AM
to Mukul Chakane, Pac4j users mailing list
Hi,

Yes. Please provide DEBUG logs on io.buji and org.pac4j to investigate.
Thanks.
Best regards,
Jérôme



Mukul Chakane

Jan 10, 2020, 4:05:54 AM
to Pac4j users mailing list
Hi, 
PFA: pac4j.log

It seems like the SecurityFilter and CallbackFilter are both creating a new session store and, unfortunately, the DefaultCallbackLogic class is unable to get the originally requested URL from the previously stored session.


Thanks,
Mukul


Jérôme LELEU

Jan 10, 2020, 12:49:38 PM
to Mukul Chakane, Pac4j users mailing list
Hi,

Your logs are hard to read (no timestamp, no log level). As the session is recreated, do you have multiple nodes?
Thanks.
Best regards,
Jérôme



Mukul Chakane

Jan 10, 2020, 2:17:00 PM
to Pac4j users mailing list
If you mean multiple nodes as in the IdP and SP being 2 different machines, then yes.

It's our application logging; basically they are in sequence, and the log present in the file is for a single request redirected to the IdP and back to the SP. The callback filter logs are present below === callback === and the security filter logs are present below === security ===.

What do you want me to look into?


Jérôme LELEU

Jan 13, 2020, 12:43:44 PM
to Mukul Chakane, Pac4j users mailing list
Hi,

If you have multiple nodes for your application, it can explain why the session is recreated if the session is not shared between the nodes.
Or this can happen if there is a misconfiguration for the session cookie: when the session is recreated, was the session cookie sent along the request?
Thanks.
Best regards,
Jérôme



Mukul Chakane

Jan 14, 2020, 9:35:48 AM
to Pac4j users mailing list
Hi,

We have only one node of our application.

1. I'm still not able to get originallyRequestedUrl from the sessionStore. What I did is, I gave originallyRequestedUrl as the defaultUrl in the CallbackFilter; then my redirection went into a loop because the security filter was invoked again and again, and it kept creating a new SAML request and redirecting to the IdP.

2. I have 1 doubt: when you say "You should protect the URL which generates the jwt and call it first, you will be redirected to the SAML IdP for login, then back on the callback and finally and the URL to generate the JWT", how will the redirect to originallyRequestedUrl resume executing the code inside the API to generate the JWT, instead of executing the security filter again?

3. I'm using buji-pac4j 4.1.1, which needs pac4j 3.7.0 (https://search.maven.org/artifact/io.buji/buji-pac4j/4.1.1/jar), but I can see that issue https://github.com/pac4j/pac4j/issues/1074 is fixed in pac4j 4. Can you tell me how I should go about this issue? Can you please let me know when buji-pac4j 5.0 (https://github.com/bujiio/buji-pac4j/wiki/Release-Notes) will be made available on the Maven repository?

Thanks in advance,
Mukul
 

Jérôme LELEU

Jan 14, 2020, 10:35:11 AM
to Mukul Chakane, Pac4j users mailing list
Hi,

1. 2. On the callback endpoint, the login process is completed and the authenticated user profile is saved into the session. In the security filter, the authenticated user profile is read from the session.
So I think all your problems come from this newly created session (in which you don't have the authenticated user profile).

3. You can keep buji-pac4j v4.1.1 and update pac4j to v3.8.3. But you can also try buji-pac4j v5.0.0-RC3-SNAPSHOT based on pac4j v4.0.0-RC3-SNAPSHOT.
I'd love to cut a GA release in T1 2020, but we'll more likely have a RC3.

Thanks.
Best regards,
Jérôme



Mukul Chakane

Jan 15, 2020, 12:55:57 PM
to Pac4j users mailing list
Hi,

PFA: Pac4jConfig.txt, SAMLSecurityFilter.txt, SAMLCallbackFilter.txt

SAMLSecurityFilter.txt and SAMLCallbackFilter.txt are extended from SecurityFilter and CallbackFilter respectively, and override the doFilter(..) method to set the config and set the Clients.

Here I have set the SessionStore to ShiroSessionStore, then created a J2EContext, then added one key-value to the session in SAMLSecurityFilter.
Then redirected to the IdP -> authenticated -> back to the web service.
Then when I fetched the SessionStore in SAMLCallbackFilter, I'm able to see the same sessionStore object, but it doesn't contain the key-value which I set in SAMLSecurityFilter.

When I debugged further in the ShiroSessionStore class, I'm not getting the previous session object.

I tried to learn from buji-pac4j-demo as much as possible, but the SAML demo link there is not working.

I don't have much knowledge of Shiro, if it's a problem in Shiro, because from my debugging I found that the DelegatingSubject.java::getSession(...) method in shiro-core 1.4.1 is not returning the previously stored session.

Will it be possible for you to consult me over a call? Or please let me know any debugging steps.


Thanks & Regards,
Mukul


Jérôme LELEU

Jan 16, 2020, 2:17:47 AM
to Mukul Chakane, Pac4j users mailing list
Hi,

Let's start this properly: the SAML support works for me in the demo. Can you enable DEBUG logs for io.buji, org.pac4j and org.apache.shiro and make a SAML test?
We'll check your logs against a working use case.
Thanks.
Best regards,
Jérôme

