sso-server | Then install this SSO server | Authentication library
kandi X-RAY | sso-server Summary
Do you need a PHP login system that rocks? Then install this SSO server. It's an awesome, scalable, secure, flexible PHP login system for the modern era.
Top functions reviewed by kandi - BETA
- Process string content.
- Parse a selector.
- Filter a row.
- Retrieve a web page.
- Convert data to UTF-8.
- Convert email addresses to names and email addresses.
- Indicates whether a password strength is strong enough.
- Parse private key file.
- Generate a word.
- Send a TCP request.
Community Discussions
Trending Discussions on sso-server
QUESTION
Environment
I have a special case with a single ASP.Core 5 web application hosted on a wildcard domain.
I have an infinite number of dynamic sub-domains, and there is a Single-Sign-On OpenID authority responsible for authentication and for authorizing which user has access to which domain.
For example, all these domains go to the same ASP.Core web application, and many more:
- device1.mydomain.io
- device2.mydomain.io
- device3.mydomain.io
- deviceN.mydomain.io
- anything.mydomain.io
The Single-Sign-On server will refuse to sign your login if the return URL during the OIDC redirect points to a sub-domain that your user should not have access to. Either you have access to that particular sub-domain or you do not.
Considerations so far
So far, we have added event handlers to the OpenID cycle of the webserver to dynamically pick an OIDC Client ID based on the URL we were contacted on before the redirect to Single-Sign-On server.
After the redirect, this application will also refuse to accept the token signed by the Single-Sign-On server if it was signed for a different redirect URL than this application was contacted on. This is to prevent someone from copying the token, changing the URL, and trying to use the same token for a different sub-domain the user should not have access to.
There are no longer any security problems that I can see in the OpenID redirect-cycle itself. And all here is working fine.
Problem
However now there is a security problem after the cookie has been signed when using the service.
- The user has access to domain1.mydomain.io, but no access to domain2.mydomain.io.
- The user logs into domain1.mydomain.io and the ASP.Core service signs a cookie.
- The user copies the cookie into Postman and uses it to contact domain2.mydomain.io.
- Now the user has access to domain2.mydomain.io too, since the ASP.Core service never checks which domain the cookie was signed for.
How can I make the ASP.Core cookie-authentication middleware check which domain the cookie was signed for, and refuse it if the domain differs from the one we were contacted at?
The Startup.cs code
...ANSWER
Answered 2021-Feb-24 at 13:27
I found a solution!
It seems like ASP.Core cookie authentication by default does not care about the hostname the cookie was signed for when the token is validated on each request. And probably for a good reason. In most use cases the webserver can always accept cookies just based on that the same webserver signed it, and not care about how we were contacted.
This behaviour can be changed by adding additional principal validation to Events.OnValidatePrincipal when configuring AddCookie during startup.
I added an extra check validating the hostname the cookie was signed for, with the current actual hostname. This works, the server no longer accepts cookies signed for the wrong hostname. It will now redirect these requests to the Single-Sign-On server instead.
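The check described in the answer above, as an added example in C# (not code from the question, the answer, or the kandi project): the request host is recorded as a claim when the cookie is issued, in the cookie handler's OnSigningIn event, and the principal is rejected in OnValidatePrincipal whenever that claim does not match the host of the current request. The claim type name, the extension-method name and the choice to carry the signed-for host in a claim are assumptions, since the question's Startup.cs is not shown.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

public static class HostBoundCookieAuth
{
    // Hypothetical claim type recording which host the cookie was issued for.
    public const string SignedForHostClaim = "urn:example:signed-for-host";

    public static AuthenticationBuilder AddHostBoundCookie(this AuthenticationBuilder builder)
    {
        return builder.AddCookie(options =>
        {
            // Runs once, when the OIDC handler signs the user in to the cookie scheme:
            // stamp the host we were contacted on into the identity before it is serialized.
            options.Events.OnSigningIn = context =>
            {
                if (context.Principal?.Identity is ClaimsIdentity identity &&
                    !identity.HasClaim(c => c.Type == SignedForHostClaim))
                {
                    identity.AddClaim(new Claim(SignedForHostClaim,
                        context.HttpContext.Request.Host.Host));
                }
                return Task.CompletedTask;
            };

            // Runs on every request that presents the cookie: compare the recorded host
            // with the host of this request and reject the principal on mismatch.
            options.Events.OnValidatePrincipal = context =>
            {
                var signedFor = context.Principal?.FindFirst(SignedForHostClaim)?.Value;
                var current = context.HttpContext.Request.Host.Host;
                if (!HostMatches(signedFor, current))
                {
                    // Treat the request as unauthenticated; the normal challenge
                    // (redirect to the SSO server) then applies. Signing out also
                    // clears the cookie so it is not resubmitted on the next request.
                    context.RejectPrincipal();
                    return context.HttpContext.SignOutAsync(
                        CookieAuthenticationDefaults.AuthenticationScheme);
                }
                return Task.CompletedTask;
            };
        });
    }

    // Case-insensitive exact host comparison. A missing claim counts as a mismatch,
    // so cookies issued before this check was deployed are not accepted either.
    public static bool HostMatches(string signedFor, string current) =>
        !string.IsNullOrEmpty(signedFor) &&
        string.Equals(signedFor, current, StringComparison.OrdinalIgnoreCase);
}
```

In Startup.ConfigureServices this replaces the plain AddCookie() call in the authentication builder chain (services.AddAuthentication(...).AddHostBoundCookie().AddOpenIdConnect(...)). Comparing Request.Host.Host rather than the full Host header ignores the port, which is intentional here because the sub-domain is what carries the authorization decision.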
QUESTION
I got a good and simple SSO sample project from here
Currently the sample works as below.
- Start app1, app2, sso-server.
- Load http://localhost:8082/app1. It will redirect to the login page of http://localhost:8080/sso-server.
- username: user, password: password
- On successful login, it will redirect back to http://localhost:8082/app1. The page will show "Welcome to app1, user".
- Now on loading http://localhost:8083/app2 the page will show "Welcome to app2, user", since we have already logged in.
Now my issue is the sample uses spring-boot-starter-parent version 1.5.9.RELEASE
The sample uses the spring-cloud dependency as well. I read that spring-cloud does not support spring-boot-starter-parent version 2 or above.
So I tried to remove spring cloud dependency from app1 and I could start the application after a tough try. My new pom is as below.
...ANSWER
Answered 2019-Sep-07 at 11:44
Here is the link to the code on GitHub, forked from the link provided in the question above, which provides all the features you expected using the Spring Boot 2.X version.
In the above code I have moved your code from Spring Boot version 1.5.9.RELEASE to 2.1.3.RELEASE and the Spring Cloud version from Edgware.SR1 to Finchley.SR1.
QUESTION
I am following this tutorial and it works perfectly; it is a single sign-on application. Then I tried to build a docker image for each service and expose the ports they are using, but when I log in to the app1 service I get this response:
...ANSWER
Answered 2019-Feb-10 at 21:54
All URIs in the application.yml file are defined to go to localhost. If you want to go from one container to another, you can use the IP address of the host or the docker bridge address (the default address is 172.17.0.1).
QUESTION
I have been trying to follow a tutorial found HERE for setting up a demo to help me understand SSO on my local machine before implementing it in another project. I have run into a problem that has left me stuck. I receive an error telling me to add a bean. Please let me know what code I am missing. I cannot get the program to run.
Tree of file system
AuthApplication.java
...ANSWER
Answered 2018-Mar-25 at 09:57
You have to expose the AuthenticationManager as a Spring bean, as described here.
QUESTION
We develop a bigger SaaS application based on ASP.NET Core and EFCore. We separate tenants by database, meaning that we have one database for each tenant.
The database is migrated on any incoming request by a client by a custom middleware. This is required because the application should be immediately available after a tenant signs up on our SSO-Server.
So the pipeline looks like this:
- Authentication Middleware (ASP.NET Core Standard)
- UserResolverMiddleware (extracts TenantID from the JWT token and adds it to HttpContext.Items)
- TenantDatabaseInitializerMiddleware (constructs a TenantDbContext object by passing the tenantid in the ConnectionString and starts migration)
Unfortunately this has some downsides, as I recognized later:
- The TenantDatabaseInitializer sometimes uses a TenantDbContext of a different tenant. Therefore no database is migrated and the whole request fails.
- If there are a lot of incoming requests for the same tenant, the migrations often overlap and fail. (The middleware is catching the InvalidOperationExceptions that are thrown, but this does not seem like a good solution.)
- It creates a lot of databases.
- The requests take potentially long to complete (check for migration).
Long introduction, short question: Can anyone judge whether this migration workflow is good practice? If not: Do you have a better idea how I can achieve multi-tenancy?
I read about Global Query Filters in EFCore 2.0, but I'm not sure how safe this approach is regarding data isolation.
Thanks!
...ANSWER
Answered 2017-Oct-25 at 10:47
I think creating a database per tenant is not practical. If you have 2000 tenants, then you have to maintain 2000 database instances!
I recommend using one database for the whole application and all tenants, and adding a TenantId to most of the tables so you can find out which tenant specific records belong to.
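The single-database approach recommended in the answer, combined with the EF Core global query filter the question mentions, as an added example in C# (not code from the question, the answer, or the kandi project). The Order entity, the ITenantProvider abstraction and the HttpContext.Items key "TenantId" are assumptions; the point it shows is that the tenant id is applied on both sides, filtered on every read and stamped on every insert, so a request can neither see nor write another tenant's rows even if application code forgets to add a where clause.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;

// Hypothetical tenant-owned entity: every shared table carries a TenantId column.
public class Order
{
    public int Id { get; set; }
    public string TenantId { get; set; }
    public decimal Amount { get; set; }
}

// Supplies the tenant for the current request. The question's UserResolverMiddleware
// places the tenant id from the JWT into HttpContext.Items; the key name is assumed.
public interface ITenantProvider
{
    string TenantId { get; }
}

public class HttpContextTenantProvider : ITenantProvider
{
    private readonly IHttpContextAccessor _accessor;

    public HttpContextTenantProvider(IHttpContextAccessor accessor) => _accessor = accessor;

    // Fail closed: a request with no resolved tenant must never reach an unfiltered query.
    public string TenantId =>
        _accessor.HttpContext?.Items["TenantId"] as string
        ?? throw new InvalidOperationException("No tenant resolved for this request.");
}

public class AppDbContext : DbContext
{
    // Captured once per scoped DbContext (one per request), so the filter below is stable.
    private readonly string _tenantId;

    public AppDbContext(DbContextOptions<AppDbContext> options, ITenantProvider tenant)
        : base(options) => _tenantId = tenant.TenantId;

    public DbSet<Order> Orders { get; set; }

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Global query filter: EF Core appends "WHERE TenantId = @p" to every query
        // over Orders (including navigations) unless the caller opts out with IgnoreQueryFilters().
        modelBuilder.Entity<Order>().HasQueryFilter(o => o.TenantId == _tenantId);
        modelBuilder.Entity<Order>().HasIndex(o => o.TenantId);
    }

    // Stamp the current tenant on inserted rows and refuse writes that claim another tenant,
    // so the TenantId column cannot be set from request data.
    public override int SaveChanges()
    {
        foreach (var entry in ChangeTracker.Entries<Order>())
        {
            if (entry.State == EntityState.Added)
            {
                entry.Entity.TenantId = _tenantId;
            }
            else if (entry.State == EntityState.Modified && entry.Entity.TenantId != _tenantId)
            {
                throw new InvalidOperationException("Cross-tenant write rejected.");
            }
        }
        return base.SaveChanges();
    }
}
```

Registration is the usual services.AddHttpContextAccessor(), services.AddScoped<ITenantProvider, HttpContextTenantProvider>() and services.AddDbContext<AppDbContext>(...). The filter is only as strong as the tenant resolution feeding it, so the middleware that sets HttpContext.Items["TenantId"] must take the value from the validated JWT, never from a header or query string the client controls.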
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported