Friday, February 14, 2014

Working of WSO2 Identity Server

To enable OAuth support for your client application, First we need to register our application on WSO2 Identity Server.

Step to register Client App on WSO2 IS :

  1. Goto Management Console and Enter your username and password. By default its “admin”.
  2. Click Main button and then OAuth in Manage menu.
  3. Click on the Register New Application link on the OAuth Management page.



  1. Select OAuth 2.0 as the OAuth Version. Enter Application Name and your Callback Url. For this app to work use http://localhost:8080/playground/oauth2client.


  
   5. Click on Add button , you will see your application under the OAuth                Management Page.





  1. Click on the WSO2 application and copy the Client ID, Client Secret, Access Token URL and Authorize URL. We need these values for our web app.


You are done with the registration part..!!!



Sample App with WSO2 Identity Server :

Download the sample app from here and host it in Tomcat. You can see the app running at http://localhost:7070/playground.
  1. Click on Import Photos






  1. Select the Grant Type as “authorization code”. Enter Client Id , Authorize Endpoint that we got while registering our Application. Scope is Optional and click on Authorize.


3. WSO2 Identity Server requests access to noscope, After login click on Approve.


4. You will get authorization code, Now enter the value for the Access Token Endpoint and Client Secret and click Get Access Token.

5 . Once you get access token, Click on “Get Photo”.




Setup of WSO2 Identity Server on Windows 7

What is WSO2 Identity Server ?

WSO2 Identity Server is an enterprise-ready, fully-open source, lean, component-based solution for facilitating security and provides secure identity management for enterprise web applications, services, and APIs by managing identity and entitlements of the user securely and efficiently.
It helps improve customer experience by reducing identity provisioning time, guaranteeing secure online interactions, and delivering a reduced single sign-on environment. WSO2 Identity Server decreases identity management, entitlement management, and administration burden by including role-based access control (RBAC) convention, fine-grained policy-based access control, and SSO bridging.

Downloading the product :

  • In your Web browser, go to http://wso2.com/products/identity-server.
  • If you are a new user downloading WSO2 products for the first time, register and log in.
  • Once you are logged in, click the Binary button in the upper right corner of the page.

The binary distribution contains the Carbon binary files for both Windows and Linux operating systems, compressed into a single ZIP file.

Installing the Identity Server :

Before installing, You must set your JAVA_HOME environment variable.
  • Download the latest version of the Identity Server as described above
  • Extract the archive file to a dedicated directory for the Identity Server, which will hereafter be referred to as <WSO2_HOME>.

Starting the Server :

To start the server, you need to run the script “wso2server.bat” which is under $WSO2_HOME/bin folder.
Once the server has started, you can see the Management Console by opening a Web browser and typing in the management console's URL. You can check the URL as the last line in the start script's console. Check the screenshot below :



Use “admin” as username and password to sign in to the Management Console.
By default, The session-timeout value is 15 minutes but you can change this in the $WSO2_HOME/repository/conf/tomcat/carbon/WEB-INF/web.xml file as follows:

<session-config>
<session-timeout>15</session-timeout>
</session-config>

Stopping the Server :

To stop the server, press Ctrl+C in the command window or click the Shutdown/Restart link in the navigation pane in the Management Console.

Resources :

http://wso2.com/products/identity-server/

http://docs.wso2.org/display/IS460/WSO2+Identity+Server+Documentation

How to retrieve Facebook profile using Apache Oltu

This tutorial shows you the basic of OAuth using Apache Oltu (Formely known as Apache Amber). We have created a Java Web Application that authenticates the user to Facebook via OAuth 2.0 and retreive the protected resources from Facebook.

Setup :
  • SSL enabled Tomcat Server as we have deployed our Web Application on tomcat. Click here for instruction on How to enable SSL on Apache Tomcat 7.0
  • Registered Facebook Application. Check here for instruction on How to register App on Facebook.
  • Download the OltuClientFB Application from the GIT repository.
  • If you are using Maven then add below dependency or download Apache Oltu client jars :
    <dependency>
      <groupId>org.apache.oltu.oauth2</groupId>
      <artifactId>org.apache.oltu.oauth2.client</artifactId>
    </dependency>

Run the Project :

Check out the project from the above URL, import into the eclipse and Run as a Server.

Navigate your browser to https://localhost:<port>/OltuClientFB. You will see the following page:





Click on the link and it will take you the Facebook page for Authentication :


Once you are login into Facebook, It will ask you to allow the Oauth application to access your private data:



Once you click on “Okay” button. It will display your profile detail like UserId, Name etc.



Code Description :

OAuthServlet.Java

In the Servlet initParams, We have defined the clientId, clinetSecret and the redirectUri, You can change it as per your Apps.
// clientId is 'App ID '
@WebInitParam(name = "clientId", value = "YOUR_CLIENT_ID"),
// clientSecret is 'App Secret'
@WebInitParam(name = "YOUR_CLIENT_SECRET", value = "70ba69525274876dce9697ad183a9051"),
// This must be identical to 'Valid OAuth Redirect URI's'
@WebInitParam(name = "redirectUri", value = "https://localhost:7443/OltuClientFB/OAuthServlet/callback"),})

The Java Web Application act as a third-party website or termed as “client” which operate on behalf of a user. It first sends the request to Facebook which authenticates the user, obtain the user's authorization(i,e Approve/Deny page) and issues an access token which client can use while interacting with the resource server i,e Facebook to access public profile of the user.

End user Authorization request :


Created the End User Authorization Request by providing end-user authorization URI at the Authorization Server (e.g. Facebook), application's client id and a redirect URI in order to receive the authorization code. Apache Oltu has an enum OAuthProviderType for authorization and token endpoints of common OAuth 2 providers like Facebook.

OauthClientRequest authClientRequest = OAuthClientRequest
.authorizationProvider(OAuthProviderType.FACEBOOK)
.setClientId(clientId).setRedirectURI(redirectUri)
.buildQueryMessage();

The above code will produce an OAuth request where all the parameters are encoded in the URL query.

response.sendRedirect(authClientRequest.getLocationUri());

Get Authorization Code from redirect URI :

Once the user grants permission for your client application, then the Facebook will redirects the user to redirectUri with the code in the request parameter.


OAuthAuthzResponse oar = OauthAuthzResponse.oauthCodeAuthzResponse(request); code = oar.getCode();

Exchange OAuth code for an access token :


Apache Oltu has two different classes to parse the access token response. Facebook’s response is not fully compliant with the final version of the OAuth 2 specification, but it can be parsed using the class GitHubTokenResponse.



OauthClientRequest authClientRequest = OAuthClientRequest.tokenProvider(OAuthProviderType.FACEBOOK)
.setGrantType(GrantType.AUTHORIZATION_CODE)
.setClientId(clientId).setClientSecret(clientSecret)
.setRedirectURI(redirectUri).setCode(authorizationCode)
.buildBodyMessage();
//create OAuth client that uses custom http client under the hood
oAuthClient = new OAuthClient(new URLConnectionClient());
GitHubTokenResponse oAuthResponse = oAuthClient.accessToken(authClientRequest,
GitHubTokenResponse.class);
String accessToken = oauthResponse.getAccessToken();

Get Facebook profile data :

OAuthClientRequest bearerClientRequest = new OAuthBearerClientRequest("https://graph.facebook.com/me").setAccessToken(accessToken).buildQueryMessage();
OAuthResourceResponse resourceResponse oAuthClient.resource(bearerClientRequest, OAuth.HttpMethod.GET,
OauthResourceResponse.class);

DisplayFacebookProfile.Java 
This class will display the user profile on the UI.


Summary :

This application demonstrates the basic of OAuth 2.0 using Apache Oltu i,e how to authenticates the user and retreive the protected resources from Facebook.

Resources :

https://cwiki.apache.org/confluence/display/OLTU/OAuth+2.0+Client+Quickstart

Code download link:
https://drive.google.com/file/d/0B7WKU816EmtaSUw3UmpsWUljWk0/view?usp=sharing

How to register App on Facebook

Steps to create Apps on Facebook :


Registration Page
  • Enter the Display Name. This is required. 
  • Enter Namespace. (Optional)
  • Choose a Category and then click on Create App button. After verifying captcha It will show you the App ID and App Secret which is nothing but ClientId and ClientSecret . Check below screenshot :




  • Select “Settings” and then click on “Advance” tab.
  • Scroll down and enter your callback URL in “Valid Oauth redirect URIs” and then click on “Save Changes button to save your apps.





Congratulation!!! You have created your Apps on Facebook.

Tuesday, February 11, 2014

How to setup of WSO2 Identity Server on windows

What is WSO2 Identity Server ?

WSO2 Identity Server is an enterprise-ready, fully-open source, lean, component-based solution for facilitating security and provides secure identity management for enterprise web applications, services, and APIs by managing identity and entitlements of the user securely and efficiently.
It helps improve customer experience by reducing identity provisioning time, guaranteeing secure online interactions, and delivering a reduced single sign-on environment. WSO2 Identity Server decreases identity management, entitlement management, and administration burden by including role-based access control (RBAC) convention, fine-grained policy-based access control, and SSO bridging.

Downloading the product :
  • In your Web browser, go to http://wso2.com/products/identity-server.
  • If you are a new user downloading WSO2 products for the first time, register and log in.
  • Once you are logged in, click the Binary button in the upper right corner of the page.

The binary distribution contains the Carbon binary files for both Windows and Linux operating systems, compressed into a single ZIP file.

Installing the Identity Server :

Before installing, You must set your JAVA_HOME environment variable.
  • Download the latest version of the Identity Server as described above
  • Extract the archive file to a dedicated directory for the Identity Server, which will hereafter be referred to as <WSO2_HOME>.

Starting the Server :

To start the server, you need to run the script “wso2server.bat” which is under $WSO2_HOME/bin folder.
Once the server has started, you can see the Management Console by opening a Web browser and typing in the management console's URL. You can check the URL as the last line in the start script's console. Check the screenshot below :






Use “admin” as username and password to sign in to the Management Console.
By default, The session-timeout value is 15 minutes but you can change this in the $WSO2_HOME/repository/conf/tomcat/carbon/WEB-INF/web.xml file as follows:

<session-config>
<session-timeout>15</session-timeout>
</session-config>

Stopping the Server :

To stop the server, press Ctrl+C in the command window or click the Shutdown/Restart link in the navigation pane in the Management Console.


Resources :
http://wso2.com/products/identity-server/

http://docs.wso2.org/display/IS460/WSO2+Identity+Server+Documentation

How TOPT Works: Generating OTPs Without Internet Connection

Introduction Have you ever wondered how authentication apps like RSA Authenticator generate One-Time Passwords (OTPs) without requiring an i...