June 5, 2018 at 10:06 am #22201
We have a dedicated microservice which handles our users DB. It includes usernames + passwords, and we’d like to use this microservice for authentication when logging in with OpenAM using the REST API. Is this supported, or do we have to develop a custom authentication method? (It will be used alongside OpenIG.)
Thanks!

June 5, 2018 at 1:04 pm #22216 Bill Nelson (Participant)
Just so I am clear, you are asking if OpenAM can use an external DB as an authentication module, similar to the following:
Client –(REST)–> OpenAM –(JDBC)–> DB Microservice
If so, then the answer is yes. You can configure a database for authentication in this manner (assuming it is a standard database and you have the appropriate drivers).

June 5, 2018 at 1:06 pm #22217
Where can I find a guide on how to do this? Thanks!

June 5, 2018 at 1:11 pm #22218
Also, my question was: instead of authenticating against a DB, can I configure it to authenticate against a REST API service, a service/microservice that receives a username+password and simply returns true/false?
Can this be done?

June 5, 2018 at 5:54 pm #22225
Turning Bill’s example around, do you mean you want:
Client –(un+pwd)–> OpenAM –(un+pwd)–> Microservice REST API –(un+pwd)–> DB
If so, that’s also possible, but requires a custom authentication module to query your micro service REST endpoint. It would return HTTP 200/HTTP 401 to the client rather than the true/false returned by the micro service.
-Andy

June 12, 2018 at 3:10 pm #22282
Okay, suppose I did this, what about OAuth2? I mean, if I set up OpenAM to be an OpenID Connect authorization server, I would need it to return an email/access token to the secured resource (the service behind the OpenIG proxy). This wouldn’t be supported because my microservice does not have access to OpenAM – it will not be able to generate access tokens.
To be clearer, this is the scenario in my head when trying to access a secured resource behind OpenIG’s proxy:
1. attempt access -> unauthenticated -> redirect to OpenAM
2. log in to OpenAM, but instead of verifying user+pass from the datastore, the verification is done against my microservice
3. the microservice responded with 200/true -> generate access token
4. using a headerfilter, send the access token/email down the stream to the protected resource
5. Voila, you’re authenticated.
Is this possible using your technologies? Thanks!

June 27, 2018 at 9:53 am #22403
Any updates regarding this?
Thanks!

June 28, 2018 at 10:53 am #22415
I think that should be possible. The key is, as said above, having a custom authentication module to do steps 2 and 3 of your scenario. OAuth2 isn’t an authentication protocol – OpenAM will enforce that access to the authorize endpoint only succeeds if the user is authenticated, but the actual authentication is abstracted from this, and could have been achieved using any of the out-of-the-box modules, or a custom one that checks against your microservices.
-Andy

June 28, 2018 at 11:04 am #22416
Thanks a lot Andy, all clear now regarding the custom authentication module.
Can you please elaborate on the difference between creating a custom authentication module and simply creating a custom login URL template? Are they two totally different things? From what I understood, both could be used to authenticate users externally. Am I correct to assume this?
Thanks!!

June 28, 2018 at 3:41 pm #22420
As per replies in your other thread: yes, a custom auth module and a custom login URL template are totally different things.
If you want to use OAuth2 flows with an external login page, you need to add a custom login URL template to the OAuth2 provider config in OpenAM, AND you need to implement a custom login page (app) that the URL template points to; the template won’t do anything on its own. That login app authenticates a user with OpenAM using REST. That could be a simple username/password auth against OpenAM’s user store, or a custom auth module that authenticates against your microservice.
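
The outbound check that a custom authentication module in this thread would delegate to, as an added example that is not part of the thread and not OpenAM code. The class name, endpoint URL, JSON field names and the response contract (HTTP 200 with body `true` or `false`) are assumptions; wiring it into OpenAM's module SPI is left out.

```java
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// Added example; every name here is hypothetical.
public class MicroserviceCredentialCheck {
    public enum Result { ACCEPTED, REJECTED, UNAVAILABLE }
    private final URL endpoint; // assumed, e.g. https://users.example.internal/verify

    public MicroserviceCredentialCheck(URL endpoint) {
        // The password travels in the request body, so refuse plain HTTP.
        if (!"https".equals(endpoint.getProtocol())) throw new IllegalArgumentException("endpoint must use https");
        this.endpoint = endpoint;
    }

    // Assumed contract: HTTP 200 with body "true" or "false"; HTTP 401 also means rejected.
    static Result decide(int status, String body) {
        if (status == 401) return Result.REJECTED;
        if (status != 200 || body == null) return Result.UNAVAILABLE; // fail closed
        if (body.trim().equals("true")) return Result.ACCEPTED;
        return body.trim().equals("false") ? Result.REJECTED : Result.UNAVAILABLE;
    }

    public Result verify(String username, String password) {
        String json = "{\"username\":" + quote(username) + ",\"password\":" + quote(password) + "}";
        try {
            HttpURLConnection c = (HttpURLConnection) endpoint.openConnection();
            c.setRequestMethod("POST");
            c.setConnectTimeout(2000); c.setReadTimeout(3000); // a slow backend must not hang logins
            c.setInstanceFollowRedirects(false); // never resend credentials to a redirect target
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/json");
            try (OutputStream out = c.getOutputStream()) { out.write(json.getBytes(StandardCharsets.UTF_8)); }
            int status = c.getResponseCode();
            if (status != 200) return decide(status, null);
            try (BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
                return decide(status, r.readLine());
            }
        } catch (IOException e) {
            return Result.UNAVAILABLE; // timeout, TLS failure, refused connection
        }
    }

    // JSON string escaping, so quotes or control characters in a password cannot alter the body.
    private static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char ch : s.toCharArray())
            sb.append(ch == '"' || ch == '\\' ? "\\" + ch : ch < 0x20 ? String.format("\\u%04x", (int) ch) : String.valueOf(ch));
        return sb.append('"').toString();
    }
}
```

Only `ACCEPTED` should let the module report a successful login; `UNAVAILABLE` is kept distinct from `REJECTED` so that backend outages are not counted as failed password attempts.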