Skip to content

Commit

Permalink
fix: #2487 - SIWA and SIWG (Sign in with Apple-Google), moved to scri…
Browse files Browse the repository at this point in the history
…pt-catalog (#2983)
  • Loading branch information
maduvena authored Nov 15, 2022
1 parent 2f15cf8 commit 402e7ae
Show file tree
Hide file tree
Showing 7 changed files with 139 additions and 337 deletions.
109 changes: 0 additions & 109 deletions docs/admin/recipes/social-login-google.md

This file was deleted.

10 changes: 5 additions & 5 deletions docs/admin/recipes/social-login.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,17 @@ tags:
- recipes
---

## Implementing Social logins
## Implementing Social logins
You can use a `PersonAuthenticationType` script to allow users to sign using credentials from popular **Social Identity providers** or **Inbound Identity Providers** like Facebook, Google and Apple. After users authenticate, we provision their Social Identity Provider credentials into the Jans-auth server. No additional username, password, credentials are needed for this user.
1. Facebook
2. [Google](https://github.com/JanssenProject/jans/blob/main/docs/admin/recipes/social-login-google.md)
3. [Apple](https://github.com/JanssenProject/jans/blob/main/docs/admin/recipes/social-login-apple.md)
2. [Google](../../script-catalog/person-authentication/google-external-authenticator/README.md)
3. [Apple](../../script-catalog/person-authentication/apple-external-authenticator/README.md)

Following is a high-level diagram depicting a typical flow - user authentication on a Social Identity Platform and subsequent user provisioning on Jans-Auth server.
Following is a high-level diagram depicting a typical flow - user authentication on a Social Identity Platform and subsequent user provisioning on Jans-Auth server.

You can copy paste this sequence in [https://sequencediagram.org/](https://sequencediagram.org/)
```
title Social login
title Social login
Jans AS<-User agent: 1. Invoke /authorize endpoint
Jans AS->User agent: 2. Discovery: Present list of remote IDPs (Google, Apple, FB...)
User agent->Jans AS: 3. Select IDP (e.g. click on button)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,27 +4,27 @@ tags:
- recipes
---

## Social Login with Apple
## Social Login with Apple

An out-of-the-box feature, the Sign-in with Apple Authentication script is a `PersonAuthenticationType` script which enables a user to sign-in using Apple credentials. After users authenticate using their Apple credentials, their Apple credentials are provisioned into the Jans-auth server.

## Prerequisites
## Prerequisites

- A Jans-auth Server (installation instructions [here](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup#readme))
- The [Sign-in with Apple authentication script](https://github.com/JanssenProject/jans/tree/main/jans-linux-setup/jans_setup/static/extension/person_authentication/AppleExternalAuthenticator.py) (included in the default Jans-auth Server distribution);
- A Jans-auth Server installation
- The [Sign-in with Apple authentication script](./AppleExternalAuthenticator.py) (included in the default Jans-auth Server distribution);
- An [Apple developer account](https://developer.apple.com/).

## Configurations at Apple Identity Provider:
You will need to configure a service id, linked to your App identifier. For each website that uses Sign In with Apple, register a services identifier (Services ID) and configure your domain and return URL.
You will need to configure a service id, linked to your App identifier. For each website that uses Sign In with Apple, register a services identifier (Services ID) and configure your domain and return URL.
1. Under `Certificates, Identifiers and Profiles` --> `Identifiers` --> Click on the `+` button
2. In the `Register a new identifier` select `Service ID`
3. After filling out the description and identifier name, save the Service ID
4. Now edit the saved Service ID and enable the `Sign in with Apple` checkbox and click `Configure` button
5. Configure the Janssen's server's callback url `https://<your.janssen.server>/postlogin.htm` as a `Website URL`
5. Configure the Janssen's server's callback url `https://<your.janssen.server>/postlogin.htm` as a `Website URL`

## Configure jans-auth server

Configure the custom script:
Configure the custom script:
### Properties

The custom script has the following properties:
Expand All @@ -34,7 +34,7 @@ The custom script has the following properties:
|`apple_client_id` |Name of Service ID on developer.apple.com. | `com.company.name`|
|`apple_jwks` | Apple’s public JWK to validate Apple Identity Token | `https://appleid.apple.com/auth/keys`|

To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script)
To update this setting in Jans persistence, follow this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script)

### Enable Sign-in with Apple Authentication script
By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism.
Expand Down Expand Up @@ -67,7 +67,7 @@ Steps:

:memo: **NOTE**

To make sure `apple` has been enabled successfully as a default authentication method, you can check your Janssen Server's OpenID Connect configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"apple"`.
To make sure `apple` has been enabled successfully as a default authentication method, you can check your Janssen Server's OpenID Connect configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`. Find `"acr_values_supported":` and you should see `"apple"`.

## Test the feature - Sign-in with Apple
To test , enter the complete URL for authorization in a browser or create a simple webpage with a link that simulates the user sign-in attempt. If the server is configured properly, the first page for the selected authentication method will be displayed to the user.
Expand All @@ -76,8 +76,3 @@ An example of a complete URL looks like this -
```
https://<your.jans.server>/jans-auth/authorize.htm?response_type=code&redirect_uri=https://<your.jans.server>/admin&client_id=<replace_with_inum_client_id>&scope=openid+profile+email+user_name&state=faad2cdjfdddjfkdf&nonce=dajdffdfsdcfff
```





Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,13 @@
FIDO2 is comprised of the [W3C’s Web Authentication specification (WebAuthn)](https://www.w3.org/TR/webauthn/) and FIDO’s corresponding [Client-to-Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-ps-20170927/fido-client-to-authenticator-protocol-v2.0-ps-20170927.html). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.

This document explains how to use the Janssen Auth Server's built-in
[FIDO2 interception script](https://github.com/JanssenProject/jans/blob/main/jans-linux-setup/jans_setup/static/extension/person_authentication/Fido2ExternalAuthenticator.py)
to implement a two-step, two-factor authentication (2FA) with username / password as the first step, and any FIDO2 device as the second step.
[FIDO2 interception script](https://github.com/JanssenProject/jans/blob/main/jans-linux-setup/jans_setup/static/extension/person_authentication/Fido2ExternalAuthenticator.py)
to implement a two-step, two-factor authentication (2FA) with username / password as the first step, and any FIDO2 device as the second step.

## Prerequisites
- A Janssen Server ([installation instructions](https://github.com/JanssenProject/jans#installation))
- [FIDO2 interception script](https://github.com/JanssenProject/jans/blob/main/docs/script-catalog/person_authentication/fido2-external-authenticator/Fido2ExternalAuthenticator.py) (included in the default Janssen Server distribution);
- At least one FIDO2 device for testing, like one of the devices [listed below](#fido2-devices).
- At least one FIDO2 device for testing, like one of the devices [listed below](#fido2-devices).

### FIDO2 devices
Some well known FIDO2 devices and manufacturers include:
Expand All @@ -24,7 +24,7 @@ Some well known FIDO2 devices and manufacturers include:
- [AuthenTrend](https://authentrend.com/)
- [Apple's built-in Touch ID](https://support.apple.com/en-in/guide/mac-help/mchl16fbf90a/mac)

[Purchase FIDO2 devices on Amazon](https://www.amazon.com/s/ref=nb_sb_noss/146-0120855-4781335?url=search-alias%3Daps&field-keywords=fido2). Or, check [FIDO's certified products](https://fidoalliance.org/certification/fido-certified-products/) for a comprehensive list of FIDO2 devices (sort by `Specification` == `FIDO2`).
[Purchase FIDO2 devices on Amazon](https://www.amazon.com/s/ref=nb_sb_noss/146-0120855-4781335?url=search-alias%3Daps&field-keywords=fido2). Or, check [FIDO's certified products](https://fidoalliance.org/certification/fido-certified-products/) for a comprehensive list of FIDO2 devices (sort by `Specification` == `FIDO2`).

## Properties
The script has the following properties
Expand All @@ -37,18 +37,18 @@ The script has the following properties

By default, users will get the default authentication mechanism as specified above. However, **using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism**.

1. Obtain the json contents of `fido2` custom script by using a jans-cli command like `get-config-scripts-by-type`, `get-config-scripts-by-inum` etc.
1. Obtain the json contents of `fido2` custom script by using a jans-cli command like `get-config-scripts-by-type`, `get-config-scripts-by-inum` etc.

e.g : `/opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-type --url-suffix type:PERSON_AUTHENTICATION` , `/opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-inum --url-suffix inum:6122281b-b55d-4dd0-8115-b098eeeee2b7`

2. [Update the custom script](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-custom-scripts.md#update-an-existing-custom-script) and change the `enabled` attribute to `true`

Now FIDO2 is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect `acr_values`, applications can now request FIDO2 authentication for users.
Now FIDO2 is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect `acr_values`, applications can now request FIDO2 authentication for users.

!!! Note
To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect
configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`.
Find `"acr_values_supported":` and you should see `"fido2"`.
!!! Note
To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect
configuration by navigating to the following URL: `https://<hostname>/.well-known/openid-configuration`.
Find `"acr_values_supported":` and you should see `"fido2"`.

## Enable FIDO2 Script as default authentication script:
Use this [link](https://github.com/JanssenProject/jans-cli/blob/main/docs/cli/cli-default-authentication-method.md) as a reference.
Expand All @@ -73,24 +73,24 @@ Below is an illustration of the Janssen Server's default FIDO2 login page:

![fido2](https://github.com/JanssenProject/jans/raw/main/docs/assets/image_fido2.png)

The design is being rendered from the [FIDO2 xhtml page](https://github.com/JanssenProject/jans/blob/main/jans-auth-server/server/src/main/webapp/auth/fido2/login.xhtml). To customize the look and feel of this page, follow the [customization guide](https://jans.io/docs/admin/developer/customization/customize-web-pages/).
The design is being rendered from the [FIDO2 xhtml page](https://github.com/JanssenProject/jans/blob/main/jans-auth-server/server/src/main/webapp/auth/fido2/login.xhtml). To customize the look and feel of this page, follow the [customization guide](https://jans.io/docs/admin/developer/customization/customize-web-pages/).

## Using FIDO2 tokens
## Using FIDO2 tokens

### Credential enrollment
FIDO2 device enrollment happens during the first authentication attempt.
FIDO2 device enrollment happens during the first authentication attempt.

### Subsequent authentications
All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key.
All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key.

### FIDO2 credential management
A user's FIDO2 devices can be removed by a Janssen administrator in LDAP under the user entry as shown in the below screenshot.
A user's FIDO2 devices can be removed by a Janssen administrator in LDAP under the user entry as shown in the below screenshot.

![fido2](https://github.com/JanssenProject/jans/raw/main/docs/assets/image-fido2-ldap-structure.png)
Diagram source in mermaid.live
```
graph TD
A[ou=jans] --> K(ou=people)
K --> K1[inum=....]
K1 --> K11[ou=fido2_register]
Expand Down Expand Up @@ -124,7 +124,7 @@ graph TD
K32 --> K321[jansId=....]
K32 --> K322[jansId=....]
K32 --> K323[jansId=....]
```

### FIDO2 discovery endpoint
Expand Down
Loading

0 comments on commit 402e7ae

Please sign in to comment.