6 Replies Latest reply on Apr 3, 2014 4:06 AM by maxsap

    Picketlink public token restfull web service

    maxsap

      Hello, let me start by saying sorry if these questions seem stupid; I tried my best to resolve them from the documentation.

      I am new to PicketLink and to security in general, and I would like some guidance.

      I would like to start working on a project that uses a RESTful web service in the back end and supports different clients authenticating and interacting with it, using different authentication methods.

      Currently I have implemented a sample that is based on the RBAC and ticket-monster examples, so it uses username and password to authenticate a user; by default, when a user is created he is assigned a role that is then used for the role filtering.

      The ideal scenario would be:

      • The user signs up on the service using a username and password
      • He is assigned a public token which he can also use to authenticate
      • When using the public token, instead of using a cookie the clients are served with a digest that they need to include in every call

       

      I would like to offer a service where the user can use his public token to programmatically interact with my service, but can also log in from a web interface using username/password pairs.


      So my questions are:

       

      • Does PicketLink support something like that?
      • Is there a way for PicketLink to identify the session not from cookies but, for example, from a custom header or path parameter? I have tried setting the authentication digest as a param on the filter in web.xml, but this didn't do the trick.
      • How can I generate a token with a limited expiration time? I know this is possible with SAML, but I would like something simpler, like most APIs do, where you get a token and authenticate on each call.
      • Is it possible to authenticate on each call and not create sessions?

       


      Sorry for the length of my questions; I have been searching for a week through the documentation and on the web but didn't find any hint.

       

      best,
      Maximos
        • 1. Re: Picketlink public token restfull web service
          maxsap

          After 8 days and not a single answer to any of the questions?

          • 2. Re: Picketlink public token restfull web service
            pcraveiro

            Hi Maximos,

             

                 I think we have a quickstart [1] that can be useful for you.      

             

                Basically, this example is about an authentication endpoint providing both username/password and token-based authentication. However, the Identity bean is session-scoped, which means you'll have a session for each user. We are currently discussing [2] a stateless alternative to the current Identity bean implementation. But for now, if you want stateless authentication you should use the IdentityManager bean directly to authenticate your users.

             

                Unfortunately, we don't have any example application about how to use the IdentityManager bean directly to provide authentication. But we're covering some important bits of the Credential API in our documentation [3]. There you can find how to use the PicketLink IDM directly to update and validate credentials, as well as how to provide your own credential types.

             

                 Regarding the token, maybe JWT [4] can be an option.    

             

            [1] jboss-picketlink-quickstarts/picketlink-authentication-rs-endpoint at master · jboss-developer/jboss-picketlink-quicksta…

            [2] [PLINK-400] Stateless behavior to the Identity bean - JBoss Issue Tracker

            [3] PicketLink Reference Documentation

            [4] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token

             

            Cheers.
            Pedro Igor
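Pedro's suggestion to call the IdentityManager bean directly, instead of the session-scoped Identity bean, can be made concrete. The following is an added example and is not code from this thread or from the PicketLink quickstarts: a JAX-RS 2.0 ContainerRequestFilter that validates HTTP Basic credentials against PicketLink IDM on every request, so no HttpSession is created and the Identity bean is never touched. It assumes a CDI-enabled JAX-RS container (such as WildFly, where RESTEasy injects into providers) and Java 8 for java.util.Base64; the class name StatelessBasicAuthFilter and the request-property name ACCOUNT_PROPERTY are my own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;

/**
 * Stateless authentication for a JAX-RS back end (added example, not PicketLink code).
 * Every request carries HTTP Basic credentials, which are validated directly against
 * PicketLink IDM. No HttpSession is created and the session-scoped Identity bean is unused.
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class StatelessBasicAuthFilter implements ContainerRequestFilter {

    /** Request-property name under which the validated account is exposed (assumed name). */
    public static final String ACCOUNT_PROPERTY = "picketlink.account";

    @Inject
    private IdentityManager identityManager; // request scoped, as Pedro notes later in the thread

    @Override
    public void filter(ContainerRequestContext request) {
        String header = request.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            abort(request);
            return;
        }

        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            abort(request);
            return;
        }

        int colon = decoded.indexOf(':');
        if (colon <= 0) { // no separator, or an empty user name
            abort(request);
            return;
        }
        String username = decoded.substring(0, colon);
        char[] password = decoded.substring(colon + 1).toCharArray();

        // Built-in PicketLink IDM credential type; validation happens per request, no session.
        UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(username, new Password(password));
        identityManager.validateCredentials(credentials);

        if (credentials.getStatus() != Credentials.Status.VALID) {
            abort(request); // INVALID, EXPIRED and any other non-VALID status all end here
            return;
        }

        // Hand the validated account to resource classes without creating a session.
        request.setProperty(ACCOUNT_PROPERTY, credentials.getValidatedAccount());
    }

    private static void abort(ContainerRequestContext request) {
        request.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\"")
                .build());
    }
}
```

Resource methods read the account back with `requestContext.getProperty(StatelessBasicAuthFilter.ACCOUNT_PROPERTY)`. Because the check runs on every call, every status other than VALID collapses to a 401; replacing Basic with a bearer token such as the JWT Pedro mentions changes only the header parsing and the Credentials type handed to validateCredentials. Sending the password on every request only makes sense over TLS.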

            • 3. Re: Picketlink public token restfull web service
              maxsap

              Hello Pedro,

               

              Thank you for your reply. I have seen the example and I am using it, in combination with an AuthenticationSelector, so I am examining the HTTP request and, if a token is set, I am using a different Authenticator to perform the validation.

              The problem with the example is that it doesn't really show (at least for a beginner like me) how exactly to use the IdentityManager to perform the authorization.

              So, for example, how do I bind the user to both the password and the token?

              My current approach is to set the token as an attribute bound to the user, and then I need the email and the token in order to authorize the user. Is this a valid approach? It feels redundant.

              Another thing in question is: even if I use the IdentityManager directly, isn't a new session created on every request?

               

              best,

               

              Maximos.

              • 4. Re: Re: Picketlink public token restfull web service
                pcraveiro

                Hi Maximos,

                 

                     First of all, we had some progress with PLINK-400, which means you'll be able to use a stateless version of the Identity bean. This RFE is targeted to 2.6.0.CR2, which will be released soon. But here are some answers:

                So for example how do I bind the user to both the password and the token?

                   

                     PicketLink IDM allows you to bind different credential types to a single user. To do that you just need to update the credentials for a specific user using these different types. Here is an example of how to update both a password and a custom token.

                 

                       import org.picketlink.idm.IdentityManager;
                       import org.picketlink.idm.credential.Password;
                       import org.picketlink.idm.model.basic.User;

                       void bindCredentials(IdentityManager identityManager, User user) {
                           // Token is your own credential type; it needs a registered CredentialHandler (see [2])
                           Token token = new Token("123");
                           identityManager.updateCredential(user, token); // update using your custom token credential type

                           Password password = new Password("maximos");
                           identityManager.updateCredential(user, password); // update using the built-in password credential type
                       }


                 

                     Please take a look at this code [2]. It is a good example of how to extend PicketLink IDM to support a custom credential type. This code is basically testing the configuration for custom credential types and handlers. For more details about how to store your custom credential types, please take a look at our documentation about the Credential Storage Interface. You may also look at the Two-Factor Authentication Quickstart [1]. There you are able to authenticate using either your username/password or TOTP.

                 

                My current approach is to set the token as an attribute bound to the user and then I need the email and the token in order to authorize the user, is this a valid approach because it feels redundant?

                     I would suggest that you extend PicketLink IDM to represent your token using a specific type. That way you don't need a custom Authenticator to support your token.

                 

                Also another thing in question is, even if I use directly the IdentityManager isn't a new session created on every request?

                     No, the Identity Manager is request scoped.


                    In a nutshell, I think PLINK-400 will make your life easier. I'll push some changes to PicketLink today. I'm very interested in your use case, so feel free to join us on freenode, in the #picketlink channel. There we can work together to get your use case working and write documentation for others with similar requirements. What do you say?

                 

                [1] jboss-picketlink-quickstarts/picketlink-authentication-two-factor at master · jboss-developer/jboss-picketlink-quickstar…

                [2] picketlink/modules/idm/tests/src/test/java/org/picketlink/test/idm/credential/CredentialHandlerConfigurationTestCase.jav…

                 

                Cheers.
                Pedro Igor
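Maximos also asked for tokens with a limited expiration time. PicketLink IDM's updateCredential has a four-argument overload that takes an effective date and an expiry date, and validateCredentials reports Credentials.Status.EXPIRED once that date has passed. The following is an added example and is not code from this thread or from PicketLink: it binds a password and a freshly generated random API token to one account, each with its own lifetime. It assumes the custom Token credential type from the reply above (with the Token(String) constructor used there) together with a registered CredentialHandler for it, as Pedro describes; validating the token side goes through that handler and is not shown. The class name CredentialProvisioning and the lifetimes are my own.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;

import javax.inject.Inject;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.Account;

/**
 * Binds two credentials to one account with separate, limited lifetimes (added example).
 * The password uses PicketLink's built-in type; the API token uses the custom Token type
 * from the reply above, which only works once a CredentialHandler for it is registered.
 */
public class CredentialProvisioning {

    private static final SecureRandom RANDOM = new SecureRandom();

    @Inject
    private IdentityManager identityManager; // request scoped; no HttpSession involved

    /** 256-bit random token, URL-safe so it can travel in a header or path parameter. */
    public static String newTokenValue() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Binds a password valid for passwordDays and a new token valid for tokenDays.
     * Returns the token value so it can be shown to the user exactly once.
     */
    public String provision(Account account, char[] password, int passwordDays, int tokenDays) {
        Date now = new Date();

        // Built-in type; the 4-argument overload sets the effective and expiry dates.
        identityManager.updateCredential(account, new Password(password), now, daysFrom(now, passwordDays));

        // Custom type from the reply above (assumed Token(String) constructor); same overload,
        // so the token stops validating on its own when tokenDays have passed.
        String tokenValue = newTokenValue();
        identityManager.updateCredential(account, new Token(tokenValue), now, daysFrom(now, tokenDays));

        return tokenValue;
    }

    /** Password check that lets the caller tell a wrong password from an expired one. */
    public Credentials.Status checkPassword(String loginName, char[] password) {
        UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(loginName, new Password(password));
        identityManager.validateCredentials(credentials);
        return credentials.getStatus(); // VALID, INVALID or EXPIRED, among others
    }

    private static Date daysFrom(Date start, int days) {
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(start);
        calendar.add(Calendar.DAY_OF_MONTH, days);
        return calendar.getTime();
    }
}
```

Calling updateCredential again for the same account and type replaces the current credential, which is how a token is rotated or revoked early. Whether the token is stored hashed or in clear depends entirely on the CredentialStorage your handler writes, so treat it like a password on the storage side.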

                • 5. Re: Picketlink public token restfull web service
                  pcraveiro

                  Hey Maximos,

                   

                      Here is an example of how to inject a stateless version of the Identity bean.

                   

                          https://github.com/picketlink/picketlink/blob/master/tests/src/test/java/org/picketlink/test/authentication/StatelessAuthenticationTestCase.java

                   

                      If you want to try it out, you can clone and build upstream/master.

                   

                  Thanks.

                  Pedro Igor

                  • 6. Re: Re: Picketlink public token restfull web service
                    maxsap

                    Hello Pedro,

                     

                    I have to say that in the past I had a really bad experience with JBoss support; you just changed that.

                    Of course I am interested. I was also planning to release something on GitHub for anyone who tries to accomplish the same functionality, so the fact that you are also willing to have some documentation about that is really cool.

                    So I guess I will see you on #picketlink.

                     

                    Cheers,

                     

                    Maximos.