PHP + ADFS for SSO (via OAuth) - How to setup ADFS?


Problem description



I'm trying to use ADFS for SSO on a project. The project is on PHP and I'm trying to use OAuth for this.

So what are the steps for setting up ADFS to work with OAuth2? I have no idea about ADFS and can't get any direct guide on OAuth2 settings there.

Thanks a lot.

Solution

I see that the question is quite old. But in case other people get here, I have some answers which should be good for March 2019.

Let me start with a general overview.

SSO

SSO could be done with personal Google, Facebook, GitHub, Twitter, or Microsoft accounts. After logging in to your account, you can log in to other systems (e.g. WordPress or any other) without a password (if those other systems are integrated with that Identity Provider) and you give the consent (see picture below).

There are services whose main focus is to provide Identity Provider / SSO capabilities (e.g. Okta, Auth0, Google Cloud Identity, Azure Active Directory, AWS IAM).

In the corporate network, the user could be silently signed in based on the AD account without entering credentials, via ADFS.

Actually, ADFS supports different authentication protocols like SAML, WS-Fed, and OAuth. But nowadays services usually implement OpenID Connect, which works on top of the OAuth 2.0 protocol.

OpenID Connect flows

There are a number of authentication flows that OpenID Connect defines. The most preferable ones are:

1. Authorization Code Flow with PKCE (single-page applications, native applications)

If you are using oidc-client-js, you should use response_type=code to use PKCE.

Public native app clients MUST implement the Proof Key for Code Exchange (PKCE, RFC 7636)

https://tools.ietf.org/html/rfc8252#section-6

Note: although PKCE so far was recommended as a mechanism to protect native apps, this advice applies to all kinds of OAuth clients, including web applications.

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1.1

2. Implicit flow is considered not recommended:

Clients SHOULD NOT use the implicit grant and any other response type causing the authorization server to issue an access token in the authorization response

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09

3. Client credentials flow. For service-to-service communication.

How to configure ADFS?

You can find quite detailed documentation with illustrations for the "Native app scenario" at Microsoft Docs: Native client with ADFS.

If you are not using ADFS, you can play with the PKCE flow setup in the playground.

JavaScript frontend

Never store client secrets in public applications like JS frontends or mobile apps. It's not applicable to the PKCE flow, but just in case.

If you have a modern SPA application (e.g. Angular or React), it means that the frontend should have only the client_id to enable the end user to obtain the JWT access_token in a browser via ADFS. You don't need any client_secret.

oidc-client-js could help you with that. Make sure that the code_verifier is being sent along with the token request (it means that you are using the more secure PKCE flow).

PHP backend

And on the PHP side you'll need to validate the access token. You can implement the workflow on your own according to that article. But it's better to use an OpenID-certified library, which you can find on this page (not only for PHP): https://openid.net/developers/certified/

So, for PHP there is only one: phpOIDC.

Authentication

OAuth 2.0 can help you only with authentication (to identify the user's identity).

Most probably you would like to have different permissions for different users. And the OpenID Connect implementation in ADFS provides you the ability to map AD groups to token claims. Therefore, you can decode the JWT access token on the backend and implement claims-based authorization.

To use JWT claims, be sure to properly validate the authenticity of the token and issuer:

• Validate the JWT signature using the public key
• Check the issuer claim for the proper issuer (Identity Provider)
• Check aud (audience) for the proper client ID
• Check exp (expiration timestamp)
• Check claims
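The five checks above, as an added PHP example that is not part of the original answer: it pins the algorithm to RS256, verifies the signature with openssl_verify, checks issuer, audience and expiry, then maps AD group claims to application roles. The issuer URL, client ID, group claim name and role map are assumed placeholders, and the token is signed with a freshly generated key standing in for ADFS so the script runs offline; in production the key comes from the ADFS JWKS endpoint and a certified library is preferable.

```php
<?php
// Added example (not from the original answer): validate an ADFS-style RS256 JWT in PHP
// and derive permissions from a group claim. Issuer, audience, claim name and role map
// are assumed placeholders; the signing key is generated here in place of ADFS.
declare(strict_types=1);

function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true) ?: '';
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

/** Returns the validated claims, or throws on any failed check. */
function validate_adfs_jwt(string $jwt, string $publicKeyPem, string $issuer, string $audience, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($header) || !is_array($claims)) throw new RuntimeException('bad JSON');
    // 1. Signature: pin the expected algorithm; never let the token's "alg" pick "none" or HS256.
    if (($header['alg'] ?? '') !== 'RS256') throw new RuntimeException('unexpected alg');
    $ok = openssl_verify("$h.$p", b64url_decode($s), $publicKeyPem, OPENSSL_ALGO_SHA256);
    if ($ok !== 1) throw new RuntimeException('signature invalid');
    // 2. Issuer, 3. audience (aud may be a string or an array), 4. expiry with 60 s clock skew.
    if (($claims['iss'] ?? null) !== $issuer) throw new RuntimeException('wrong issuer');
    $aud = (array)($claims['aud'] ?? []);
    if (!in_array($audience, $aud, true)) throw new RuntimeException('wrong audience');
    if (!isset($claims['exp']) || $claims['exp'] < $now - 60) throw new RuntimeException('token expired');
    return $claims;
}

/** 5. Claims-based authorization: map AD group claims to application roles (unknown groups ignored). */
function roles_from_groups(array $claims, array $groupRoleMap): array {
    $groups = (array)($claims['groups'] ?? []);  // claim name depends on the ADFS claim rule (assumed "groups")
    return array_values(array_unique(array_intersect_key($groupRoleMap, array_flip($groups))));
}

// Demo: a constructed token signed by a throwaway key that stands in for ADFS.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$iss = 'https://fs.example.com/adfs';  // assumed issuer value; take the real one from ADFS discovery
$payload = ['iss' => $iss, 'aud' => 'my-spa-client-id', 'exp' => time() + 600, 'sub' => 'alice', 'groups' => ['ADMINS']];
$signingInput = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.' . b64url_encode(json_encode($payload));
openssl_sign($signingInput, $sig, $key, OPENSSL_ALGO_SHA256);
$token = $signingInput . '.' . b64url_encode($sig);
$claims = validate_adfs_jwt($token, $pub, $iss, 'my-spa-client-id', time());
print_r(roles_from_groups($claims, ['ADMINS' => 'admin', 'STAFF' => 'editor']));
```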
