How to use OpenID or OAuth for internal first-party authentication?

Richard picture Richard · May 10, 2013 · Viewed 8.8k times · Source

I am working on an internal authentication system for users of a set of of RESTful web applications. Our intention is that a user should be able to sign-on once via a web form and have appropriate access to all these RESTful applications in our domain, which may be distributed in a private cloud across many servers. (I understand already that having a single authenticated session is not aligned with a pure RESTful approach, but this is a usability requirement.)

The applications themselves will be written in a variety of programming languages so a language-neutral approach is required. It was suggested to me that we might use OpenID or OAuth or a similar framework to handle the authentication but my understanding is that these are intended for third-party services and not the first-party services that would share data on our internal system. In this case, we might have a central provider service with all the other applications treated as third parties (or relying parties).

Questions:

  1. Are OpenID/OAuth suitable for authentication among first-party services?
  2. If so, how would one be advised to set up authentication for this use case?
  3. Wouldn't a user have to grant individual permission to each first-party server that they wanted to use, just as they would need to grant individual permission to any third-party server? I think this would violate the requirement of having a single sign-on for accessing all the first-party services.
  4. Are there good examples of sites supporting this first-party use case?
  5. What would be a good alternative framework for this first-party use case?

Answer

divyanshm picture divyanshm · May 11, 2013

You do not need OAuth for SSO services.

The primary use/advantage of OAuth is, as you know already, granting access to a 3rd party app to access/use your resource in a controlled manner.

Rather than having an authentication/authorization server that you would need for OAuth, why not use a single log in service across all your APIs. An OAuth access token is totally different from what you need.

As far as I understand, what you can have is something like OAuth in a way that your server vends out tokens to the app. (I'm assuming that it's a totally internal system, so tokens cannot be misused).

So basically what I'm proposing is:

  1. When an app tries to access the first API it's redirected to a web-form.
  2. The user enters credentials and is taken to the DB for verification. Let there be a service that generates a token for the user/app
  3. Next API access request would be made with that token - the token uniquely identifies the app
  4. Depending on the level of security you need you can sign some text using HMAC and send it as token, or if its totally internal just generate a unique identifier for the app/user and send it to other API
  5. On receiving the token, each service first calls the main server with the token and internally fetches the corresponding customer/user ID and performs the required function.

In short separate the login + token generation + token verification into a different module. All APIs should use this module for login/token verification.

What I have proposed here works like OAuth but all security aspects have been stripped down since you want to use it in a private cloud.