What is the reason we need OIDC application for Token Authentication etc ?

 
tangara goh
Ranch Hand
Posts: 570
Hi Expert,

Till now, I am still struggling with implementing JWT in my web App

Some people advise me just to use Spring Boot Security, but I need advice on whether it is possible just to use the Spring Security module to integrate into a servlet and JSP web app.


And then there is the part where, after verifying the username and password, we need to generate a token and then pass it to the user. Why can't we just pass it to the user by email and verify from there?

And then this article mentioned that :

https://developer.okta.com/blog/2018/10/16/token-auth-for-java

Configure Your Okta OIDC Application for Token Authentication in Java, so why would we need Okta OIDC in this case?

Hope someone can kindly explain all the above to me.

Thanks a lot
 
Stephan van Hulst
Saloon Keeper
Posts: 10783

tangara goh wrote:And then there is the part where, after verifying the username and password, we need to generate a token and then pass it to the user. Why can't we just pass it to the user by email and verify from there?


What do you mean by this? You won't be verifying anything. That's the job of the authorization server. Are you implementing an authorization server or a web application? And why would you want to send a token by e-mail?

tangara goh wrote:so why would we need Okta OIDC in this case?


You would use OpenID Connect if you don't just want to do things on the resource server on behalf of the user, but you want to retrieve the identity of the user (name, e-mail, maybe a birth date or profile picture) and use that in your web application.
 
tangara goh
Ranch Hand
Posts: 570


Hi Stephan,

I read through some other articles about using JJWT, specifically the one by Okta's Hazlewood, and there is a GitHub repository which contains all the code.

Now, Okta also provides all sorts of authorisation and authentication according to their website: https://developer.okta.com/

My question is why we would need to use Okta or an OpenID provider, since we can use the JJWT library to do all the token verification ourselves, etc.

 
Stephan van Hulst
Saloon Keeper
Posts: 10783
JJWT implements several standards that have to do with sending signed or encrypted information over the web using JSON data structures. It is not a full OAuth2 implementation, although it can be used to implement OAuth2.

Okta implements OAuth2 (maybe even using JJWT, who knows?).

OpenID Connect is a standard built on top of OAuth2, it is NOT software. Okta also implements OpenID Connect.

So, if you want to use OAuth2 in your application, use a framework that implements it, maybe Okta, maybe something else.

If you want to use JWT for something other than OAuth2, you could use JJWT, if there is not another framework that's more appropriate for your use case.

Use an OIDC implementation when you not only want to log in to your application, but you also want to use a user's personal information in your application.
 
tangara goh
Ranch Hand
Posts: 570


Hi Stephan,

I am quite confused about your reply.

My use case is just allowing certain users to have access to a few REST endpoints (but I will start with one first).


So, should I create my own authentication using JJWT or jose4j, or should I just use an OpenID server - https://connect2id.com/products/server - or OAuth2 (I know they have a free tier), register an account and let them do the authentication before forwarding to the endpoints?

What is the safest?
 
Stephan van Hulst
Saloon Keeper
Posts: 10783
Once again, OpenID Connect is for authenticating a user, not for authorizing them to use your endpoints. It's only appropriate to use when your application uses a user's name, birthday, profile picture or other personal information.

JWT is for sending tokens across the web and verifying them. It doesn't say anything about what the tokens are used for.

OAuth2 is for authorizing a web application client to perform actions on behalf of the user, without the user having to share their credentials with the web application. It doesn't say anything about how the information between the authorization server, the client and the web application server is exchanged. This is what JWT may be used for.

I can't tell you what's appropriate to use if you don't tell us what your requirements are.

  • Does your web application store user credentials, such as a user name and password hash?
  • Do you want to authenticate a user through a third party identity provider, such as Facebook or Google?
  • Do you want clients written by a third party to be able to call your REST API?
  • Do you want a user to be able to log out?

tangara goh
Ranch Hand
Posts: 570

Stephan van Hulst wrote:
I can't tell you what's appropriate to use if you don't tell us what your requirements are.

  • Does your web application store user credentials, such as a user name and password hash?

I would be storing the username and password in the database, that is, the username and the hashed password. Is this good enough?

  • Do you want to authenticate a user through a third party identity provider, such as Facebook or Google?

I do not want to use Facebook or Google unless it is easy for me to implement.

  • Do you want clients written by a third party to be able to call your REST API?

Yes. I would like to have this feature.

  • Do you want a user to be able to log out?

Isn't it better for them to be able to log out? If I let users log in, is it safe not to let them log out?
     
Stephan van Hulst
Saloon Keeper
Posts: 10783
Depends on how long the tokens are valid. If the lifetime of the tokens is shorter than the duration of a typical user session, they will automatically be logged out once they stop using the application for long enough.

Letting a user log out themselves is a technically more involved operation, because you need an authorization server to invalidate access tokens. This means you cannot just verify your own tokens using JJWT.
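The two points above, a short token lifetime giving an automatic logout while an explicit logout needs issuer-side state, as an added stand-alone Python sketch (not code from the thread, not JJWT, and not Okta's; the secret, claim values and the in-memory revocation set are constructed for the demo):

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed demo secret; a real app loads it from configuration, never source.
SECRET = b"demo-secret-do-not-use-in-production"
# Issuer-side state. Signature and expiry checks are stateless; revocation is not,
# which is why a token verified only with JJWT cannot be "logged out" by itself.
REVOKED_JTI = set()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def seg(obj: dict) -> str:  # one base64url-encoded JSON segment
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_token(subject: str, ttl_seconds: int, now: int = None) -> str:
    """Mint an HS256 JWT once the user's password has already been checked."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    signing_input = seg({"alg": "HS256", "typ": "JWT"}) + "." + seg(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token: str, now: int = None) -> tuple:
    """Return ("ok", claims) or (reason, None); stateless checks first, revocation last."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = dict(json.loads(unb64url(h))), dict(json.loads(unb64url(p))), unb64url(s)
    except (ValueError, TypeError):  # wrong segment count, bad base64 or bad JSON
        return ("malformed", None)
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        return ("unexpected alg", None)
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return ("bad signature", None)
    if now >= claims.get("exp", 0):  # a short lifetime is the "automatic logout" above
        return ("expired", None)
    if claims.get("jti") in REVOKED_JTI:
        return ("revoked", None)
    return ("ok", claims)

def logout(token: str, now: int = None) -> bool:
    """Explicit logout: the issuer records the token id so later checks reject it."""
    status, claims = verify_token(token, now)
    if status == "ok":
        REVOKED_JTI.add(claims["jti"])
    return status == "ok"
```

The revocation set is what a plain resource server holding only the signing key does not have; in a real deployment it lives with the authorization server Stephan mentions.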
     