
I have the following requirements for the system:

  1. My admins authenticate on client servers
  2. Over HTTP
  3. Central authorization server

My solution is based on OAuth:

  1. user is redirected to the authentication server to check his credentials (certificate / password); the server saves an auth-token in the db with a timestamp and userId
  2. server redirects the user back to the client with the auth-token in the URL
  3. client connects to the server over HTTPS, passing the auth-token, its secret and id
  4. server checks if the client credentials are ok, and if it has a non-expired auth-token in the db (the auth-token is removed then)
  5. if so, it takes the user claims and passes them back to the client server
  6. client server then uses a cookie to auth the user

Is it a good idea? Maybe something like this is already available (I'm using C# MVC)?

Is passing the auth-token through HTTP a huge risk?

user83288
  • This looks like an SSO solution, so I'd take a look at http://openid.net/; no need to reinvent the wheel here. – David Zech Aug 12 '15 at 16:19

1 Answer


This isn't a good idea. Using OAuth 2.0 or OAuth 2.0-ish protocols for authentication isn't correct. OAuth 2.0 was designed as an authorization protocol. Using OAuth 2.0 as an authentication protocol carries a handful of security implications. OpenID Connect was developed to fix these deficiencies in OAuth 2.0 so that OAuth 2.0 can be used for authentication. The OpenID Connect foundation recommends using https://github.com/IdentityServer/IdentityServer3 for OpenID Connect in C#.

Additionally, if you do end up implementing your solution, passing the auth token using HTTP and not HTTPS is a big security risk. If an attacker can intercept the token in transmission while the server is redirecting the user back to the client, the attacker can use the token to authenticate as the user without needing the user's password. Every part of an OAuth 2.0 flow needs to happen over HTTPS.

Justin Moore
  • "Using OAuth 2.0 as an authentication protocol carries a handful of security implications" - what are (a few of) these implications, exactly? – mfsiega Aug 12 '15 at 21:25
  • http://oauth.net/articles/authentication/ is the most comprehensive article on why OAuth 2.0 is bad for authentication. – Justin Moore Aug 13 '15 at 02:37
  • @Justin Moore What is a good place to learn about OpenID Connect and how to configure IdentityServer properly? Also, it feels like a cannon used to hunt a fly, because I don't need things like the user granting permission for a site. My server administrator should assign permissions, not the user himself. – user83288 Aug 13 '15 at 15:12
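The exchange the question describes (redirect with a one-time token, back-channel redemption with a client secret, cookie on the client) is the shape of the OAuth 2.0 authorization-code flow, and the answer's warning about an intercepted token is easiest to see by simulating both sides. The block below is an added example, not code from the asker or the answerer, and it is Python rather than C# MVC so it can run stand-alone. Assumptions: in-memory dicts stand in for the authorization server's database and the client's session store, codes live for one minute, claims are constructed, and TLS is not modelled (sniffing the HTTP redirect is represented by simply handing the attacker the values from the callback URL). The `state` value bound to the browser session, taken from the OAuth 2.0 authorization-code flow, is not part of the question's design; `bind_state=False` models that design as posted.

```python
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 60   # assumption: a code is redeemable for one minute


class AuthServer:
    """Central server (steps 1, 2, 4, 5): authenticates users, issues codes."""

    def __init__(self, clients):
        self._clients = clients   # {client_id: client_secret}, constructed
        self._codes = {}          # code -> (user_id, client_id, issued_at)

    def issue_code(self, user_id, client_id, now=None):
        """After the user has proven identity, mint a random one-time code
        bound to the requesting client; it rides back in the redirect URL."""
        if client_id not in self._clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user_id, client_id, now or time.time())
        return code

    def exchange(self, code, client_id, client_secret, now=None):
        """Back-channel redemption over HTTPS: returns claims or None."""
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        record = self._codes.pop(code, None)    # consumed on first attempt
        if record is None:
            return None
        user_id, bound_client, issued_at = record
        if bound_client != client_id:
            return None                          # issued to a different client
        if (now or time.time()) - issued_at > CODE_LIFETIME_SECONDS:
            return None
        return {"sub": user_id, "role": "admin"}  # constructed claims


class ClientApp:
    """Client server (steps 3, 6). With bind_state=True each login is tied
    to the browser session by a random `state` kept against the cookie."""

    def __init__(self, client_id, client_secret, auth_server, bind_state=True):
        self.client_id, self._secret, self._auth = client_id, client_secret, auth_server
        self.bind_state = bind_state
        self._pending = {}   # session cookie -> expected state
        self.sessions = {}   # session cookie -> claims of the logged-in user

    def start_login(self):
        """Set a session cookie and send `state` along in the redirect."""
        cookie, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[cookie] = state
        return cookie, state

    def callback(self, session_cookie, code, state):
        """Handle the redirect back; True if this browser is now logged in."""
        if self.bind_state:
            expected = self._pending.pop(session_cookie, None)
            if expected is None or not hmac.compare_digest(expected, state):
                return False
        claims = self._auth.exchange(code, self.client_id, self._secret)
        if claims is None:
            return False
        self.sessions[session_cookie] = claims
        return True


def run_scenarios():
    """Exercise the flow; returns a dict of outcomes for inspection."""
    auth = AuthServer({"client-a": "s3cret-a", "client-b": "s3cret-b"})
    app = ClientApp("client-a", "s3cret-a", auth)
    naive = ClientApp("client-a", "s3cret-a", auth, bind_state=False)
    r = {}
    # 1. Legitimate login, then a replay of the same callback URL.
    cookie, state = app.start_login()
    code = auth.issue_code("alice", "client-a")
    r["login_ok"] = app.callback(cookie, code, state)
    r["claims"] = app.sessions.get(cookie)
    r["replay_ok"] = app.callback(cookie, code, state)
    # 2. Attacker sniffed code+state from the plain-HTTP redirect and opens
    #    the URL in their own browser (different cookie) before the victim.
    cookie, state = app.start_login()
    code = auth.issue_code("alice", "client-a")
    attacker_cookie = secrets.token_urlsafe(16)
    r["hijack_bound"] = app.callback(attacker_cookie, code, state)
    # 3. Same attack against the question's design: no session binding, so
    #    the client redeems the code and logs the attacker in as alice.
    cookie, state = naive.start_login()
    code = auth.issue_code("alice", "client-a")
    r["hijack_naive"] = naive.callback(attacker_cookie, code, state)
    r["hijack_naive_user"] = naive.sessions.get(attacker_cookie, {}).get("sub")
    # 4. Back-channel checks: wrong secret, wrong client, expired code.
    code = auth.issue_code("alice", "client-a")
    r["bad_secret"] = auth.exchange(code, "client-a", "wrong")
    r["other_client"] = auth.exchange(code, "client-b", "s3cret-b")
    issued = time.time()
    code = auth.issue_code("alice", "client-a", now=issued)
    r["expired"] = auth.exchange(code, "client-a", "s3cret-a",
                                 now=issued + CODE_LIFETIME_SECONDS + 1)
    return r
```

Scenario 3 is the failure the answer describes: the client secret protects the back channel, but a token that travelled over HTTP can be handed to the client by whoever captured it, and the client will happily redeem it. Single use and a short lifetime only narrow the window; the session-bound `state` check in scenario 2 is what makes the captured URL useless in another browser, and HTTPS on the redirect is what keeps it from being captured at all. OpenID Connect adds further bindings (an ID token with a nonce, among others) on top of this, which is why the answer points there instead of a hand-rolled flow.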