Simultaneous authentication through both redirect and API

kubitre · May 18, 2020, 6:11pm

Hello everyone!

I was faced with the need to somehow authenticate users not only through the redirect mechanism, but also using the API (primarily needed for testing). Maybe you can tell how to implement this similar scheme.

hackerman · May 18, 2020, 7:44pm

Not sure how that would work? Currently, OAuth2 is the only mechanism to get access tokens.

kubitre · May 19, 2020, 6:36am

I mean that users can authenticate by Oauth2, testers and developers can be authenticate by API (will go through the same stage of checks, only without a redirect to the frontend with form login )

kubitre · May 19, 2020, 6:38am

the problem is that you need two ways for authentication, roughly speaking, through Postman and through the Web
If i settinng up that authenticate will be as first redirect into frontend (with form login) that not working for Postman,

kubitre · May 19, 2020, 6:46am

I have stack ory hydra, ory oathkeeper. I write self provider auth, with implement login-consent flow. But, frontend page with auth form placed in another app with main frontend. I think my flow not working, because need implement login page in provider auth where i can understand how i can authenticate and in this case i will have only one needed redirect to oidc =)

kubitre · May 19, 2020, 6:47am

maybe u can get me best practice for this case?

hackerman · May 19, 2020, 12:44pm

You can only use OAuth2 with Hydra, it does not implement any bespoke/closed source flows. Postman does support OAuth2 iirc. You can not disable the redirection in OAuth2!

kubitre · May 19, 2020, 1:08pm

yes, but if redirects will be preparing in oidc provider which i writed, i can create flow for authenticate from POSTMAN and any other programms like postman. That’s no mean that i broke oath2 redirects, i decide using auth from postman like:

Get auth link in public api hydra with client_id, response_type and redirect_url
Get request to this link (redirected into openid provider where i can get login_challenge_
POST request with coockie oauth_… and login_challenge to oidc provider with credentials (process for auth_
After post request hydra redirect to callback address, which can get by code auth access token which i responsed to requested client. This is backend-side auth with oauth

SimonWangJY · May 24, 2020, 6:03am

Hi Kubitre,

I have a similar issue, did you find a way to solve this problem?

i’m wondering how you create the coockie oauth2_consent_csrf and oauth2_authentication_csrf because i added these coockies by myself in client side but always encounter the issue “ The CSRF value from the token does not match the CSRF value from the data store ”. i presume hydra store the coockie value somewhere so it works fine with browser . Do you have any idea or could you please share some of your experience :)? Thank you!

kubitre · May 24, 2020, 1:57pm

Hi SimonWangJY,

I solve this problem by added some logic in my login-consent provider. If request call by browser it works by redirects into my login-consen provider.

In my case it works for browser by:

hydra will REDIRECT to my login-consent provider. And additional hydra enter some cookies for authenticate.
In this case in browser exist some cookies for authenticate operation. User enter credentials and send to login-consent provider. (in my case it’s POST ajax request with Cookies which setting up from cookies storage into request HEADERS)
Login consent provider authenticate or rejected user in hydra (check that user exist in system). if user exist, login-consent accept request in hydra and user will redirect to CALLBACK url, which is the my login=consent provider.
After alll, login-consent provider getting from hydra access token and other info by code in callback request from hydra

Case for POSTMAN like authenticate:

User go to hydra by GET request. Hydra will redirect to login-consent and this request will setting up cookies (csrf tokens) into cookies storage
User transimite to login-consent user credentials. And also, user transmite in request csrf tokens from cookies storage.
Login-consent authenticate or rejected request. After all accept or reject request in hydra by REST API.
Hydra redirect request into CALLBACK which is my login-consent
Login-consent getting information and tokens from hydra and response to client which call this request.

kubitre · May 24, 2020, 2:01pm

Solution for working with POSTMAN and anything else http clients IT’S only for DEVELOP MODE. This case not used for real production in my company.

SimonWangJY · May 24, 2020, 5:05pm

thank you very much for your information and it inspires me a lot. Because in our project we wish to get the token from an api by user credential for develop mode, this is what i did:

use one api call to get the challenge ID and csrf token from cookie. if user credential is valid then it will return the challenge ID and oauth2_authentication_csrf cookie
the second api will accept the login request and also add the csrf token into header so it can redirect to the consent provider and in the end get the required token.

The reason i separate two apis is because i cannot pass the login credential like user name and password to the login provider without open the browser. Cheers