DSP as an OAUTH2/SAML provider


#1

Is it part of the roadmap to have the DSP also function as an OAuth2/SAML provider?

Given that we have multiple applications authenticated by DSP, when working with frameworks like Meteor and such, user account synchronization is standardized around OAuth.

We’d have a lot of traction and create greater interoperability between apps (public-facing ones) if we could get people to use a single login across applications, similar to OAuth.


#2

Hey Ashwin,

Can you clarify your requirement a bit with a simple example, say with two apps and one user logging in with SSO? What would the ideal implementation look like?

Thanks,
Ben


#3

Sure. We are currently using DSP as a core platform for creating a suite of apps for use by our group of users (curated, not open registration). We also want to create public-facing sites where registration does not necessarily mean registration with our core DSP platform. At the same time we want to allow users of our DSP platform to easily port their login credentials from DSP into the new site, so that we can offer some “special” privileges for them.

To try to explain this better, we have 2 platforms, A and B. A is a DSP, and B isn’t. B allows anyone to register, while A is a curated membership. We want to allow users from A to log into users of B using OAuth privileges, similar to how we can use Google/Facebook/Twitter to log into 3rd-party sites.

What I’m hoping is for a way to have DSP function like a simpler form of OneLogin (https://www.onelogin.com/).


#5

Just re-reading through some of the DSP docs and blog entries, I came across this article: http://blog.dreamfactory.com/blog/bid/341114/OAuth-Tutorial-Part-Two

So, DSP can forward OAuth2 requests to external providers. The question is: can it function as an OAuth provider on its own, using its internal user access authentication details?


#6

Hey Ashwin, sorry for the delay. This capability will ship in version 2.0 early next year.


#7

Hi Ben, have you guys made any progress on DF acting as a SAML provider?


#8

Hi Martin, SAML support didn’t make it into the 2.0 release. We had to focus on OAuth, LDAP, and Active Directory first.

Can you explain your use case with SAML?

Thanks,
Ben


#9

Hi Ben, sorry, I was typing in a hurry; I meant OAuth server.
So, a setup where DSP acts as an OAuth provider for 3rd-party web applications (for example www.zendesk.com) and for a custom application built on top of DSP, where DSP then provides the place where all customer registrations take place and manages their subscription to other proprietary and 3rd-party services.

Similar to what IDaaS services like Okta provide?


#10

Version 2.0 lets you easily add a third-party OAuth provider to authenticate into DreamFactory. For example, you can create a Twitter app, set up all the OAuth config in Twitter, and then have end users authenticate into an app you build on DreamFactory using their Twitter creds.

DreamFactory 2.0 itself provides authentication with JSON web tokens (JWT), but is not itself a native OAuth provider for other services. We are looking into that use case in a later release.


#11

Does this mean 2.0 will support API-key-type access control for mobile devices, as we see used in mobile apps running under multi-tenanted SaaS providers? Because I cannot see any way to set that up currently for developer clients who wish to use my DSP as a service in their own mobile apps. I need to constrain and secure their access to the API without requiring logins and passwords.


#12

Yes, that’s correct. In 2.0 an “app” is really an API key and you can give that API key directly to developer clients without requiring logins and passwords.


#13

And can these API keys be generated programmatically? My use case looks like this:

A developer sets up an account in my DSP application, I generate an API key or token of some sort for their app, they add this to the code they are putting in their mobile app, and that key is used during calls to my DSP application to associate the calls securely with that developer and mobile app, without the end user having to do anything.


#14

Yes, 2.0 will support your use case.

To be clear, each API key is not tied to a developer per se, the key is generated for the particular app which has a role granting permissions. You can give this key to the person (or people) building the particular app to associate the runtime calls securely with the mobile app, and the end user doesn’t need to know or do anything. This is basically like Parse, if you’re familiar with that product.


#15

Thanks, that sounds ideal; I can’t wait to get it up and running.

Just clarifying here: you say each API key is not tied to a developer per se. Does that mean there is one API key for my DSP application that gets passed out to all my users, or do I generate a unique key or token for each new iOS or Android app that my users/developers want to connect to my DSP? I haven’t used Parse, but I imagine they work similarly to, say, Flurry or Crashlytics, which automatically generate a unique token that gets incorporated into the developer’s own code on the mobile device and is passed back to the server. I’m sorry if this sounds confused; this aspect is new to me.

I have a Bitnami install of DreamFactory on AWS. My application is not in production yet, so I can use the 2.0 beta; is it going to be a monster job to update that to 2.0 when it comes out?


#16

You’ll generate a unique token for each new iOS or Android app that your users/developers want to connect to your DSP.

As long as you’re currently on a 1.9.x release, the upgrade to 2.0 won’t be a big deal. We’ll have migration scripts and instructions and our support team can assist if you hit any snags.
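
As an added illustration of the per-app API key model described in this thread (example code, not DreamFactory’s own implementation): each app gets its own generated key, the server keeps only a hash of it, and every call is resolved from key to app to role before a verb on a service is allowed. The app names, role names, service names and in-memory registry are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory registry: app name -> {"key_hash": ..., "role": ...}.
APPS = {}

# Constructed role map: role name -> {service: set of permitted HTTP verbs}.
ROLES = {
    "ios_readonly": {"db": {"GET"}},
    "android_full": {"db": {"GET", "POST", "PATCH", "DELETE"}, "files": {"GET"}},
}


def _hash_key(api_key: str) -> str:
    # Only the hash is stored, so a leaked registry does not leak usable keys.
    return hashlib.sha256(api_key.encode()).hexdigest()


def register_app(name: str, role: str) -> str:
    """Generate a unique API key for one app, bind it to a role, return the key once."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    api_key = secrets.token_urlsafe(32)  # 256 bits of randomness per app
    APPS[name] = {"key_hash": _hash_key(api_key), "role": role}
    return api_key


def resolve_app(api_key: str):
    """Return the name of the app presenting this key, or None if the key is unknown."""
    presented = _hash_key(api_key)
    for name, record in APPS.items():
        # Constant-time comparison avoids leaking how many hex digits matched.
        if hmac.compare_digest(record["key_hash"], presented):
            return name
    return None


def authorize(api_key: str, service: str, verb: str) -> bool:
    """True only if the key maps to an app whose role grants this verb on this service."""
    name = resolve_app(api_key)
    if name is None:
        return False  # unknown or revoked key: deny before any role lookup
    permissions = ROLES[APPS[name]["role"]]
    return verb in permissions.get(service, set())
```

Because the key identifies the app rather than the end user, it authorizes only what the app’s role allows; a key revoked by deleting its registry entry fails `resolve_app` and is denied on the next call.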


#17

Hi,

I’m new to DSP and have been reading the forums / authentication documentation. However, I still require some help.

I’m in the process of building a hybrid app and, looking at the available authentication methods, I’m concerned about security. Namely, authentication credentials being stored in JavaScript and then exposed over the wire; even though all communication is via SSL, the risk is still relevant.

I was hoping to be able to authenticate with DSP using OAuth2. Is this possible? Or are there any secure methods you can recommend?

Any help would be much appreciated.


#18

OAuth2 support is around the corner in version 2.0 of DreamFactory. We expect to deliver a public beta on GitHub in July, almost there.


#19

Thanks Ben, looking forward to the beta release