Disclaimer: I work for Auth0 (now Okta)
On 7/3/22 9:40 AM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
> It seems any kind of dual auth will need a security app running on YOUR server saving tokens, logins etc etc
Not necessarily. With Auth0, the IDP runs on Auth0's server. You are responsible for storing ID tokens, access tokens, and refresh tokens in your app. There are ways of doing this fairly securely, even with desktop apps or mobile devices, where you don't have a secure backend.
> this is what led to microsoft, gmail etc having their own api which will only work for them
If I understand this correctly, Google et al provide an MFA API for apps that want to handle auth themselves, instead of going the OIDC/OAuth2/SAML route. They also provide standards-based protocols, like OIDC.
That's what I was hinting at above - adopting OIDC makes things easier than trying to bolt on security (via some MFA API).
> this is also (mainly because of https authing the device) what makes it hard to proxy oauth2 etc
This is definitely a pain point. You can either open up a browser from the device, or on constrained devices, use device flow (display a URL, user visits that URL on their laptop, device grabs confirmation from the IDP that they did). Neither one is completely elegant, but opening a browser on a mobile device is far less intrusive than you might think.
> 5.7. Authenticating using C.A.S. ...
> basically the reality is every server will have its own token base etc thus preventing any kind of a standard.
I'm not familiar with C.A.S. I don't have any clients that I know of using it, so I can't comment on it. But the JWT token spec is now common, and is a standard. Also the SAML spec. I see more OIDC, but also a lot of SAML.
Happy IAM Sunday to you too!
j
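The device flow sketched in the reply above, as an added example that is not part of the thread and not Auth0's code: an offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) with both the device side and a stand-in IDP. The IDP, the clock and the URL https://idp.example/activate are assumptions made for the simulation.

```python
# Added example, not the thread's or Auth0's code: offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).
import secrets
class FakeClock:  # controllable time so the device's polling sleeps run instantly
    def __init__(self): self.now = 0
    def sleep(self, seconds): self.now += seconds

class FakeIdp:  # stand-in for the IDP's device-code and token endpoints
    def __init__(self, interval=5, lifetime=600):
        self.interval, self.lifetime, self.pending = interval, lifetime, {}

    def device_authorization(self, now):
        """POST /device/code: returns a secret device_code plus a short user_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {"user_code": user_code, "approved": False,
                                     "expires": now + self.lifetime, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": "https://idp.example/activate"}  # placeholder URL

    def user_approves(self, user_code):
        """Laptop side: the user logs in (MFA included) and types the code the device showed."""
        hits = [e for e in self.pending.values() if e["user_code"] == user_code]
        for e in hits: e["approved"] = True
        return bool(hits)

    def token(self, device_code, now):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        entry = self.pending.get(device_code)
        if entry is None or now > entry["expires"]:
            return {"error": "expired_token"}
        too_fast = entry["last_poll"] is not None and now - entry["last_poll"] < self.interval
        entry["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}  # RFC 8628 s5.2: client must add 5s to its interval
        if not entry["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use: the device_code is consumed
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

def device_login(idp, clock, user):
    """Device side: show the code, poll at the server-dictated rate until approval or expiry."""
    auth = idp.device_authorization(clock.now)
    interval = auth["interval"]
    while True:
        user(auth["verification_uri"], auth["user_code"], clock.now)  # simulated person at laptop
        resp = idp.token(auth["device_code"], clock.now)
        if "access_token" in resp or resp["error"] not in ("slow_down", "authorization_pending"):
            return resp
        interval += 5 if resp["error"] == "slow_down" else 0
        clock.sleep(interval)  # stand-in for time.sleep(interval)
```

The device never sees the user's password or MFA response; it only learns that the IDP confirmed the user_code, which is the point of the flow on constrained devices.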