Integrating your own users with WOW (for partners)

WOW is built on current Microsoft technologies and benefits from their broad support for industry standards. Two of these standards are OAuth 2.0 and OpenID Connect. Both are widely used to integrate third-party authentication providers into applications, and WOW uses them to integrate with Facebook, Google, Twitter and MetOffice WAVE.

This article explains to our partners how they can integrate their own existing user databases with WOW.

What is OAuth?

The best description for OAuth is on its Wikipedia page:

OAuth is an open standard for authorization, commonly used as a way for Internet users to authorize websites or applications to access their information on other websites but without giving them the passwords. This mechanism is used by companies such as Google, Facebook, Microsoft and Twitter to permit the users to share information about their accounts with third party applications or websites.

Generally, OAuth provides to clients a "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.

OAuth is one of the current industry standards for integrating third-party login providers, and it defines several grant types (flows) to cover different client scenarios. Note that OAuth by itself is an authorization framework: an access token says what a client may do, not who the user is. Building login on top of plain OAuth is therefore not straightforward and can get complex, so it is commonly complemented with OpenID Connect, which adds the identity layer.

What is OpenID Connect?

Here is the OpenID Foundation's own description about OpenID Connect:

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

See http://openid.net/connect/faq/ for a set of answers to Frequently Asked Questions about OpenID Connect.

WOW and OpenID Connect

WOW is based on current Microsoft .NET technologies, so it benefits from out-of-the-box OpenID Connect support along with many other standards. As a partner, if you wish your users to be able to log in to WOW with their existing usernames and passwords rather than creating new ones, follow the steps below:

  • Create or use an OpenID Connect service that acts as an Identity Provider for your users. See the OpenID Connect Products and Services section for server suggestions.
  • Create a Client/App/Consumer for WOW within your OpenID Connect service. The client registration needs WOW's redirect (callback) URI, and your provider should only ever redirect to the exact URI registered.
  • Contact us with the newly created Client/App/Consumer key (client id) and secret. The secret is a credential for your provider, so send it over a secure channel rather than in plain e-mail, and rotate it if it is ever exposed.

Our team can review your server setup and suggest improvements as well. Once the client is configured on both sides, WOW can integrate with your system and your users can start using WOW with their existing accounts.

OpenID Connect Products and Services

In this section you can find our suggestions (ordered by compatibility with WOW), based on the list maintained by the OpenID Foundation. You can access the full list at http://openid.net/developers/libraries/. For the integration described above, your side needs a product that acts as an Identity Provider; the Relying Party entry indicates whether the product can also consume logins from other providers.

Cloud based solutions

Azure Active Directory
  • Microsoft Azure Active Directory includes OpenID Connect identity provider support.
  • License: Commercial
  • Relying Party: No
  • Identity Provider: Yes
Amazon Web Services
  • Amazon Web Services supports OpenID Connect.
  • License: Commercial
  • Relying Party: Yes
  • Identity Provider: No
Auth0
  • Auth0 (both the cloud and the on-premises version) includes OpenID Connect Identity Provider support.
  • License: Commercial
  • Relying Party: Yes
  • Identity Provider: Yes
WSO2 Identity Server
  • WSO2 Identity Server includes identity provider and sample relying party support.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes

On-premise solutions

C#
IdentityServer3
  • IdentityServer3 is an OpenID Connect and OAuth 2.0 framework for .NET.
  • License: Apache 2.0
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: OWIN/Katana
IdentityServer4
  • IdentityServer4 is the successor to IdentityServer3, targeting ASP.NET Core.
  • License: Apache 2.0
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: ASP.NET Core
Java
Nimbus OAuth 2.0 SDK with OpenID Connect extensions
  • Java library for building OAuth 2.0 and OpenID Connect clients and servers.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes
Apache Oltu
  • Apache Oltu is an OAuth protocol implementation in Java. It also covers other "OAuth family" implementations such as JWT, JWS and OpenID Connect.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes
  • Target Environment: Apache
PHP
phpOIDC
  • phpOIDC is a PHP implementation of OpenID Connect, developed by Nomura Research Institute. It also includes JWT, JWS and JWE support.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes
  • Target Environment: Apache, nginx
oauth2-server-php
  • A library for implementing an OAuth2 server in PHP, extended to support OpenID Connect identity provider functionality.
  • License: MIT License
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: PHP