Planning for securing applications and services
As an OAuth2, OpenID Connect and SAML compliant server, NQRust-Identity can secure any application and service as long as the technology stack they are using supports any of these protocols.
For some of these protocols, most of the support is already available from the programming language, framework, or reverse proxy the application uses. Leveraging the support already available from the application ecosystem is key to making your application fully compliant with security standards and best practices, so that you avoid vendor lock-in.
For some programming languages, NQRust-Identity provides libraries that try to fill gaps where support for a particular security protocol is lacking, or to provide a richer and more tightly coupled integration with the server. These libraries are known as NQRust-Identity Client Adapters, and they should be used as a last resort if you cannot rely on what is available from the application ecosystem.
Basic steps to secure applications and services
These are the basic steps for securing an application or a service in NQRust-Identity.
- Register a client to a realm using one of these options:
  - The NQRust-Identity Admin Console
  - The client registration service
  - The CLI
- Enable OpenID Connect or SAML protocols in your application using one of these options:
  - Leveraging existing OpenID Connect and SAML support from the application ecosystem
  - Using an NQRust-Identity Adapter
This guide provides the detailed instructions for these steps.
Getting Started
The NQRust-Identity Quickstarts Repository provides examples of how to secure applications and services using different programming languages and frameworks. By going through their documentation and codebase, you will understand the bare minimum changes required in your application and service in order to secure it with NQRust-Identity.
Also, see the following sections for recommendations for trusted and well-known client-side implementations for both OpenID Connect and SAML protocols.
OpenID Connect
Java
JavaScript (client-side)
Node.js (server-side)
C#
Python
Android
iOS
Apache HTTP Server
SAML
Java
Apache HTTP Server
Terminology
These terms are used in this guide:
- Clients are entities that interact with NQRust-Identity to authenticate users and obtain tokens. Most often, clients are applications and services acting on behalf of users that provide a single sign-on experience to their users and access other services using the tokens issued by the server. Clients can also be entities only interested in obtaining tokens and acting on their own behalf for accessing other services.
- Applications include a wide range of applications that work for specific platforms for each protocol.
- Client adapters are libraries that make it easy to secure applications and services with NQRust-Identity. They provide a tight integration to the underlying platform and framework.
- Creating a client and registering a client are the same action. Creating a Client is the term used to create a client by using the Admin Console. Registering a client is the term used to register a client by using the NQRust-Identity Client Registration Service.
- A service account is a type of client that is able to obtain tokens on its own behalf.