Rick Emmines
# OAuth R&D Initial Findings & Considerations

## Our Approach to this R&D

The purpose of this R&D exercise was to explore OAuth implementation options and to ascertain the technical scope, complexity and dependencies at a high level, ahead of a more detailed scoping and design process. R&D was carried out through the lens of the OAuth requirements provided by Poplar HARCA (see below). This document outlines our findings and considerations.

The implementation of an OAuth service within the existing myHARCA application imposes some necessary changes, the scope of which is yet to be fully determined; for example, the re-engineering of the Staff Access module. This exercise aims to highlight key dependencies to enable Poplar HARCA to make more informed decisions on how to prioritise OAuth developments.

**R&D carried out by:** Carl Barker - Lead Developer, Element3 Technology

## Poplar HARCA's Initial Requirements for OAuth

| Requirement | Status | Comments |
| ----------- | ------ | -------- |
| Single Sign On (SSO) - The ability for end users to authenticate to myHARCA and related Poplar HARCA online services via their existing Google, Facebook or similar popular personal accounts | Completed | Most OAuth service paid tiers offer unlimited social connectors. Service accounts on each social provider are required, and their connection details must be supplied to Auth0 |
| Two-factor Authentication (2FA) - Although not essential from the outset of OAuth implementation, this is a desirable option as an additional layer of security for internal staff and potentially residents | Completed | Two-Factor Authentication is available via both providers but only on higher payment tiers (see below). Multiple methods are available including SMS, email and authenticator app |
| OIDC / OAuth Authentication | Completed | |
| The chosen OAuth service should allow Poplar HARCA to integrate with websites/microsites that may be purchased, developed in house or outsourced in the future. Key is that end users of these services can log in with the same credentials and access the widest range of available services possible | Completed | Within the same domain this is possible with all providers on all tiers. To integrate other domains, the professional tiers must be used |
| The ability to secure Poplar HARCA's existing and future APIs using an accepted standard authentication method | Completed | This is classed as M2M authentication and is available on all tiers. Limits are imposed, so the authentication in the Gateway would need to be re-written to store access tokens in state and refresh them on expiry in order to keep usage down |
| The potential link of myHARCA portal credentials with Poplar HARCA's VOIP telephony phone system ([8X8](https://www.8x8.com/)) using APIs. The aim being to allow residents to authenticate themselves before being passed to an operator. This feature is not essential from the outset but a long term consideration in selecting an OAuth service | Incomplete | This requires the inclusion of a third party provider to integrate. Further R&D is required on this component |
| Justification and demonstrable diligence for utilising an up to date, industry standard service for OAuth | Completed | With an industry standard OAuth provider, information on security and compliance is published: https://auth0.com/docs/compliance |

# Impacts of OAuth Implementation on myHARCA Portal

**IMPORTANT - In order to implement SSO via a service such as Auth0, the current Staff Access authentication method would need a complete rewrite and overhaul, due to the way in which staff members authenticate 'as a resident' to view their account.**

**The current myHARCA authentication process is as follows:**

- When a staff member logs into Staff Access, the staff member receives an initial access token
- Next, when accessing the myHARCA account of a tenant, the system authenticates that tenant to create an additional access token to store in the cookie. This is done so the system can utilise all of the same API endpoints for this user and give a near exact representation of the tenant's account to the staff member
- These endpoints have overrides where necessary to enable certain 'staff-only' functionality
- When a staff member closes the resident account or logs out of Staff Access, the account holder's cookie is destroyed

This is a large consideration for the implementation of an OAuth service to replace the current authentication method in myHARCA, as there is a dependency on the necessary refactoring of the Staff Access module.

# OAuth Providers Comparison

## Auth0

### About Auth0

[Auth0](https://auth0.com/) is a global provider of OAuth, User Access Management and Security services. Built for enterprise, Auth0 is a widely accepted standard for OAuth used across a range of sectors including commercial and public sector.

### Available Plans

The prices below are based on a 7,000 active user count per month; the pricing can be scaled up and down per use case. Items that meet the requirement specifications above are <u>underlined</u>.
**Use Cases:**

- Free Plan
  - 7,000 active users
  - <u>1,000 M2M authentications</u>
  - Unlimited logins
  - <u>Access to 2 social media connectors</u>
  - <u>Compliance certificates</u>
  - 1 day log retention
  - Community support only
  - 3 admins
- B2C - User authentication using username and password, social connectors
  - Essential - **$160 /mo (£116 GBP)**
    - 7,000 active users
    - <u>1,000 M2M authentications</u>
    - Unlimited social connectors
    - Custom domains and email branding
    - Role management
    - 2 day log retention
    - Standard level support - ticket system
  - Professional - **$1,200 /mo (£873 GBP)**
    - 7,000 active users
    - <u>5,000 M2M authentications</u>
    - Unlimited social connectors
    - Custom domains and email branding
    - Role management
    - External databases
    - <u>Cross app SSO</u>
    - <u>Pro MFA</u>
    - 10 days log retention
    - Standard level support - ticket system
  - **Requirements not met** - **AD Integration**
- B2B - Business authentication including SAML, LDAP, AD
  - Essential - **$1,420 /mo (£1,033 GBP)**
    - 7,000 active users
    - <u>5,000 M2M authentications</u>
    - Unlimited social connectors
    - <u>3 Enterprise connections (AD)</u>
    - 50 Organisations
    - Custom domains and email branding
    - Role management
    - <u>Pro MFA</u>
    - 10 days log retention
    - Standard level support - ticket system
  - Professional - **$1,800 /mo (£1,309 GBP)**
    - 7,000 active users
    - <u>5,000 M2M authentications</u>
    - Unlimited social connectors
    - <u>3 Enterprise connections (AD)</u>
    - 100 Organisations
    - Custom domains and email branding
    - Role management
    - External databases
    - <u>Cross app SSO</u>
    - <u>Pro MFA</u>
    - 10 days log retention
    - Standard level support - ticket system
- B2E - Enterprise authentication
  - This use case has a maximum of 500 users, beyond which a sales representative must be contacted. This is beyond the scope of this research phase

**Due to Poplar HARCA's requirement for Active Directory integration and the number of expected users, the B2B plan should be considered as a minimum. This would enable staff to log in to the myHARCA portal and other connected systems using their existing Poplar HARCA Active Directory user accounts.**

### Implementation Considerations

- API authentication
  - The development documentation available is to an enterprise standard and is descriptive and in depth
  - There are a number of 'quick start' guides available to get development teams up and running with Auth0. It is straightforward and is available for all major coding languages and frameworks
  - Auth0 documentation provides sample projects on GitHub, which offers further support for developers who are new to the platform
  - For the myHARCA portal, Auth0 can be added as a provider in the startup class of the application to give endpoints access to Authorize attributes using the Auth0 JWT token
  - The token will be checked against the provided domain to validate
  - Auth0 provide further SDK libraries that can be imported into application projects for deeper integration
- Portal backend implementation
  - **Within the myHARCA portal this implementation would replace the current basic API authentication used between the Gateway API hosted on MW-01 (middleware server) and the portal**
  - **The authentication on the Gateway would need to be re-engineered. There is a dependency on re-writing the Gateway application that serves as the middleware between the portal and Poplar HARCA APIs to utilise Auth0 authentication tokens more effectively. This can be done by storing the access token in local state so that it is reusable, as the M2M authentication requests are limited**
- Front-End implementation
  - Auth0 provide a number of ways for development teams to implement authentication into the front end of the application.
  - The OAuth login page can be customized from within the Auth0 portal - HTML, CSS and JS can be updated to present the required look and feel of the page
  - When creating the custom login page using the custom login form template, it will be possible to add an extra step to the register section to enable the account validation
  - The personID can be saved in the user_metadata JSON object; this can then be added as custom claims and used within the portal for selecting data
  - Custom domains can be put in place to keep the user within the web application domain
  - The documentation has 'quick start' guides and sample code for all front end frameworks, whether they are rendered client side or server side
  - Auth0 provide and maintain libraries which can be imported into the major back end frameworks. This is a real benefit as it will result in improved development times and better readability of code, and it ensures that connections are less prone to error, as the Auth0 development team provide regular updates which can be easily implemented. For example, the myHARCA portal could utilise the .NET version of this library for security related functionality.

## Okta

### Available Plans

Okta has 2 pricing strands, other than the free developer account that offers only basic functionality. All other use cases must go through an Okta sales representative for pricing.
Below is only a snapshot of these levels, which can scale based on number of users.

- Workforce Identity Products - for organisation and staff logins
  - Single Sign-on - **$2 /mo per user (£1.45 GBP)**
    - <u>AD Integration</u>
    - 3rd party MFA integration
    - Desktop and mobile SSO (cloud & on-premises apps)
  - Multi-factor Authentication - **$3 /mo per user (£2.18 GBP)**
    - <u>2-Factor Authentication</u>
  - API Access Management - **$2 /mo per user (£1.45 GBP)**
    - Application and directory integrations
    - OAuth 2.0 and OIDC compliant
    - Customizable scopes and claims
    - Customizable authorization servers
- Customer Identity Products - for customers, tenants and general user logins
  - Developer - **$0 /mo (£0 GBP)**
    - 15,000 users
    - Community support only
    - Extra option for higher level support $4,000 (£2,909 GBP) per month
    - 5 OIDC Clients
    - 3 SAML clients
    - Customizable sign-in and registration widget
    - Customizable email templates and domains **(only for paid accounts)**
  - One App - **Starting at $14,000 /y (£10,180 GBP)**
    - Tier based users, contact sales
    - 5 OIDC Clients
    - Full support
    - Customizable sign-in and registration widget
    - Customizable email templates and domains
  - Enterprise - **Starting at $36,000 /y (£26,177 GBP)**
    - Tier based users, contact sales
    - Unlimited OIDC Clients
    - Unlimited SAML Clients
    - Full support
    - Customizable sign-in and registration widget
    - Customizable email templates and domains
  - Addons
    - Directory Integration - **Starting at $21,000 /y (£15,270)**
      - <u>AD Integration</u>
    - API Access Management - Starting at $4,000 /y (£2,909 GBP), price scales up with number of tokens
      - <u>M2M authentication</u>
    - Multi-factor Authentication - **Starting at $7,000 /y (£5,090 GBP)**
    - SSO Integrations - **Starting at $1,500 /y (£10,907 GBP)**
      - Access to pre-built app integrations in the OIN

To ascertain realistic estimates for Okta pricing, it is highly recommended to speak with a sales representative, providing a detailed breakdown of requirements and projected user count for both staff access and tenant access.

- API authentication
  - The development documentation is descriptive and in depth
  - There are a number of 'quick start' guides to get the developer up and running with Okta. It is straightforward and is available for all major coding languages and frameworks
  - For the myHARCA portal, the Okta SDK can be imported into the project and added as a provider in the startup class of the application to give endpoints access to Authorize attributes using the JWT token
  - The token will be checked against the provided domain to validate
  - In order to generate the access_token, an assertion token must be generated first and passed to the /token endpoint. This must contain information about the access_token and be signed with the client secret: https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/create-sign-jwt/
- Portal backend implementation
  - **Within the portal this implementation would replace the current basic API authentication used between the Gateway API hosted on MW-01 (middleware server) and the portal**
  - **In all cases, as described above, the authentication on the Gateway would need to be re-engineered in order to store the access token in local state so that it is reusable; this would prevent the Okta API Access Management usage scaling too high**
- Front End implementation
  - The OAuth login page can be customized from within the Okta portal - HTML, CSS and JS can be updated to present the required look and feel of the page
  - When creating the custom login page using the custom login form template, it will be possible to add an extra step to the register section to enable the account validation
  - The personID can be saved in the user_metadata JSON object; this can then be added as custom claims and used within the portal for selecting data
  - Custom domains can be put in place to keep the user within the web application domain
  - The documentation has quick starts and sample code for all 3 of the major front-end frameworks as well as a standard JS implementation; the standard JS implementation would be required for the portal
  - Okta provide and maintain libraries to be imported into the major frameworks. This would improve development time and code readability and make the connections less error prone

## Final Considerations

At a minimum, Poplar HARCA should be looking to migrate their authentication to Auth0 to replace the current authentication setup. Although the current setup is secure, Auth0 offers a much higher range of compliance certificates for all their plans, including the free tier.

*"Auth0 carries a variety of compliance options including SOC 2, ISO27001, ISO27018, Gold CSA STAR, Data Residency needs and more."*

**Okta**

Although Okta has customer identities, it appears Okta is more focused around workforce authentication, which is aimed at staff / employee users, rather than customers/public users.

During developer R&D we were unable to customise the 'register' form on the OAuth page using the developer tier. We are unsure if this is locked behind a payment wall, or if this feature is not provided. For the myHARCA portal use case, this would be a requirement as the 'validate tenant' step must happen before the user is registered and the personID from this validation is stored in the account. During R&D, we were also unable to add metadata to the users on Okta.

**Auth0**

Based on the R&D carried out to date by both Poplar HARCA and Element3 with the Auth0 service, our recommendation would be to continue with Auth0 as the OAuth provider for the myHARCA portal and future microsites. Please note that R&D to date has only been a high level exercise, and a 'Proof of Concept' approach and methodology would be recommended to ascertain more detailed, solid recommendations.
**Rationale:**

- At first glance the pricing seems more complicated
- M2M API authentication is simpler, with fewer steps
- The potential ability to customise the 'login' and 'register' forms to cater for the tenant validation; however, we suggest further R&D on this to validate

**Considerations if chosen:**

- B2B Professional only if AD Integration is 100% required and cannot be cut
- B2C Professional has all other required functionality
- In either case we recommend speaking with a sales rep

**Phone System Integration**

R&D to date has shown that connecting OAuth to Poplar HARCA's 8x8 VOIP telephony systems would require the inclusion of a third party provider to facilitate integration. This component would require its own R&D phase if considered essential for OAuth implementation.
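Both the Auth0 and Okta implementation considerations above identify the same Gateway re-engineering: obtain the M2M access token once, keep it in local state, and only request a new one when it is about to expire, so that the provider's M2M authentication quota is not consumed on every API call. The following is an added illustration of that pattern and is not code from the myHARCA Gateway or from either provider. The token endpoint is simulated with a constructed fake function so it runs offline; the `access_token` / `expires_in` response fields follow the OAuth 2.0 client credentials grant (RFC 6749 section 4.4), and the 60-second early-refresh leeway is an assumed operational setting.

```python
"""Caching a client-credentials (M2M) access token in a gateway process.

Added example, not code from the myHARCA project or from Auth0/Okta. The cache
holds one token, refreshes it shortly before expiry, and serialises concurrent
refreshes so a burst of requests does not fan out into many token requests.
"""
import threading
import time
from typing import Callable, Dict, Optional


class TokenCache:
    """Holds one M2M access token and refreshes it shortly before expiry."""

    def __init__(self, fetch: Callable[[], Dict],
                 clock: Callable[[], float] = time.time, leeway: int = 60):
        self._fetch = fetch        # performs the real /oauth/token client_credentials request
        self._clock = clock        # injectable so expiry can be simulated deterministically
        self._leeway = leeway      # refresh this many seconds before the token actually expires
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._expires_at: float = 0.0
        self.fetch_count = 0       # how many times the token endpoint was actually called

    def _is_fresh(self) -> bool:
        return self._token is not None and self._clock() < self._expires_at - self._leeway

    def get(self) -> str:
        # Fast path: cached token is still valid, no provider call needed.
        if self._is_fresh():
            return self._token
        with self._lock:
            # Double-check under the lock so concurrent callers do not all refresh at once.
            if self._is_fresh():
                return self._token
            response = self._fetch()
            self.fetch_count += 1
            self._token = response["access_token"]
            # expires_in is relative to the time of issue, so anchor it to our clock now.
            self._expires_at = self._clock() + int(response["expires_in"])
            return self._token


def fake_token_endpoint_factory() -> Callable[[], Dict]:
    """Constructed stand-in for a provider token endpoint (not a real provider).
    Each call issues a new bearer token valid for 3600 seconds."""
    issued = {"n": 0}

    def fetch() -> Dict:
        issued["n"] += 1
        return {"access_token": f"token-{issued['n']}",
                "token_type": "Bearer", "expires_in": 3600}
    return fetch


def simulate_gateway_calls(n_calls: int, seconds_between: int) -> Dict:
    """Runs n_calls gateway requests spaced seconds_between apart on a simulated
    clock and reports how many token fetches the cache needed, compared with the
    naive approach of one token request per API call."""
    fake_clock = {"now": 1_000_000.0}
    cache = TokenCache(fake_token_endpoint_factory(), clock=lambda: fake_clock["now"])
    tokens_used = []
    for _ in range(n_calls):
        tokens_used.append(cache.get())
        fake_clock["now"] += seconds_between
    return {"fetches": cache.fetch_count,
            "naive_fetches": n_calls,
            "distinct_tokens": len(set(tokens_used))}


if __name__ == "__main__":
    # 100 calls two minutes apart span 200 minutes; with hour-long tokens and a
    # 60 s leeway the cache needs 4 token requests instead of 100.
    print(simulate_gateway_calls(n_calls=100, seconds_between=120))
```

With the per-month M2M limits quoted in the Auth0 plans (1,000 on the Free and Essential tiers, 5,000 on Professional), the difference between one token request per API call and one per token lifetime is what decides whether the Gateway stays within quota; the same reasoning applies to Okta's token-scaled API Access Management pricing.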
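Two further steps described in the implementation considerations, the portal validating a provider-issued JWT "against the provided domain" before reading the personID custom claim (Auth0 and Okta front-end sections), and the client assertion that must be signed and passed to the /token endpoint to obtain an access token (Okta API authentication section), are illustrated together below. This is an added example, not code from the myHARCA project or from either provider's SDK. It uses HMAC-SHA256 with a shared secret so that it runs offline with the standard library; a real deployment should verify provider tokens against the provider's published signing keys (JWKS, RS256) rather than a shared secret, and the Okta guide linked above may require an asymmetric key for the assertion. The issuer, audience, token endpoint and the namespaced claim name are placeholders; the claim set for the assertion follows RFC 7523 section 3.

```python
"""Signing a client-assertion JWT and validating an access-token JWT.

Added example, not code from the myHARCA project or from Auth0/Okta. The
validation order matters: the signature is checked before any claim is trusted,
the algorithm is pinned so an 'alg: none' or downgraded token is rejected, and
issuer, audience and expiry are all checked before the custom claim is read.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Placeholder values (assumptions). Auth0 issuers take the form "https://<tenant domain>/".
ISSUER = "https://example-tenant.invalid/"
AUDIENCE = "https://myharca-portal.invalid/api"
# Auth0 requires custom claims to be namespaced; this exact namespace is an assumption.
PERSON_ID_CLAIM = "https://myharca-portal.invalid/personID"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: Dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header_b64 = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url(sig)}"


def build_client_assertion(client_id: str, token_endpoint: str, secret: bytes,
                           now: Optional[int] = None) -> str:
    """Client assertion for the /token request (RFC 7523 section 3): short-lived,
    audience-bound to the token endpoint, with a unique jti so it cannot be replayed."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + 300, "jti": secrets.token_urlsafe(16)}
    return sign_jwt(claims, secret)


def validate_token(token: str, secret: bytes, issuer: str = ISSUER,
                   audience: str = AUDIENCE, now: Optional[int] = None) -> Dict:
    """Return the verified claims or raise ValueError. Nothing in the payload is
    trusted until the signature over header+payload has been verified."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:           # the "provided domain" check from the report
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):      # a missing exp is treated as already expired
        raise ValueError("token expired")
    return claims


def person_id_from_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """What the portal does per request: validate first, then read the custom claim
    that carries the personID saved in user_metadata at registration."""
    return validate_token(token, secret, now=now).get(PERSON_ID_CLAIM)


if __name__ == "__main__":
    demo_secret = b"constructed-shared-secret"    # constructed value for the demo only
    t = int(time.time())
    access = sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|demo-user",
                       "iat": t, "exp": t + 600, PERSON_ID_CLAIM: "P12345"}, demo_secret)
    print("personID:", person_id_from_token(access, demo_secret))
    assertion = build_client_assertion("demo-client", ISSUER + "oauth/token", demo_secret)
    print("client assertion:", assertion[:40] + "...")
```

The same `validate_token` checks are what the Authorize attribute in the portal's startup configuration performs via the provider SDK; keeping issuer and audience as explicit configuration (rather than trusting whatever the token states) is the part that makes "checked against the provided domain" meaningful.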
