Configure external auth server as OpenID Connect identity provider in AWS Cognito - amazon-web-services

I want to configure a Spring Boot service as OpenID Connect identity provider in AWS Cognito for authentication and authorization.
Previously, on my local system I was using keycloak instead of AWS Cognito. In order to run my service on the https protocol, I created a self-signed certificate on my local system. In order to configure this service as OpenID Connect identity provider in AWS Cognito, it is also necessary to run this service on the https protocol. When I was running the auth service locally on my system with keycloak, I also had to add this certificate to the keycloak truststore. My code that I have written in order to deploy keycloak on Docker can be seen below.
keycloak:
  container_name: "key-server"
  environment:
    KEYCLOAK_ADMIN: "admin"
    KEYCLOAK_ADMIN_PASSWORD: "pondelok"
    PROXY_ADDRESS_FORWARDING: "true"
  image: "quay.io/keycloak/keycloak:17.0.1"
  ports:
    - "9380:9380"
  extra_hosts:
    # lets the container reach the auth service running on the host
    - "auth-server:host-gateway"
  restart: unless-stopped
  volumes:
    - "../keycloak/providers:/opt/keycloak/providers"
    - "../keycloak/realms_local:/tmp/import"
    # keystore directory holding the truststore with the self-signed certificate
    - "../keycloak/keystore:/home"
  command:
    [
      'start-dev --auto-build',
      '--http-enabled=true',
      '--http-port=9380',
      # truststore that makes Keycloak accept the auth service's self-signed certificate
      '--spi-truststore-file-file=/home/oceankeystore.jks',
      '--spi-truststore-file-password=password',
      '--spi-truststore-file-hostname-verification-policy=ANY',
      '-Dkeycloak.migration.action=import',
      '-Dkeycloak.migration.provider=dir',
      '-Dkeycloak.migration.dir=/tmp/import',
      '-Dkeycloak.migration.strategy=OVERWRITE_EXISTING',
      '-Dkeycloak.profile.feature.upload_scripts=enabled',
      '--log-level=DEBUG,io.quarkus:INFO,liquibase:INFO,org.hibernate:INFO,org.infinispan:INFO,org.keycloak.services.scheduled:INFO,org.keycloak.transaction:INFO,io.netty.buffer.PoolThreadCache:INFO,org.keycloak.models.sessions.infinispan:INFO'
    ]
Now I want to deploy my application on AWS. I am replacing keycloak with AWS Cognito. Now my question is how I can add the self-signed certificate that I created on my local system to AWS Cognito so that a successful connection can be established between AWS Cognito and my auth service, which is acting as OpenID Connect identity provider. I am unable to figure this out. I am unable to find out where in AWS Cognito I can add my self-signed certificate. Can anyone guide me?

Your "auth service" deployed on AWS should use a certificate from a trusted authority (not a self-signed one). Have a look at solutions like Let's Encrypt or AWS Certificate Manager.
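The reason there is nowhere to upload the certificate is that Cognito fetches the provider's discovery document and keys over HTTPS and validates the chain against public CAs only; there is no per-provider truststore like the `--spi-truststore-file-*` flags above. The Go program below is an added illustration, not code from the question or from AWS. It starts a throwaway HTTPS issuer with a self-signed certificate (httptest's built-in localhost certificate) that serves a constructed discovery document, then fetches that document twice: once with the host's default CA bundle, which is what Cognito does, and once with the self-signed certificate added to a custom pool, which is what the Keycloak truststore did locally. The `/oauth2/...` endpoint paths are assumptions for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Discovery is the subset of the OpenID Connect discovery document that an
// OIDC relying party such as Cognito needs from an external identity provider.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// newSelfSignedIssuer starts a throwaway HTTPS server standing in for the
// Spring Boot auth service from the question. httptest signs it with its own
// self-signed localhost certificate, so no public CA trusts it. The endpoint
// paths are assumptions for this example; the caller must Close() the server.
func newSelfSignedIssuer() *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(Discovery{
			Issuer:                srv.URL,
			AuthorizationEndpoint: srv.URL + "/oauth2/authorize",
			TokenEndpoint:         srv.URL + "/oauth2/token",
			JwksURI:               srv.URL + "/oauth2/jwks",
		})
	}))
	return srv
}

// fetchDiscovery performs the request a relying party makes when given an
// issuer URL: GET <issuer>/.well-known/openid-configuration with TLS
// certificate verification on. roots == nil selects the host's default CA
// bundle (public CAs only), the only trust Cognito offers; a non-nil pool
// plays the role of the Keycloak truststore from the question.
func fetchDiscovery(issuer string, roots *x509.CertPool) (*Discovery, error) {
	base := strings.TrimRight(issuer, "/")
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(base + "/.well-known/openid-configuration")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery returned HTTP %d", resp.StatusCode)
	}
	var d Discovery
	if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
		return nil, err
	}
	// The issuer in the document must equal the configured one, otherwise the
	// "iss" claim of every token issued later fails validation.
	if d.Issuer != base {
		return nil, fmt.Errorf("issuer mismatch: configured %q, document says %q", base, d.Issuer)
	}
	return &d, nil
}

// isUntrustedCert reports whether err is the chain-validation failure that a
// self-signed certificate produces against a trust store that lacks it.
func isUntrustedCert(err error) bool {
	if err == nil {
		return false
	}
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua) ||
		strings.Contains(err.Error(), "certificate signed by unknown authority")
}

func main() {
	srv := newSelfSignedIssuer()
	defer srv.Close()

	// What Cognito sees: the self-signed issuer is rejected during the TLS
	// handshake, before any OIDC message is exchanged.
	if _, err := fetchDiscovery(srv.URL, nil); err != nil {
		fmt.Println("default trust store:", err, "| untrusted cert:", isUntrustedCert(err))
	}

	// What the local Keycloak setup did: the self-signed certificate is in a
	// truststore, so the same endpoint validates. Cognito has no such setting,
	// hence the advice to use a publicly trusted certificate.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	d, err := fetchDiscovery(srv.URL, pool)
	if err != nil {
		fmt.Println("custom trust store:", err)
		return
	}
	fmt.Println("custom trust store: issuer", d.Issuer, "jwks", d.JwksURI)
}
```

Pointing `fetchDiscovery` with `roots == nil` at the real issuer URL from any machine with a normal CA bundle is a quick pre-check that the ACM or Let's Encrypt certificate is in place before registering the provider in Cognito; if it fails with the unknown-authority error, Cognito will fail the same way.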

Related

WSO2 APIM not invoking backend when hostname is changed

WSO2 APIM is not invoking backend when hostname is changed.
My APIM server is in AWS running in a docker container. Backend is in Azure App service. When I configure API gateway with localhost in AWS EC2 instance, the published API in gateway is able to invoke backend and fetch data without any issue.
When I do the following changes and try out the same API from AWS, it gives a 400 response error without anything in the logs:
1. change the host name in deployment.toml and the required gateway urls
2. create a new keystore for SSL communication using a CA signed certificate and import it in client-truststore
3. change the secondary keystore to the new one
4. build and run the docker with modified keystores and deployment.toml
Created an image using the dockerfile mentioned in https://github.com/wso2/docker-apim.git under dockerfiles/ubuntu/apim and then performed required changes in deployment.toml and Dockerfile
The API is working fine using curl and from postman. It is giving 400 error only when invoked from Publisher/Devportal UI

Salesforce OIDC with AWS ALB

I am setting up AWS ALB to authenticate using OIDC.
I am getting the below response: error=redirect_uri_mismatch&error_description=redirect_uri%20must%20match%20configuration
How should this be handled?
And for AWS ALB to be able to authenticate, is there anything special to be done on the SFDC side?

WSO2 APIM - SAML SSO - ACS URL

Having WSO2AM 2.1.0 in a distributed setup (KM, GW, TM deployed and scaled separately), we'd like to enable SAML SSO for application users with an external SAML IdP.
Main question is - what is the SAML ACS url for the APIM as SP in this setup?
By default (it's working) the ACS URL is https://host:9443/commonauth , however as far as I understood the client should have access only to the Gateway services (port 8243). On the port 8243 all OAuth services are exposed too.
So - do we need to expose a route / ports to 9443 (gateway to key manager)?
Thank you for any insight
The question is a bit unclear. We can set up SSO for publisher and store applications only. There is no connection with the gateway when configuring this. See https://docs.wso2.com/display/AM2xx/Configuring+Identity+Server+as+IDP+for+SSO . Since API Publisher or store acts as the SP, we set the ACS url for publisher as https://localhost:9443/publisher/jagg/jaggery_acs.jag and for store as https://localhost:9443/store/jagg/jaggery_acs.jag
The gateway is there to accept the API requests, so only 8243 and 8280 need to be exposed to the public. But the gateway needs to talk to the keymanager (to validate tokens), so there needs to be a connection between gateway and keymanager.

how to place basic access authentication on my aws web app?

I have a web app on AWS using CloudFront, an Elastic Load Balancer, and an EC2 host.
I am attempting to place 'Basic Access Authentication' on it to give it simple password protection.
Do any of these AWS services provide this?
I notice that S3 has documentation on requiring the http authentication header, but I don't notice such documentation for the CloudFront, ELB, or EC2 services my app uses.
How can I setup Basic Access Authentication for my app?
It's fairly simple.
Just set up HTTP authentication at your web server level.
You can follow this if you're using Nginx: https://www.digitalocean.com/community/tutorials/how-to-set-up-basic-http-authentication-with-nginx-on-ubuntu-14-04
And for Apache: https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-apache-on-ubuntu-14-04
Let me know if this helps.

WSO2 Identity Server - IDP Federation with OpenID - Trace and Log Feature?

What are the debug options available in the WSO2 Identity Server to trace the Identity Federation (outbound) using the OpenID protocol? Are there parameters available in the log4j.properties file, or service configurations, that enable tracing under WSO2 Rel 5.1?
Even when the Identity Provider is configured to run with a federated lookup connecting to a remote IdP, the server is only validating locally registered accounts. Having a debug trace feature inside the server would be helpful to track the message routing and flow.
Configuration Details for Outbound Identity Federation:
Identity Provider Name: extbasicws01_openid
Display Name: extbasicws01_openid
Description: OpenID realm for SSO
Federated Authenticators - OpenID Configuration
Federation Hub Identity Provider: checked
Home Realm Identifier: travelocity.com
Certificate: Public key PEM downloaded from central IdP
Alias (default URL):
Enabled OpenID - checked
Default - Specifies if OpenID is the default
OpenID server URL: central IDP URL
User ID found in 'claimed_id' - checked
Additional Query Parameters - blank
Any update on this topic? Still watching for a trace option to better track the federated mode in outbound connections, especially when using the OpenID standard. Currently testing with the Travelocity.com client and openid login. Local authentication with WSO2 identities is answering, but outbound authentications are not sending a redirect to the external IdP. Any hints how to update the WSO2 Identity Provider configuration to activate the federated mode with OpenID?
You can add the following in the {IS_HOME}/repository/conf/log4j.properties file to enable debug logs for OpenID.
log4j.logger.org.wso2.carbon.identity.application.authenticator.openid=DEBUG