find out the "username" in enterprise integrator - wso2

In the Enterprise Integrator (WSO2) server, how should I know which application sent me the requests?
I need to have the application "username" and send the username in the body to the Endpoint.

There are different ways to identify the client calling a service.
By looking at the user agent Header.
By looking at the Origin IP.
Make the user add a unique identifier to the request.
If an Auth header is sent by the client, by looking at the Auth information (e.g. if an OAuth token is sent, you can do an introspect call to the Token server to get user details, etc.)
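The following is an added example (not code from the answer above or from WSO2) that collects the first three signals the answer lists from a request's headers. The custom header name `X-Client-App` is an assumption standing in for the "unique identifier" option, and the sample headers are constructed. The one point worth seeing in code is that the origin IP from `X-Forwarded-For` is only meaningful when the direct peer is a proxy you operate; from anyone else the header is attacker-supplied and the peer address is used instead.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Hypothetical custom header for the "unique identifier" option (assumption,
# not a WSO2 EI convention): each calling application sends its own id in it.
APP_ID_HEADER = "X-Client-App"


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def origin_ip(headers: Mapping[str, str], peer_addr: str, trusted_proxies: list) -> str:
    """Return the originating IP address.

    X-Forwarded-For is written by the client unless a proxy we control adds it,
    so it is honoured only when the direct TCP peer is one of our trusted proxies.
    Otherwise the peer address itself is the best evidence available.
    """
    peer = ipaddress.ip_address(peer_addr)
    forwarded = get_header(headers, "X-Forwarded-For")
    if forwarded and any(peer in net for net in trusted_proxies):
        # The left-most entry is the original client; each hop appends its peer.
        first_hop = forwarded.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first_hop))
        except ValueError:
            pass  # malformed entry: fall through to the peer address
    return str(peer)


def identify_client(headers: Mapping[str, str], peer_addr: str,
                    trusted_proxies: Iterable[str] = ()) -> dict:
    """Collect the caller's identifying signals: User-Agent, origin IP, the custom
    application id header, and whether an Authorization header (Basic, Bearer, ...)
    was supplied for a further lookup such as token introspection."""
    networks = [ipaddress.ip_network(n) for n in trusted_proxies]
    auth = get_header(headers, "Authorization") or ""
    scheme, _, credential = auth.partition(" ")
    return {
        "user_agent": get_header(headers, "User-Agent"),
        "ip": origin_ip(headers, peer_addr, networks),
        "app_id": get_header(headers, APP_ID_HEADER),
        "auth_scheme": scheme.lower() or None,
        "has_bearer_token": scheme.lower() == "bearer" and bool(credential.strip()),
    }


# Constructed sample request (not captured from a real system).
SAMPLE_HEADERS = {
    "User-Agent": "billing-app/2.3",
    "X-Forwarded-For": "203.0.113.7, 10.0.0.5",
    "X-Client-App": "billing",
    "Authorization": "Bearer 2YotnFZFEjr1zCsicMWpAA",
}

if __name__ == "__main__":
    # Arrived through our reverse proxy at 10.0.0.5: X-Forwarded-For is trusted.
    print(identify_client(SAMPLE_HEADERS, "10.0.0.5", ["10.0.0.0/8"]))
    # Arrived directly from an unknown host: the header is ignored.
    print(identify_client(SAMPLE_HEADERS, "198.51.100.9", ["10.0.0.0/8"]))
```

The User-Agent and the custom header are both set by the caller, so on their own they identify an application only as far as you trust it to be honest; the Authorization header is the signal that can actually be verified, which is what the introspection option is for.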

Related

How can I remove session for specific user for specific ServiceProvider in WSO2 IS?

Is there any web service provided by WSO2 Identity Server to remove a session for a specific user for a specific ServiceProvider?
I am using SAML SSO for many web applications and they are all integrating with the WSO2 server.
Now let's say the scenario is: a user is logged in with 2 applications at the same time. I want to log out from one application.
There is one service provided for logout and it provides single logout, so the session will be removed for all applications. Is there a web service provided by IS, or a way, to achieve logout for one specific application?
What you are asking is to have the capability of removing a specific participant from the session created on the Identity Server side. I don't see a straightforward way (OOTB) of achieving this.
Closest you can achieve is as below.
Make your application perform a forceAuth. ForceAuth will request user credentials despite having the cookies in the browser. (This will prevent the user from experiencing the SSO comfort. Still you can authenticate against the IS.)
Prevent the application from sending an SLO request to WSO2. Rather, terminate the self(application) session upon logout.
When your application really wants to perform an SLO (logout all the applications, not just yours), your application can send an SLO request to the Identity Server.
Performing a force authentication:
SAML - Send forceAuth=true as a query parameter in your login request. Or else change the SAML AuthenticationRequest payload body to indicate a force authentication as in the spec (Line 2042).
OIDC - Send prompt=login as an additional query parameter in the /authorization request.
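As an added example (not code from the answer or from WSO2 IS), this builds both forms of a forced re-authentication described above: an OIDC authorization URL carrying `prompt=login`, and a SAML 2.0 AuthnRequest with the `ForceAuthn="true"` attribute, plus the raw-DEFLATE/base64 encoding used by the HTTP-Redirect binding so the request can be put on a query string and read back on the IdP side. The endpoint URLs, client id and issuer are placeholders.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def oidc_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                       force_login: bool = True):
    """Build the /authorize request. prompt=login asks the IdP to re-authenticate the
    user even though an SSO session cookie is present. state and nonce are returned
    so the caller can bind them to its own session and check them on the response."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if force_login:
        params["prompt"] = "login"
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce


def saml_authn_request(issuer: str, acs_url: str, destination: str,
                       force_authn: bool = True) -> str:
    """Build an unsigned SAML 2.0 AuthnRequest. ForceAuthn="true" is the attribute
    that requests fresh credentials regardless of the existing IdP session."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode()) + compressor.flush()
    return base64.b64encode(data).decode()


def decode_redirect_binding(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def requests_force_authn(xml: str) -> bool:
    """What the IdP side checks: is this an AuthnRequest with ForceAuthn set?"""
    root = ET.fromstring(xml)
    return root.tag == f"{{{SAMLP}}}AuthnRequest" and root.get("ForceAuthn", "false") == "true"


def prompt_values(url: str) -> list:
    """Read the prompt parameter back out of an authorization URL."""
    return parse_qs(urlparse(url).query).get("prompt", [])


if __name__ == "__main__":
    url, state, nonce = oidc_authorize_url("https://IS_HOST:9443/oauth2/authorize",
                                           "my-client", "https://app.example/cb")
    print(url)
    xml = saml_authn_request("https://app.example", "https://app.example/acs",
                             "https://IS_HOST:9443/samlsso")
    print(requests_force_authn(decode_redirect_binding(encode_redirect_binding(xml))))
```

A production AuthnRequest sent over the Redirect binding is normally signed (the `SigAlg` and `Signature` query parameters); that step is left out here so the example stays focused on the ForceAuthn attribute.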
You can do this by calling the REST API and SOAP API provided by WSO2 IS. This will remove the session at WSO2 IS but I'm not sure if it will also trigger the SLO to other service providers or not.
Reference:
https://is.docs.wso2.com/en/latest/develop/calling-admin-services/
https://is.docs.wso2.com/en/latest/develop/session-mgt-rest-api/
Trigger a SOAP request getUserProfile from the UserProfileMgtService.wsdl. The default user profile will be 'default' or you can put the customized profile name you used. This will return the details. Grab the user id from this.
Trigger a GET to the API: /{user-id}/sessions with the user-id from step 1 to get the list of all active sessions this user currently has. Go through the list of sessions and find the session ID of the Service Provider you need to clear.
Trigger a DELETE request to the API: /{user-id}/sessions/{session-id} with the user id from step 1 and the session id from step 2.
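Steps 2 and 3 of that procedure, as an added example that is not code from the answer or from WSO2. The base URL of the session management API, the admin credentials and the shape of the session-list JSON (a `sessions` array whose entries have an `id` and an `applications` list with `appName`) are assumptions, and the sample sessions are constructed; the user id from step 1 (the SOAP getUserProfile call) is simply passed in. The HTTP transport is injectable so the flow runs offline against a fake endpoint that records the calls made.

```python
import base64
import json
from typing import Callable, Dict, Optional, Tuple

# Assumption (placeholder, not from the answer): base URL of the session management
# REST API. The answer gives only the relative paths /{user-id}/sessions and
# /{user-id}/sessions/{session-id}.
SESSION_API_BASE = "https://IS_HOST:9443/api/users/v1"

# Transport hook: (method, url, headers) -> (http_status, response_body).
Http = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def find_session_for_app(sessions_payload: dict, app_name: str) -> Optional[str]:
    """Pick the session in which app_name participates.

    Assumed response shape:
    {"sessions": [{"id": "...", "applications": [{"appName": "..."}, ...]}, ...]}
    """
    for session in sessions_payload.get("sessions", []):
        if any(app.get("appName") == app_name for app in session.get("applications", [])):
            return session.get("id")
    return None


def terminate_app_session(http: Http, user_id: str, app_name: str,
                          admin_user: str, admin_password: str,
                          base_url: str = SESSION_API_BASE) -> Optional[str]:
    """List the user's sessions, find the one bound to the application, DELETE it.
    Returns the terminated session id, or None if the application has no session."""
    cred = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}", "Accept": "application/json"}

    status, body = http("GET", f"{base_url}/{user_id}/sessions", headers)
    if status != 200:
        raise RuntimeError(f"listing sessions failed with HTTP {status}")
    session_id = find_session_for_app(json.loads(body), app_name)
    if session_id is None:
        return None

    status, _ = http("DELETE", f"{base_url}/{user_id}/sessions/{session_id}", headers)
    if status not in (200, 204):
        raise RuntimeError(f"terminating session {session_id} failed with HTTP {status}")
    return session_id


class FakeSessionApi:
    """Constructed stand-in for the IS endpoint so the flow runs offline; records calls."""

    def __init__(self, sessions: list):
        self.sessions = sessions
        self.calls = []

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        self.calls.append((method, url))
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, ""
        if method == "GET" and url.endswith("/sessions"):
            return 200, json.dumps({"sessions": self.sessions})
        if method == "DELETE":
            sid = url.rsplit("/", 1)[1]
            before = len(self.sessions)
            self.sessions = [s for s in self.sessions if s["id"] != sid]
            return (204, "") if len(self.sessions) < before else (404, "")
        return 404, ""


# Constructed sample: one user with two browser sessions bound to different applications.
SAMPLE_SESSIONS = [
    {"id": "sess-1", "userAgent": "Firefox", "applications": [{"appName": "travelocity.com"}]},
    {"id": "sess-2", "userAgent": "Chrome",
     "applications": [{"appName": "avis.com"}, {"appName": "hertz.com"}]},
]

if __name__ == "__main__":
    api = FakeSessionApi([dict(s) for s in SAMPLE_SESSIONS])
    print(terminate_app_session(api, "user-uuid", "avis.com", "admin", "admin"))
    print(api.calls)
```

Note what the sample data shows: a session record can list several applications, and deleting it ends the session for every one of them, so this clears the whole IdP session rather than a single participant, which is the limitation the earlier answer describes.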

What is the procedure to authenticate multitenant application using WSO2 Server token Procedure

I have a multi-tenant web application that internally uses different services and REST API services; for login purposes, username and password validation is done using WSO2 IS and LDAP. LDAP is configured as the WSO2 IS UserStore. So when a customer logs into the web application, it is currently implemented by checking whether the username and password are present in the LDAP directory or not, and logging into the application based on the LDAP directory response.
Now I want to implement token-based authentication: when a client logs into the application using his/her tenant user credentials, get the token from the WSO2 IS server and send the token to the client side, so that it is used when calling any service or REST API. If it expires after the time limit, regenerate the token, and when a request is made to any service or REST API, validate whether the token is valid or not. So only if the token is valid does the backend service send a response; otherwise it sends a failure response.
I am stuck on the correct approach. I need the exact approach to successfully implement an authorization/identity management service with WSO2 to handle access tokens for user validation and to validate the REST service.
You can use OpenID Connect (OIDC) [1] in order to achieve your requirement.
OpenID Connect is an authentication protocol that is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
You can use WSO2 IS and integrate your client application with OIDC [2][3] and get an access token on behalf of the user to communicate with external APIs.
Also you can use the OAuth Introspection endpoint [4] of the WSO2 IS in order to validate the access tokens as per your requirements.
[1] https://openid.net/connect
[2] https://docs.wso2.com/display/IS570/OpenID+Connect
[3] https://docs.wso2.com/display/IS570/OpenID+Connect+Authentication
[4] https://docs.wso2.com/display/IS570/Invoke+the+OAuth+Introspection+Endpoint
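An added example (not code from the answer or from WSO2) of the validation step: a resource server receives a bearer access token and checks it with an RFC 7662 introspection call before serving the request, which is also the "introspect call" mentioned in the first answer on this page. The endpoint URL and the resource server's own client credentials are placeholders, and the introspection responses used for the offline run are constructed. The check accepts a token only when the server reports it active, its `exp` has not passed, and the required scope is present.

```python
import base64
import json
import time
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

# Assumption (placeholder): the introspection endpoint of your IS deployment.
INTROSPECT_URL = "https://IS_HOST:9443/oauth2/introspect"

# Transport hook: (url, body_bytes, headers) -> (http_status, response_body).
Transport = Callable[[str, bytes, dict], Tuple[int, str]]


class TokenRejected(Exception):
    """Raised when the token must not be accepted."""


def build_introspection_request(token: str, client_id: str, client_secret: str,
                                url: str = INTROSPECT_URL):
    """RFC 7662 request: form-encoded 'token' parameter; the caller (our resource
    server) authenticates to the introspection endpoint with HTTP Basic."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {cred}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    return url, body, headers


def introspect(token: str, client_id: str, client_secret: str, transport: Transport,
               required_scope: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Validate an access token via introspection and return the claims we rely on."""
    url, body, headers = build_introspection_request(token, client_id, client_secret)
    status, raw = transport(url, body, headers)
    if status != 200:
        raise TokenRejected(f"introspection endpoint returned HTTP {status}")
    info = json.loads(raw)
    if info.get("active") is not True:
        # RFC 7662: an inactive token carries no other trustworthy claims.
        raise TokenRejected("token is not active")
    now = int(time.time()) if now is None else now
    if "exp" in info and int(info["exp"]) <= now:
        raise TokenRejected("token has expired")
    scopes = str(info.get("scope", "")).split()
    if required_scope and required_scope not in scopes:
        raise TokenRejected(f"missing scope {required_scope}")
    return {
        "username": info.get("username"),
        "client_id": info.get("client_id"),
        "scopes": scopes,
        "exp": info.get("exp"),
    }


def urllib_transport(url: str, body: bytes, headers: dict) -> Tuple[int, str]:
    """Real transport using only the standard library (not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


# Constructed introspection responses for an offline run (not captured from WSO2 IS).
FAKE_RESPONSES = {
    "good-token": (200, json.dumps({"active": True, "username": "alice@tenant1.com",
                                    "client_id": "web-portal", "scope": "openid profile",
                                    "exp": 1_700_000_900})),
    "stale-token": (200, json.dumps({"active": True, "username": "bob",
                                     "exp": 1_700_000_000})),
    "revoked-token": (200, json.dumps({"active": False})),
}


def fake_transport(url: str, body: bytes, headers: dict) -> Tuple[int, str]:
    token = dict(p.split("=", 1) for p in body.decode().split("&"))["token"]
    return FAKE_RESPONSES.get(token, (200, json.dumps({"active": False})))


if __name__ == "__main__":
    print(introspect("good-token", "web-portal", "s3cret", fake_transport,
                     required_scope="openid", now=1_700_000_100))
```

Because introspection is a network round trip per request, resource servers usually cache a positive result until the returned `exp` (or a shorter fixed interval, so a revocation is noticed soon); the expired-token regeneration the question asks about is done on the client side with the refresh token grant rather than here.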

How to secure web services when authentication is done at client side (frontend)

I have a web application whose structure is as follows:
webapi: Django web services [NOT REST], no security implemented
frontend: Angular2, authentication implemented via SAML
Database: MongoDB
Can you please suggest the best way to secure the webapi, as currently anyone who has the server [api] URL can access the web services.
It would be a big help if you could suggest the authentication and authorization flow because I am totally stuck.
Thanks in advance.
Implement an /authentication on your API which accepts Basic authentication. Make sure you do that over HTTPS. Username and password will be collected by your Angular app and sent back to /authentication. If the user authenticates, return a session token, for example JWT (check pyjwt).
All the following communications between the front and back should contain the token, which is issued only if the user authenticated. The token is included in the request headers and specifically in the Authorization header using the Bearer schema:
Authorization: Bearer <token>
A JWT contains the username so you can use that on each future request. Furthermore, you are not required to keep a record of the issued JWTs since each one is self-contained and can have a predetermined expiration date.
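To make the self-contained token concrete, here is an added example (not from the answer, and not using pyjwt) that mints and verifies an HS256 JWT with only the standard library, then pulls the username out of an `Authorization: Bearer` header. The secret and timestamps are constructed. Two details matter for security and are easy to get wrong in a hand-rolled verifier: the algorithm is pinned by the server rather than read from the token, and the signature is compared in constant time before any claim is trusted.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Mapping, Optional


class TokenError(ValueError):
    """Raised for any token that must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, secret: bytes, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Mint an HS256 JWT carrying the username (sub) and an expiry (exp)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims of a token whose signature is valid and which has not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        presented = _b64url_decode(signature_b64)
    except ValueError:  # covers binascii.Error and bad UTF-8 / JSON
        raise TokenError("malformed token")
    # Pin the algorithm: the verifier decides how to check, never the token itself
    # (this is what defeats "alg": "none" and algorithm-confusion tricks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in payload or int(payload["exp"]) <= now:
        raise TokenError("token expired")
    return payload


def username_from_request(headers: Mapping[str, str], secret: bytes,
                          now: Optional[int] = None) -> str:
    """Read 'Authorization: Bearer <token>', verify it and return the username."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise TokenError("missing bearer token")
    return verify_token(token.strip(), secret, now)["sub"]


if __name__ == "__main__":
    secret = b"constructed-demo-secret-use-32-random-bytes-in-production"
    token = issue_token("alice", secret, ttl_seconds=600)
    print(token)
    print(username_from_request({"Authorization": f"Bearer {token}"}, secret))
```

The trade-off the answer alludes to is visible here: nothing server-side has to be stored, but there is also nothing to delete, so a token stays usable until `exp` and the only way to "revoke" one early is a short lifetime or a separate deny-list.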

Django login required between two servers

I have two servers.
Server A - this is the whole business logic and API for a mobile application.
Server B - in simple words, this is a webpage.
And now I need to authenticate a user on B, but by the 'user-data' from A.
E.g.
On server A I have a user with login/password. And I need to use this same login/password on server B. Is there some nice solution for that? Or just use tokens?
Presuming that you have an authentication mechanism in your server A.
You have to use your server A as an Identity Provider. Requests to your B-server should have a session header. If this session is not valid in the B-server then you have to ask for credentials from the web user and forward this request to your Identity Provider (Server-A). If Server-A can identify the given credentials, initiate a session in server-B for this user for a particular time frame. You have to manage this session in the Server-B.
When this user logs out from server-B, just destroy the session.
Tokens should be fine, such as a bearer token in the Authorization header. There are different strategies such as opaque tokens vs JWTs, etc.
I actually did a write up on API authentication tutorial and security holes:
https://www.moesif.com/blog/technical/restful-apis/Authorization-on-RESTful-APIs/
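The session handling the first answer describes, written out as an added example (not code from either answer, and not Django-specific): Server B delegates the credential check to Server A through an injected function, keeps an opaque-token-to-session map with a fixed lifetime, and destroys the entry on logout. The demo user table and the controllable clock are constructed so expiry can be exercised offline; a real `verify_with_idp` would call Server A's API over HTTPS.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    username: str
    expires_at: float


class SessionStore:
    """Server B's side of the flow: credentials go to Server A (the identity provider)
    through verify_with_idp; Server B stores only an opaque token -> session map."""

    def __init__(self, verify_with_idp: Callable[[str, str], bool],
                 ttl_seconds: float = 1800, clock: Callable[[], float] = time.monotonic):
        self._verify = verify_with_idp
        self._ttl = ttl_seconds
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Ask Server A to check the credentials; on success mint an opaque session token."""
        if not self._verify(username, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable and carries no information itself
        self._sessions[token] = Session(username, self._clock() + self._ttl)
        return token

    @staticmethod
    def _token_from_header(authorization: Optional[str]) -> Optional[str]:
        scheme, _, token = (authorization or "").partition(" ")
        token = token.strip()
        return token if scheme.lower() == "bearer" and token else None

    def authenticate(self, authorization: Optional[str]) -> Optional[str]:
        """Return the username for a valid, unexpired session, else None."""
        token = self._token_from_header(authorization)
        session = self._sessions.get(token) if token else None
        if session is None:
            return None
        if session.expires_at <= self._clock():
            del self._sessions[token]  # lazily purge the expired entry
            return None
        return session.username

    def logout(self, authorization: Optional[str]) -> bool:
        """Destroy the session; returns whether one existed."""
        token = self._token_from_header(authorization)
        return bool(token) and self._sessions.pop(token, None) is not None

    def active_count(self) -> int:
        return len(self._sessions)


# Constructed stand-in for Server A's credential check.
_DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_idp_verify(username: str, password: str) -> bool:
    stored = _DEMO_USERS.get(username, "")
    # compare_digest keeps the comparison constant-time; a real store compares password hashes.
    return bool(stored) and hmac.compare_digest(stored.encode(), password.encode())


class FakeClock:
    """Controllable clock so session expiry can be exercised without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    store = SessionStore(demo_idp_verify, ttl_seconds=1800)
    token = store.login("alice", "correct horse battery staple")
    print(store.authenticate(f"Bearer {token}"))
    print(store.logout(f"Bearer {token}"), store.authenticate(f"Bearer {token}"))
```

This is the opaque-token strategy from the second answer: the token is meaningless without Server B's table, so logout really does invalidate it immediately, at the cost of Server B having to keep (and, across several instances, share) that state.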

How can I secure my web service, username/password or token?

I am now developing a web service, but I want only persons who are authenticated to have the right to use the web service. Now I have two methods: one is to use the username and password in every service call, the other is to first use the username and password to log in and get a token, then visit the other services just with the token. Now I want to know which is better? Suppose I use HTTPS; it is secure to pass the username and password. But my mentor told me usually we use tokens. So can anyone compare these two methods in detail from security, performance or any other aspects? Thanks very much!
If you are using SOAP, you can implement soap header authentication.
Or Basic in http header
Implement the system in the following way.
The user should send an encrypted-format password and UserID in the first request.
The Password authentication logic can be unique to you but make sure that the password is not exposed in the SOAP message as plain text.
Next at your service side, implement a service handler which maintains a list of authenticated IP addresses.
Whenever a new IP address tries to contact your service, you validate its credentials and then if authenticated, you add the IP to your safe IP List.
In case the Authentication fails you reject the request.
In case of multiple services, implement a common Service Handler for them, and keep the IP list as a static variable.
Other than this, you can look into Web Service Security:
Oracle Doc
Wiki Page
and so on...