I need this feature in WSO2 Publisher or Devportal:
I have one api that need dynamic access token and Also I have another api with static Basic Authentication to provide that dynamic Access Token. Unfortunately I could not solve this with mediation. The policy is simple But I don't know whether WSO2 has this simple feature or not?
process: token api with basic Auth ==> provide dynamic access token ==> use access token in main api body and send.
Main API is our Endpoint in WSO2 API.
I could not solve this with Endpoint Security(Oauth2) and mediation(XML).
Version of WSO2-AM is 4.1.0 and this version is latest now.
Have you thought about using a vault, such as Hashicorp Vault, to fetch the the basic auth credentials.
From there use a custom sequence [2] that gets the token (step 1 in your diagram) and then get the token check results you need (step 2).
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/setup/mi-setup/security/using-hashicorp-secrets/
[2] https://apim.docs.wso2.com/en/latest/reference/mediators/sequence-mediator/
Related
I read about JWT and i think i understand how it works, but when things come to ballerina examples i don't understand anything:
How do i set the algorithm which i want to use along with JWT and the expiration time?
How do i use a custom private key?
How can i get the token from this example for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
May be how can i get the token using CURL (for testing purposes)?
Also i'm wondering how to use the JWT without the need of having a database with users and passwords..
I'm absolutely new to security and ballerina also. Can anybody help please?
Ballerina JWT module [1] provides following functionalities.
Issue a JWT
You can issue/generate a JWT by providing jwt:JwtIssuerConfig. You can configure username, issuer, audience, expiration time, signing algorithm, custom claims and configuration for signature (key-store config). Please refer to API docs of jwt:JwtIssuerConfig [2]. Example code can be found at [3].
Validate a JWT
You can validate a JWT by providing jwt:JwtValidatorConfig. You can configure expected issuer, expected audience, clock skew, cache configuratons and configurations for validating signature (trust-store config). Please refer to API docs of jwt: JwtValidatorConfig [4]. Example code can be found at [3].
Secure a service with JWT
You can use JWT to secure and HTTP service. The Authorization header of the inbound HTTP request will get validated and authenticated according to the provided configurations. Please refer to API docs of jwt:InboundJwtAuthProvider [5]. Example code can be found at [6].
Calling to a service with JWT
You can use JWT to call to an external server which is authenticated with JWT. The outbound HTTP request is prepared with the Authorization header according the provided configurations. Please refer to API docs of jwt:OutboundJwtAuthProvider [7]. Example code can be found at [8].
Answers for the questions:
How do i set the algorithm which i want to use along with JWT and the expiration time?
You can configure jwt:JwtIssuerConfig [2] as described above.
How do i use a custom private key?
You can configure the jwt:JwtKeyStoreConfig field of jwt:JwtIssuerConfig [2], with your custom private key.
How can i get the token from this example for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
May be how can i get the token using CURL (for testing purposes)?
This is a sample service which is secured with JWT. The token used to invoke this service is provided at the bottom of the sample. How to invoke this service with CURL is also provided.
Also i'm wondering how to use the JWT without the need of having a database with users and passwords..
All of the above samples, does not need any database or file store. All the configurations are provided in the code itself. If there is any requirement to retrieve data from database, that is also possible.
References:
1 https://ballerina.io/learn/api-docs/ballerina/jwt/index.html
2 https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtIssuerConfig.html
3 https://ballerina.io/learn/by-example/jwt-issue-validate.html
4 https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtValidatorConfig.html
5 https://ballerina.io/learn/api-docs/ballerina/jwt/objects/InboundJwtAuthProvider.html
6 https://ballerina.io/learn/by-example/secured-service-with-jwt-auth.html
7 https://ballerina.io/learn/api-docs/ballerina/jwt/objects/OutboundJwtAuthProvider.html
8 https://ballerina.io/learn/by-example/secured-client-with-jwt-auth.html
I am fairly new to wso2is.
I added an SP with oauth/oidc and got the client credentials.
But when I call the token endpoint to generate an access token (client_credentials flow), I get a guid/reference token. How do I get a self-contained JWT?
Also, the discovery endpoint and introspection not available in 5.2.0?
TIA.
As of now there are is no out of the box solution to get self-contained JWT as an access token from WSO2 Identity Server. However, we have an extension point[1] to write one to suit your requirements.
If I give you the steps in short,
Write an accessToken issuer class implementing this interface. Instead of the GUID, you return the signed JWT.
Create jar and add it to IS_HOME/repository/components/dropins
Add the fully qualified classname to IS_HOME/repository/conf/identity/identity.xml by adding a <IdentityOAuthTokenGenerator> tag under <OAuth> section.
Check out the default accessTokenIssuer code to get an idea[2]. Discovery endpoint and Introspection endpoint have been added in IS 5.3.0. Try out the alpha version from [3]
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuer.java#L25-L25
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuerImpl.java
[3] https://github.com/wso2/product-is/releases/download/v5.3.0-alpha/wso2is-5.3.0-alpha.zip
Update
Follow this blog post https://medium.com/#hasinthaindrajee/self-contained-access-tokens-with-wso2-identity-server-82111631d5b6#.s0q3xt6od to get your use case done :)
I am new to WSO2 Identity Server(4.6). I have a use case, where I have a rest service on ESB (WSO2 ESB 4.9). And I would like to give resource level access to various users.
I thought of using WSO2 identity server for authorizing the user and using the token for accessing the rest service. I was going through the playground example, but that is not something I would like to do, where the Authorize service opens the Identity Server Authorization Service. It seems to be sequential, and assumes that the user/resource owner are the same.
I would like to do all that programatically, and just give the aothorization code to the user, and let him call the token service to get the token. Is this possible?
Thank you
You can use the https://localhost:8243/token endpoint for your use case. You can refer to below links for more information
https://docs.wso2.com/display/IS500/OAuth+Token+Revocation+with+WSO2+Identity+Server
https://docs.wso2.com/display/AM190/Token+API
I have the two applications that both support SAML2 SSO using WSO2 Identity Server. During application bootstrap (when still no user request is processed) i need one of the applications to get information from the other using REST call. However this REST call should provide a SAML token for security purposes. I need a way to remotely get SAML2 token and use it for REST calls. I have read a post about rest sts client without esb however i can't find a sample code on how to get a SAML token for my REST calls. What is the way to obtain such SAML token? Is there sample source code?
You can follow this blog [1] get passive STS sample. But if you are using WSO2 Identity server 5.0 user interface bit different than in this blog.
[1] http://dulanja.blogspot.com/2013/09/passive-sts-java-sample-with-wso2.html
I'm considering securing a whole Java EE software platform with OpenAM (prev. Sun OpenSSO). Applications - running on WebLogic AS - would be secured by a JEE Policy Agent and web services with WS-Security SAML Token Profile.
As of my understanding, the SSOTokenManager enables application code to retrieve OpenAM's SSO token. But in order to invoke the SAML protected Web Services, I need to obtain a SAML Assertion from OpenAM. Can anybody tell me how to do so ?
Also, in the Web Service code, I may need to get back a SSO Token from a SAML assertion. Is that possible ?
You should be able to achieve both conversions using OpenSSO's Security Token Service. There is a tutorial for configuring it.
The SSOToken is an internal OpenAM representation of a users session, whilst a SAML token is an asserted identity with associated information. As such, these are not directly translatable in the way you describe.
In order to obtain a SAML token for use in your web service call, you should look at the STS functionality in OpenAM. The is a standardised service that will authenticate users and then make an assertion about the identity and authentication of the user, represented by a SAML token. This token is then returned to the calling entity (the web service client) who can include this token as per the relevant WS-* standards.
You may also want to look at the OpenAM wss provider or the Metro/WSIT library to assist implementation on the client side.