Calling local authenticator from REST call - wso2

In the examples cited in this post the flow is through an app that authenticates and issues an access token. What I am trying to do now is to get a token via the https://localhost:9443/oauth2/token endpoint and be able to execute a local authenticator (LA) during the authentication process. However, upon calling the endpoint I don't see my LA being called. I see it being active in the OSGi console. Does a local authenticator work only with a web application?

We cannot use the custom local authenticators to authenticate the REST API, but you can achieve the same by writing a custom grant type [1]. You can pass the attributes to verify against the users as parameters.
[1]https://is.docs.wso2.com/en/latest/learn/writing-a-custom-oauth-2.0-grant-type/#writing-a-custom-oauth-20-grant-type

Related

Generate JWT in WSO2 by authenticating user via a different server

How can I use WSO2 (5.11) IS to generate a JWT with information stored on a server that is not WSO2 and that is used for authentication? My use case is to log in a user via WSO2 IS, but the actual authentication will happen on a different server, not WSO2. In turn this server, upon authenticating the user, will call WSO2 to generate a JWT with custom data that it sends. If I understand this post correctly, I need to create a local authenticator; is this the approach I should take in my use case?
Moreover, if this approach is possible, will I be able to use WSO2 SSO to allow the user to access applications on the remote server, or is WSO2 SSO strictly for applications running on the WSO2 server itself?
Since you need to connect to some external store using a REST API, you can write a custom local authenticator and deploy it into Identity Server. You can implement the custom local authenticator to call your store using some REST API and authenticate the user.
[1]https://is.docs.wso2.com/en/5.9.0/develop/writing-a-custom-local-authenticator/
[2]https://github.com/vihanga-liyanage/samples-is-1/tree/master/custom-local-authenticator
[3]https://everything1know.wordpress.com/2019/09/17/wso2-is-custom-local-authenticator/

want to push/pull data into/from SalesForce Accounts/leads from/to my external web app

I have my web application. Now I want to integrate Salesforce into my web app so that I can push data from my app to any Salesforce org after the authentication (OAuth).
I found 2 ways:
1. Connected Apps
2. Via generating a WSDL file and using it
I created a connected app from my developer account and I authenticated using the consumer key and consumer secret key (from my connected app) and the username of the user and the secret token of the user account.
I tried with another free trial account; it's validating and fetching the details, and posting data is also working.
My question is: do I have to deploy my connected app to the AppExchange before I can use the REST APIs?
Is generating a WSDL and coding around it a better option than the above?
Is there an option where one-time authentication is enough for any number of sessions using the REST APIs?
Please suggest the best way to proceed.
You're mixing up a couple of independent issues here.
If you're going to authenticate via OAuth, you must have a Connected App.
A SOAP API login() call requires you to store a username and password, which is undesirable.
There is no way to "permanently" authenticate, i.e., to get a session id that never expires. Your app must always be ready to get a new access token via the OAuth refresh token it obtains and stores (via, for example, the Web Server OAuth flow), or to reauthenticate via JWT flow.
Connected Apps are global metadata in most cases. You don't need to deploy a Connected App into a target org in order to authenticate using its Client Id and Secret into that org. The only exception I'm aware of is if you want to use the JWT flow with a certificate and preauthorized Profiles and Permission Sets.
Based on what you've shared, I don't see any reason for the AppExchange to be involved.

How to authenticate to an API using an external identity provider?

I have the following setup on the same machine:
WSO2-AM
WSO2-IM-KM (Identity manager as key manager)
The identity manager federates authentication to an external OpenID identity provider.
What I've done so far:
Share the databases between the two components
Make WSO2-AM delegate the authentication to WSO2-IM-KM
Configure the external provider to the generated service provider (generated in WSO2-IM-KM when creating an application in WSO2-AM store)
The current behavior:
I can obtain an authorization code by calling the following URL: https://my.site:9444/oauth2/authorize?response_type=code&client_id=pkYcC4xFQ1jt6dQbdZAe6savv4oa&scope=phone+email+address+openid+profile&redirect_uri=https://my.site:9443/store/jagg/jaggery_oidc_acs.jag&nonce=3734e7d4c22f1&state=128d20e14c884. The authentication succeeds, then the jaggery_oidc_acs.jag endpoint fails.
Since the jaggery_oidc_acs.jag endpoint fails, I manually retrieve the code, then POST it to https://my.site:8243/token, which returns me an access_token, a refresh_token, and an id_token.
My problems:
How am I supposed to automate the manual step I described before? Am I in charge of creating a dedicated endpoint to do it, in order to keep the authorization_code obfuscated from the client, or is there a built-in endpoint in WSO2? If appropriate, what is this endpoint?
Is there an endpoint that generates the oauth2/authorize URL?
After further research:
I have found the following document, https://docs.wso2.com/display/IS540/Authorization+Code+Grant, that seems to indicate that I need a "client", but I don't have one; I just need my API to be authenticated with the external identity provider.
Answering problem 01
If you want to use the authorization code grant type to get an access token, there definitely needs to be a callback URL to receive the authorization code. If your callback URL is real, no manual step is needed; simply retrieve the authorization code from the request query parameters sent to the callback URL. You can check this behavior in the playground2 sample application [1], where the callback URL is http://localhost:8080/playground2/oauth2client.
Answering problem 02
Please check the OAuth2AuthzEPUrl tag in identity.xml.
[1] https://docs.wso2.com/display/IS570/Setting+Up+the+Sample+Webapp

Web API authentication using OAuth 2.0 token and Azure Active Directory (Without Authentication Server)

Is there a way to authenticate a Microsoft or Google OAuth token in Active Directory without using an authentication server?
Here is the scenario:
A client app gets a Microsoft access_token from some external service.
The client app will make a call to some secured web API and pass that access_token along in the request header.
If the access_token passed by the client is valid, then the API will provide a response to the client.
Is there a way to validate that access_token on the API side?
My normal understanding of OAuth 2.0 is that there needs to be an authentication server to which both the client and the API talk, as shown in the figure below:
But if the token is provided by some external service, can we use it to validate our web API? Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.

Django API fronted by Azure API gateway

I have a Django application that currently stores user credentials and performs authorization and authentication. I am in the process of breaking off the front-end into an Angular SPA and converting the backend to a REST API. My Django API will live as an Azure API app protected by Azure API Gateway. I would like to remove the authentication piece from Django and allow users to sign in using OpenID Connect through either Google or Microsoft Account. What I would like to happen is this:
When a user visits the site, assuming they have never registered with my app, they will have the option to sign in with their Google account or Microsoft Account. If the user decides to sign in using their Google or Microsoft account, (this is where I'm confused and why I'm posting here ... ) I think what happens is the API Gateway performs the authentication, generates a JSON Web Token (JWT), and sends that token back to the Django API. Django receives the JWT, decrypts it, and checks to see if there is a user account matching the email address in the JWT. If there is not a user account, Django will add a user to the user accounts table (not storing a password). If there is a user matching that email address, then Django allows the user in.
All that said, I guess my question(s) are:
Should I do the authentication at the API Management Gateway or should I do it at the Azure Web API?
Can I use Django's built-in authentication system to do what I want or is that not needed?
Am I over-complicating all of this? Is there an easier way to do this? All this seems like a lot of work.
Is OpenID Connect what I should be using (instead of OAuth2)? I have no experience with either.
Azure API Management does not actually provide any kind of JWT issuing mechanism, so you'll have to implement that yourself. The endpoints for doing that may or may not be exposed via API Management.
What possibly gets you confused is the fact that the APIm Portal supports various identity providers, like Twitter or Google, to sign up for the API. But these are not your application users; these are for the API Portal users.
What you can do with the APIm Gateway is to validate, on subsequent calls to your backend API, that the supplied JWT token is valid (using the <validate-jwt> policy).