I'm currently using the python-social-auth/social-core lib with a Django app, which is configured (and working) to authenticate Wagtail CMS users with our (free) Azure Active Directory tenant.
Our NFRs stipulate that authentication should occur using OpenID Connect, and to this end we've installed "social-auth-core" with the "openidconnect" extra like this in requirements.txt:
```text
...
social-auth-core[openidconnect]
social-auth-app-django
...
```
Again, things seem to work A-OK and users can log in, but here's my problem, and I know I'm missing something here:
As far as I know, OpenID Connect is simply a modification/addition to OAuth 2.0 that gives OAuth superpowers of authentication, not just authorisation, but I don't know if my Django+Wagtail app is now just automagically configured to "just work" as/with OpenID Connect, or whether there's some additional logic/validation/config/whatever that I need to apply to the app.
I don't see anything relevant in the official python-social-auth docs for Azure AD, and I don't see how/if I need to explicitly enable OpenID within Azure AD itself.
Can anyone help?
Thank you.
I dug into the OpenID Connect docs for Azure AD and two things I identified as being indicators of OpenID:
That state=openid is used in the MS /oauth2/authorize endpoint
That openid responses arrive back with an OpenID "id_token" key
Docs:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
Authentication Response:
```json
{
  "token_type": "Bearer",
  "expires_in": "3599",
  "ext_expires_in": "3599",
  "expires_on": "1603915195",
  "access_token": "*****",
  "refresh_token": "*****",
  "id_token": "*****",
  "aud": "*****",
  "iss": "https://sts.windows.net/*****-*****-*****-*****-*****/",
  "iat": 1603911295,
  "nbf": 1603911295,
  "exp": 1603915195,
  "amr": [
    "pwd"
  ],
  "family_name": "Joe",
  "given_name": "Blow",
  "ipaddr": "***.***.***.***",
  "name": "Joe",
  "oid": "*****-*****-*****-*****-*****",
  "rh": "*****",
  "sub": "*****",
  "tid": "*****-*****-*****-*****-*****",
  "unique_name": "joe@somedomain.onmicrosoft.com",
  "upn": "joe@somedomain.onmicrosoft.com",
  "uti": "*****",
  "ver": "1.0"
}
```
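The "additional validation" the question asks about is the claim checking a relying party does on the id_token after the signature has been verified. The following is an added example, not code from the original post, from python-social-auth or from Microsoft; it assumes the JWT signature has already been checked against the tenant's JWKS (by your library or by you) and shows the claim checks that turn a signature-valid v1.0 id_token like the one above into an authenticated user. The tenant id, client id, nonce and the sample claims are constructed.

```python
"""Claim validation for an Azure AD v1.0 id_token (added example).

Assumes the token's RS256 signature was already verified against the
tenant's JWKS; this is the part that comes after that.
"""
import time

# Constructed sample shaped like the decoded id_token on this page.
TENANT_ID = "11111111-2222-3333-4444-555555555555"     # made up
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # made up app (client) id
SAMPLE_CLAIMS = {
    "aud": CLIENT_ID,
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": 1603911295,
    "nbf": 1603911295,
    "exp": 1603915195,
    "amr": ["pwd"],
    "oid": "99999999-8888-7777-6666-555555555555",
    "sub": "subject-value",
    "tid": TENANT_ID,
    "upn": "joe@somedomain.onmicrosoft.com",
    "nonce": "n-0S6_WzA2Mj",   # value we put in the authorize request
    "ver": "1.0",
}


class IdTokenError(ValueError):
    pass


def validate_id_token_claims(claims, *, tenant_id, client_id, expected_nonce,
                             now=None, skew=60):
    """Return (oid, tid, upn) if the claims are acceptable, else raise.

    now  -- seconds since epoch; defaults to the wall clock
    skew -- clock-skew tolerance in seconds for exp/nbf/iat
    """
    now = int(time.time()) if now is None else now

    # 1. Issuer and tenant. v1.0 tokens are issued by sts.windows.net/<tid>/.
    #    Pinning the tenant stops a token from another tenant of a
    #    multi-tenant app being accepted (check against an allow-list instead
    #    if your app is multi-tenant).
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        raise IdTokenError("issuer mismatch")
    if claims.get("tid") != tenant_id:
        raise IdTokenError("tenant mismatch")

    # 2. Audience must contain our client id; 'aud' may be a string or a list.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise IdTokenError("audience mismatch")
    # With several audiences OIDC requires 'azp', and it must be us.
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp mismatch")

    # 3. Time window.
    for name in ("exp", "nbf", "iat"):
        if not isinstance(claims.get(name), int):
            raise IdTokenError(f"missing or non-numeric {name}")
    if now >= claims["exp"] + skew:
        raise IdTokenError("token expired")
    if now < claims["nbf"] - skew:
        raise IdTokenError("token not yet valid")
    if claims["iat"] > now + skew:
        raise IdTokenError("token issued in the future")

    # 4. Nonce binds this id_token to the authorization request we sent,
    #    which is what defeats replay of a captured token.
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")

    # 5. Identify the user by the immutable oid/tid pair, not by upn or
    #    email, which an admin can reassign to a different person.
    for name in ("oid", "sub"):
        if not claims.get(name):
            raise IdTokenError(f"missing {name}")
    return claims["oid"], claims["tid"], claims.get("upn")


if __name__ == "__main__":
    print(validate_id_token_claims(
        SAMPLE_CLAIMS, tenant_id=TENANT_ID, client_id=CLIENT_ID,
        expected_nonce="n-0S6_WzA2Mj", now=1603911300))
```

The nonce and the oid/tid choice are the two points most often skipped: without the nonce an id_token obtained anywhere can be replayed to your login endpoint, and keying users on upn means a renamed or recycled account silently inherits the old user's Wagtail permissions.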
I am using React Native + Expo to do social sign-in via Cognito.
Everything is configured correctly; I know this because it worked, and after no change it stopped working, prompting an error.
I find it interesting because when I am in Cognito and I click 'launch hosted UI' it still works, but using my app displays the following error:
My aws-exports.js looks like this (cut to only the important info):
```javascript
"oauth": {
  "domain": "upliftXXXXXXXX.us-west-2.amazoncognito.com",
  "scope": [
    "phone",
    "email",
    "openid",
    "profile",
    "aws.cognito.signin.user.admin"
  ],
  "redirectSignIn": "exp://127.0.0.1:19000/--/",
  "redirectSignOut": "exp://127.0.0.1:19000/--/",
  "responseType": "code"
},
```
And my Cognito setup is:
Also, I am using basic sign-up/sign-in calls, all following https://docs.amplify.aws/lib/auth/social/q/platform/react-native/#setup-frontend
Yesterday I saw that GitLab has enabled OIDC JWT tokens for jobs in CI/CD. I know that CI_JOB_JWT_V2 is marked as an alpha feature.
I was trying to use it with Workload Identity Federation (WIF) on a GitLab runner with the gcloud CLI but I'm getting an error. When I tried to do it through the STS API I got the same error. What am I missing?
```json
{
  "error": "invalid_grant",
  "error_description": "The audience in ID Token [https://gitlab.com] does not match the expected audience."
}
```
My GitLab JWT token after decoding looks mostly like this (of course without details):
```json
{
  "namespace_id": "1111111111",
  "namespace_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz",
  "project_id": "<project_id>",
  "project_path": "xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service",
  "user_id": "<user_id>",
  "user_login": "<username>",
  "user_email": "<user_email>",
  "pipeline_id": "456971569",
  "pipeline_source": "push",
  "job_id": "2019605390",
  "ref": "develop",
  "ref_type": "branch",
  "ref_protected": "true",
  "environment": "develop",
  "environment_protected": "false",
  "jti": "<jti>",
  "iss": "https://gitlab.com",
  "iat": <number>,
  "nbf": <number>,
  "exp": <number>,
  "sub": "project_path:xxxxxxx/yyyyyyyy/zzzzzzzzzzz/hf_service:ref_type:branch:ref:develop",
  "aud": "https://gitlab.com"
}
```
In the GCP console I have a WIF pool with one provider, set to OIDC, named gitlab, with the issuer URL from https://gitlab.com/.well-known/openid-configuration.
I have tried to give the Service Account access to the whole pool but it makes no difference. The config created for this SA looks like the following:
```json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<projectnumber>/locations/global/workloadIdentityPools/<poolname>/providers/gitlab",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/gitlab-deployer@<projectid>.iam.gserviceaccount.com:generateAccessToken",
  "credential_source": {
    "file": "gitlab_token",
    "format": {
      "type": "text"
    }
  }
}
```
By default, workload identity federation expects the aud claim to contain the URL of the workload identity pool provider. This URL looks like this:
https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
But your token seems to use https://gitlab.com as audience.
Either reconfigure GitHub to use the workload identity pool provider URL as audience, or reconfigure the pool to use a custom audience by running
```shell
gcloud iam workload-identity-pools providers update-oidc ... \
  --allowed-audiences=https://gitlab.com
```
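The audience rule in the answer above is the whole story behind the invalid_grant error, and it is cheap to check locally before a job calls https://sts.googleapis.com/v1/token. The following is an added example, not Google's or GitLab's code and not part of the original answer: it reproduces the provider's audience decision (default audience versus an explicit allowed-audiences list), the attribute mapping, and an attribute condition that keeps other projects' and unprotected branches' tokens out of the pool. The project number, pool name, project path and claim values are constructed.

```python
"""What a Workload Identity Federation provider checks before exchanging a
CI job token (added example, not Google's implementation)."""

# The "audience" value of the external_account credential config: the
# provider's resource name without scheme. Project number/pool made up.
PROVIDER_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                     "workloadIdentityPools/gitlab-pool/providers/gitlab")
ISSUER_URI = "https://gitlab.com"   # the provider's configured issuer

# Constructed claims with the shape of the decoded CI_JOB_JWT_V2 above.
GITLAB_CLAIMS = {
    "iss": "https://gitlab.com",
    "aud": "https://gitlab.com",
    "sub": "project_path:acme/platform/hf_service:ref_type:branch:ref:develop",
    "project_path": "acme/platform/hf_service",
    "ref": "develop",
    "ref_type": "branch",
    "ref_protected": "true",
    "pipeline_source": "push",
}


def default_audiences(provider_audience):
    """Audiences accepted when --allowed-audiences is unset: the provider's
    full resource name, with or without the https: prefix."""
    if not provider_audience.startswith("//iam.googleapis.com/projects/"):
        raise ValueError("not a workload identity pool provider resource name")
    return {provider_audience, "https:" + provider_audience}


def audience_accepted(claims, provider_audience, allowed_audiences=()):
    """True if the token's aud (string or list) matches an accepted audience.
    An explicit allowed list replaces the default, it does not extend it."""
    expected = set(allowed_audiences) or default_audiences(provider_audience)
    aud = claims.get("aud")
    present = set(aud) if isinstance(aud, list) else {aud}
    return bool(present & expected)


def map_attributes(claims):
    """Equivalent of the provider attribute mapping
         google.subject=assertion.sub
         attribute.project_path=assertion.project_path
         attribute.ref_protected=assertion.ref_protected
    google.subject is limited to 127 characters."""
    subject = claims.get("sub") or ""
    if not subject or len(subject) > 127:
        raise ValueError("google.subject missing or longer than 127 characters")
    return {
        "google.subject": subject,
        "attribute.project_path": claims.get("project_path", ""),
        "attribute.ref_protected": claims.get("ref_protected", ""),
    }


def attribute_condition(attrs, project_prefix):
    """Equivalent of the CEL attribute condition
         attribute.project_path.startsWith("<prefix>") && attribute.ref_protected == "true"
    Without it every job of every project on gitlab.com with the right aud
    could try to impersonate the service account."""
    return (attrs["attribute.project_path"].startswith(project_prefix)
            and attrs["attribute.ref_protected"] == "true")


def evaluate(claims, provider_audience=PROVIDER_AUDIENCE, issuer=ISSUER_URI,
             allowed_audiences=(), project_prefix="acme/platform/"):
    """Return (accepted, reason_or_subject) as the provider would decide."""
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if not audience_accepted(claims, provider_audience, allowed_audiences):
        return False, (f"audience {claims.get('aud')!r} does not match "
                       "the expected audience")
    attrs = map_attributes(claims)
    if not attribute_condition(attrs, project_prefix):
        return False, "attribute condition rejected the token"
    return True, attrs["google.subject"]


if __name__ == "__main__":
    # The token as posted: aud=https://gitlab.com -> the error in the question.
    print(evaluate(GITLAB_CLAIMS))
    # Fix 1: provider updated with --allowed-audiences=https://gitlab.com.
    print(evaluate(GITLAB_CLAIMS, allowed_audiences=["https://gitlab.com"]))
    # Fix 2: the job's token carries the provider URL as its aud.
    print(evaluate(dict(GITLAB_CLAIMS, aud="https:" + PROVIDER_AUDIENCE)))
```

Of the two fixes, allowing https://gitlab.com as audience is the quick one, but it means the same job token is also a valid credential for any other relying party that accepts that audience; a token minted specifically for the provider URL is the tighter choice when the CI system can issue one.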
I have a WSO2 APIM 3.2 setup with WSO2 KM 5.10. I have configured the APIM to pass end-user attributes to the backend but cannot get the role claim returned. The APIM and the key manager are on separate machines. I seem to get just the standard claims returned. I have enabled the required sections of the deployment.toml and I'm not seeing what I have wrong; any help would be appreciated.
```toml
[apim.jwt]
enable = true
claim_dialect = "http://wso2.org/claims"
claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever"
```
Here is what is returned:
```json
{
  "http://wso2.org/claims/apiname": "xxxxxxxx",
  "http://wso2.org/claims/applicationtier": "Unlimited",
  "http://wso2.org/claims/version": "1.0.0",
  "http://wso2.org/claims/keytype": "PRODUCTION",
  "iss": "wso2.org/products/am",
  "http://wso2.org/claims/applicationname": "xxxxxx",
  "http://wso2.org/claims/enduser": "xxxxxx",
  "http://wso2.org/claims/enduserTenantId": "-1234",
  "http://wso2.org/claims/applicationUUId": "348d1ff9-06f5-4f3f-aa94-83f32f4a1f2a",
  "http://wso2.org/claims/subscriber": "xxxxxxx",
  "azp": "NjYtixQB4VbFLeunCrj1U1ZYcfga",
  "http://wso2.org/claims/tier": "Unlimited",
  "scope": "openid",
  "exp": 1601500346,
  "http://wso2.org/claims/applicationid": "8",
  "http://wso2.org/claims/usertype": "Application_User",
  "http://wso2.org/claims/apicontext": "/xxxxxxxxxxx"
}
```
```json
{
  "sub": "admin@carbon.super",
  "aud": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
  "nbf": 1602022037,
  "azp": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
  "scope": "am_application_scope default",
  "iss": "https://xxxxxxxxxxxxxxxx",
  "exp": 1602025637,
  "iat": 1602022037,
  "jti": "7845227d-6800-4ff2-9982-3d338e45abb6"
}
```
There are two ways to include user claims in the backend JWT:
Implement a custom token generator
Add the required claims to the JWT access token
Adding required claims to the JWT access token
With APIM 3.2.0, only JWT access tokens are issued for the new applications it registers. To include any user claims in the backend JWT, the required claims must be present in the JWT access token, since the gateway generates the backend JWT from it.
To include user claims in the JWT access token, follow the steps below.
Identify the service provider for the application from the management console
Edit the service provider and configure the requested claims under the Claim Configuration menu
Generate an access token with the openid scope
```shell
curl -k -X POST https://localhost:8243/token \
  -d "grant_type=client_credentials&scope=openid" \
  -H "Authorization: Basic VEJEMXJZazZpSWVlaTlnVzRNTENBYXNEQW9JYTpkRnJ0bVJjaklqUUtkSVVYeVY4aWxlZjBQNWdh"
```
An access token will be issued with the requested claims:
```json
{
  "sub": "admin@carbon.super",
  "aud": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
  "nbf": 1602047260,
  "azp": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
  "scope": "am_application_scope openid",
  "iss": "https://localhost:9443/oauth2/token",
  "groups": [
    "Internal/subscriber",
    "Internal/creator",
    "Application/apim_devportal",
    "Application/admin_sample_PRODUCTION",
    "Internal/publisher",
    "Internal/everyone",
    "Internal/devops",
    "Application/apim_admin_portal",
    "Application/admin_key1_PRODUCTION",
    "admin",
    "Internal/analytics",
    "Application/apim_publisher"
  ],
  "exp": 1602050860,
  "iat": 1602047260,
  "jti": "d74a617e-e976-42f4-8323-c1c2271d046e"
}
```
Access an API with the above access token, and the backend JWT will contain the required claims.
How do I add user roles to the JWT generated through the OAuth2 Password Grant as described here:
I tried this approach but it adds custom claims only to the JWT passed to the backend; there is nothing in the JWT used to authenticate clients.
What I'm trying to do is add a login page to an Angular application and call https://[APIM]/token to get a token when authentication succeeds. Roles are important to render the correct menus based on user roles.
Thanks in advance,
You need to request the token with openid scope to retrieve the additional user information as claims of the JWT token. You can refer https://apim.docs.wso2.com/en/latest/learn/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/ for more details.
For instance, if you want to get the user roles in the generated JWT, you can add the http://wso2.org/claims/role claim as a requested claim under Claim Configuration to the service provider you are using from the carbon console. Refer https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping for more details.
Then when you are invoking the token endpoint, you need to add the openid scope.
```shell
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" \
  -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://<GATEWAY_HOSTNAME>:<PORT>/token
```
The generated JWT token payload will be something like this:
```json
{
  "sub": "admin",
  "aut": "APPLICATION_USER",
  "aud": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
  "nbf": 1610395871,
  "azp": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
  "scope": "openid",
  "iss": "https://localhost:9443/oauth2/token",
  "groups": [
    "Internal/subscriber",
    "Internal/creator",
    "Application/admin_DefaultApplication_PRODUCTION",
    "Application/apim_devportal",
    "Internal/publisher",
    "Internal/everyone",
    "Internal/devops",
    "Application/apim_admin_portal",
    "admin",
    "Internal/analytics",
    "Application/apim_publisher"
  ],
  "exp": 1610399471,
  "iat": 1610395871,
  "jti": "75ddfca2-5088-435d-825a-3320efc10036"
}
```
Hope this helped!
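Both WSO2 answers above (the APIM 3.2 one with the client-credentials grant and this one with the password grant) put the roles into the JWT once the openid scope is requested and the role claim is configured on the service provider. The consumer side is what the Angular question actually needs, so here is an added example that is not part of either answer and not WSO2 code: it splits the compact JWT, refuses unsigned tokens, checks expiry and the openid scope, reads the roles from the `groups` claim (or from `http://wso2.org/claims/role`, which is assumed here to arrive as a comma-separated string), and maps them to menu entries. The token is constructed from the claim shape on the page with a fake signature; verifying the RS256 signature against the key manager's JWKS is assumed to happen before any of these values are trusted and is not implemented here.

```python
"""Reading roles out of a WSO2 JWT on the client (added example, not WSO2 code).

Signature verification against the key manager's JWKS must run before the
claims are trusted; it is out of scope for this file.
"""
import base64
import json
import time

# Claim names that carry roles: 'groups' in the JWT access token on this page,
# 'http://wso2.org/claims/role' when that claim is requested for the service
# provider (assumed to be a comma-separated string in that case).
ROLE_CLAIMS = ("groups", "http://wso2.org/claims/role")

# Assumed mapping from roles to Angular menu entries for the demo.
MENU_RULES = {
    "admin": {"admin"},
    "publisher": {"Internal/publisher", "admin"},
    "devportal": {"Internal/subscriber", "Internal/everyone"},
}

# Constructed payload with the shape of the password-grant token above.
SAMPLE_PAYLOAD = {
    "sub": "admin",
    "aut": "APPLICATION_USER",
    "aud": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
    "azp": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
    "scope": "openid",
    "iss": "https://localhost:9443/oauth2/token",
    "groups": ["Internal/subscriber", "Internal/publisher",
               "Internal/everyone", "admin"],
    "nbf": 1610395871,
    "iat": 1610395871,
    "exp": 1610399471,
}


def _b64url_decode(segment):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(payload, alg="RS256"):
    """Build a demo JWT with a fake signature (constructed, never a real token)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.ZmFrZS1zaWduYXR1cmU"


def decode_claims(token):
    """Return (header, payload) of a compact JWT. Refuses alg=none so an
    attacker-built unsigned token never reaches the role logic."""
    try:
        h, p, _sig = token.split(".")
    except ValueError:
        raise ValueError("not a three-part compact JWT") from None
    header = json.loads(_b64url_decode(h))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token rejected")
    return header, json.loads(_b64url_decode(p))


def roles_from_payload(payload, *, now=None, skew=60):
    """Return the set of roles in the token; raise if it is expired."""
    now = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp + skew:
        raise ValueError("token expired or has no exp")
    if "openid" not in payload.get("scope", "").split():
        # Without the openid scope the user claims were never requested.
        return set()
    for name in ROLE_CLAIMS:
        value = payload.get(name)
        if isinstance(value, list):
            return set(value)
        if isinstance(value, str):
            return {r.strip() for r in value.split(",") if r.strip()}
    return set()


def visible_menus(roles):
    """Menu entries whose required role set intersects the user's roles."""
    return sorted(menu for menu, required in MENU_RULES.items()
                  if roles & required)


if __name__ == "__main__":
    _, claims = decode_claims(make_sample_token(SAMPLE_PAYLOAD))
    print(visible_menus(roles_from_payload(claims, now=1610395900)))
```

Menus derived this way are a convenience for the UI only; the APIs behind them still have to enforce the same roles server-side, because anyone can edit the JWT they hold in the browser.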
I have an application that communicates with WSO2 AM 2.1.0 using its REST API.
Right now I'm working on the application subscription part. I need to create a feature that is able to refresh the accessToken, which is keys[0].token.accessToken in the JSON below.
```http
GET https://localhost:9443/api/am/store/v0.11/applications/896658a0-b4ee-4535-bbfa-806c894a4015
Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8

HTTP/1.1 200 OK
Content-Type: application/json

{
  "groupId": "",
  "callbackUrl": null,
  "subscriber": "admin",
  "throttlingTier": "Unlimited",
  "applicationId": "896658a0-b4ee-4535-bbfa-806c894a4015",
  "description": null,
  "status": "APPROVED",
  "name": "DefaultApplication",
  "keys": [ {
    "consumerKey": "AVoREWiB16kY_GTIzscl40GYYZQa",
    "consumerSecret": "KXQxmS8W3xDvvJH4AfR6xrhKIeIa",
    "keyState": "COMPLETED",
    "keyType": "PRODUCTION",
    "supportedGrantTypes": null,
    "token": {
      "validityTime": 3600,
      "accessToken": "3887da6d111f0429c6dff47a46e87209",
      "tokenScopes": [
        "am_application_scope",
        "default"
      ]
    }
  }]
}
```
I ended up reading this documentation, https://docs.wso2.com/display/AM210/Token+API, and I think that is not the documentation I'm searching for. The token API there is used to refresh the access token to WSO2, not for refreshing the application subscription token.
Is there any way to do this?
The Store API uses the client-credentials grant type to generate an access token. That is why you don't get a refresh token in the response. You can do the following.
Use the API: https://docs.wso2.com/display/AM210/apidocs/store/
Create an application in the APIM Store. (/applications)
Get the consumerKey and consumerSecret of the application by generating the keys. (/applications/generate-keys)
Use the password grant type and generate a token. https://docs.wso2.com/display/AM210/Password+Grant
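The steps above end with a password-grant token, which, unlike the client-credentials token in the Store API response, comes with a refresh_token; refreshing it is then a second call to the same /token endpoint with grant_type=refresh_token, which is the Token API the question links. The following is an added example, not WSO2 code and not part of the answer: the request-building and response-parsing helpers run offline, while send() does the real HTTPS POST and assumes the gateway token endpoint at https://localhost:8243/token with the consumerKey/consumerSecret from the application JSON in the question. The sample response strings are constructed.

```python
"""Password-grant token plus refresh for an APIM application (added example).

send() is the only part that talks to the network; it is assumed to target
https://localhost:8243/token and is not exercised here.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://localhost:8243/token"   # assumed gateway token endpoint

# From the application JSON in the question.
CONSUMER_KEY = "AVoREWiB16kY_GTIzscl40GYYZQa"
CONSUMER_SECRET = "KXQxmS8W3xDvvJH4AfR6xrhKIeIa"


def basic_auth_header(consumer_key, consumer_secret):
    """HTTP Basic value for 'consumerKey:consumerSecret' (what curl -u sends)."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username, password, scopes=()):
    fields = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        fields["scope"] = " ".join(scopes)
    return urllib.parse.urlencode(fields)


def refresh_grant_body(refresh_token, scopes=()):
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scopes:
        fields["scope"] = " ".join(scopes)
    return urllib.parse.urlencode(fields)


def parse_form(body):
    """Decode an x-www-form-urlencoded body back into a dict (used in tests)."""
    return dict(urllib.parse.parse_qsl(body))


class TokenSet:
    """Access/refresh token pair with expiry bookkeeping."""

    def __init__(self, access_token, refresh_token, expires_at, scopes):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at       # epoch seconds
        self.scopes = scopes

    @classmethod
    def from_response(cls, body, now):
        """Parse a /token JSON response received at time 'now' (epoch seconds)."""
        data = json.loads(body)
        if "error" in data:
            raise RuntimeError(f"token endpoint error: {data['error']}: "
                               f"{data.get('error_description', '')}")
        if "refresh_token" not in data:
            # The situation in the question: a client_credentials token has
            # no refresh token and can only be re-minted, not refreshed.
            raise RuntimeError("no refresh_token in response; use the password grant")
        return cls(data["access_token"], data["refresh_token"],
                   now + int(data["expires_in"]), data.get("scope", "").split())

    def needs_refresh(self, now, margin=60):
        """True when the access token expires within 'margin' seconds."""
        return now >= self.expires_at - margin


def send(url, body, auth_header):
    """POST a form body to the token endpoint and return the response text."""
    req = urllib.request.Request(
        url, data=body.encode("ascii"), method="POST",
        headers={"Authorization": auth_header,
                 "Content-Type": "application/x-www-form-urlencoded"})
    # The page's curl examples use -k; TLS verification stays on here, so the
    # gateway certificate has to be trusted by the client.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def login(username, password, now, send_fn=send):
    """Password grant with openid so user claims land in the token."""
    body = password_grant_body(username, password, ("openid",))
    auth = basic_auth_header(CONSUMER_KEY, CONSUMER_SECRET)
    return TokenSet.from_response(send_fn(TOKEN_URL, body, auth), now)


def refresh_if_needed(tokens, now, send_fn=send, margin=60):
    """Return a usable TokenSet, refreshing when the access token is nearly stale.
    Store the new refresh_token: the old one may be invalidated on use."""
    if not tokens.needs_refresh(now, margin):
        return tokens
    auth = basic_auth_header(CONSUMER_KEY, CONSUMER_SECRET)
    body = refresh_grant_body(tokens.refresh_token)
    return TokenSet.from_response(send_fn(TOKEN_URL, body, auth), now)
```

Keep the consumerSecret and the refresh token server-side; the refresh token is a long-lived credential for the user, and the application keys are what let anyone mint tokens for that application at all.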