I have a WSO2 APIM 3.2 setup with WSO2 KM 5.10. I have configured the APIM to pass end-user attributes to the backend but cannot get the role claim returned. APIM and the key manager are on separate machines. I seem to get just the standard claims returned. I have enabled the required sections of the deployment.toml and I'm not seeing what I have wrong; any help would be appreciated.
[apim.jwt]
enable = true
claim_dialect = "http://wso2.org/claims"
claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever"
Here is what is returned.
{
"http://wso2.org/claims/apiname": "xxxxxxxx",
"http://wso2.org/claims/applicationtier": "Unlimited",
"http://wso2.org/claims/version": "1.0.0",
"http://wso2.org/claims/keytype": "PRODUCTION",
"iss": "wso2.org/products/am",
"http://wso2.org/claims/applicationname": "xxxxxx",
"http://wso2.org/claims/enduser": "xxxxxx",
"http://wso2.org/claims/enduserTenantId": "-1234",
"http://wso2.org/claims/applicationUUId": "348d1ff9-06f5-4f3f-aa94-83f32f4a1f2a",
"http://wso2.org/claims/subscriber": "xxxxxxx",
"azp": "NjYtixQB4VbFLeunCrj1U1ZYcfga",
"http://wso2.org/claims/tier": "Unlimited",
"scope": "openid",
"exp": 1601500346,
"http://wso2.org/claims/applicationid": "8",
"http://wso2.org/claims/usertype": "Application_User",
"http://wso2.org/claims/apicontext": "/xxxxxxxxxxx"
}
{
"sub": "admin#carbon.super",
"aud": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
"nbf": 1602022037,
"azp": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
"scope": "am_application_scope default",
"iss": "https://xxxxxxxxxxxxxxxx",
"exp": 1602025637,
"iat": 1602022037,
"jti": "7845227d-6800-4ff2-9982-3d338e45abb6"
}
There are two ways to include user claims in the backend JWT:
Implement custom token generator
Adding required claims to the JWT access token
Adding required claims to the JWT access token
With APIM 3.2.0, only JWT access tokens are supported for the new applications it registers. To include any user claims in the backend JWT, the required claims must already be in the JWT access token, since the GW is responsible for generating the backend JWT.
To include user claims in the JWT access token, follow the steps below.
Identify the service provider for the application from the management console.
Edit the service provider and configure the requested claims under the Claim Configuration menu.
Generate an access token with the openid scope.
curl -k -X POST https://localhost:8243/token -d "grant_type=client_credentials&scope=openid" -H "Authorization: Basic VEJEMXJZazZpSWVlaTlnVzRNTENBYXNEQW9JYTpkRnJ0bVJjaklqUUtkSVVYeVY4aWxlZjBQNWdh"
An access token will be issued with the requested claims.
{
"sub": "admin#carbon.super",
"aud": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
"nbf": 1602047260,
"azp": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
"scope": "am_application_scope openid",
"iss": "https://localhost:9443/oauth2/token",
"groups": [
"Internal/subscriber",
"Internal/creator",
"Application/apim_devportal",
"Application/admin_sample_PRODUCTION",
"Internal/publisher",
"Internal/everyone",
"Internal/devops",
"Application/apim_admin_portal",
"Application/admin_key1_PRODUCTION",
"admin",
"Internal/analytics",
"Application/apim_publisher"
],
"exp": 1602050860,
"iat": 1602047260,
"jti": "d74a617e-e976-42f4-8323-c1c2271d046e"
}
Access an API with the above access token and the backend JWT will contain the required claims.
Related
I have used AWS Cognito for the authentication of my web application. The authentication provider is Intuit. The whole authentication part works fine and I'm able to get the Access Token, ID Token and Refresh Token from AWS Cognito after the authorization from Intuit is successful. But when the Access Token obtained from AWS Cognito is used as the Authorization Bearer token with the Intuit API ( https://quickbooks.api.intuit.com/v3/company/**************/query?query=select%20*%20from%20CompanyInfo&minorversion=63 ), the error occurs. Below is the response I get (screenshot attached).
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<IntuitResponse time="2022-04-06T05:36:37.063-07:00" xmlns="http://schema.intuit.com/finance/v3">
<Fault type="AUTHENTICATION">
<Error code="3200">
<Message>message=AuthenticationFailed; errorCode=003200; statusCode=401</Message>
</Error>
</Fault>
</IntuitResponse>
I tried using Intuit's access token directly by getting it from the Intuit Playground and used it with the same API, which gives the successful expected response.
When the JWT token obtained from AWS Cognito is decoded with https://jwt.io/ , below are its decoded values ...
{
"sub": "<<HIDDEN FOR PRIVACY REASONS>>",
"cognito:groups": [
"Intuit-Users"
],
"token_use": "access",
"scope": "phone openid profile email",
"auth_time": 1649248040,
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_jnCqrZ6om",
"exp": 1649334440,
"iat": 1649248040,
"version": 2,
"jti": "<<HIDDEN FOR PRIVACY REASONS>>",
"client_id": "<<HIDDEN FOR PRIVACY REASONS>>",
"username": "<<HIDDEN FOR PRIVACY REASONS>>"
}
As mentioned in https://developer.intuit.com/app/developer/qbo/docs/learn/scopes there is a scope of "com.intuit.quickbooks.accounting" which grants access to the QuickBooks Online Accounting API, which focuses on accounting data. As I can see in the above decoded Access Token Data, I cannot find the scope "com.intuit.quickbooks.accounting" in the scopes property. Can this be an issue? If so, how to add the scope for this in AWS Cognito? Or else what could be the issue? Can anyone provide a solution?
NOTE : The Ultimate Need is to make the Cognito Returned Access Token Authorized with Intuit to work with QuickBooks API.
I have a question related to AWS Cognito custom scopes. I followed an AWS article and enabled allowed custom scopes as mentioned in the screenshot. My problem is that when I decode the access token on the jwt site, the custom scopes are not included in the scope of the access token. Below I have attached a sample payload of a decoded access token for your reference. Is it possible to help me add custom scopes to the access token generated by AWS Cognito?
{
"sub": "###",
"event_id": "###",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1647489023,
"iss": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_###",
"exp": 1647492623,
"iat": 1647489023,
"jti": "###",
"client_id": "###",
"username": "test-user"
}
Update:
I am accessing Cognito via the ASP.NET SDK. I sent the username and password of the user to Cognito and received tokens.
I am trying to fetch the Data Studio assets to manage the permissions based on that data through APIs.
I am using an OAuth2 access token generated using the service account, as I want to automate this process and not rely on user consent for authorization every time. OAuth2 authorization using service account
Steps I have followed:
Created service account in Google cloud and enabled Google Workspace Domain-wide Delegation
Delegating domain-wide authority to the service account through Google Workspace account
For the following scopes:
https://www.googleapis.com/auth/datastudio
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
openid
Created and signed JWT
Used JWT token to get the oAuth2 access token to make Datastudio API calls.
Using the following snippet to generate the signed JWT.
import jwt
import time
import requests

# Private key (PEM) of the service account, taken from its downloaded key file;
# the file path used here is an assumption, not part of the original snippet
private_key = open("service-account-key.pem").read()

iat = int(time.time())
exp = iat + 3600  # assertion lifetime of one hour
claim_set = {
    "iss": "datastudio-manager#data-project.iam.gserviceaccount.com",
    "scope": "https://www.googleapis.com/auth/datastudio https://www.googleapis.com/auth/datastudio.readonly https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid",
    "aud": "https://oauth2.googleapis.com/token",
    "exp": exp,
    "iat": iat,
}
# Sign the assertion with the service account key (RS256)
encoded = jwt.encode(claim_set, private_key, algorithm="RS256")
# Exchange the signed assertion for an access token (form-encoded POST body)
response = requests.post("https://oauth2.googleapis.com/token", data={
    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion": encoded,
})
print(response.json()["access_token"])
Using the token generated in the above step to make the API call.
curl -H "Authorization: Bearer <access_token>" https://datastudio.googleapis.com/v1/assets:search?assetTypes=report
The response of the above request is {} with status 200, and when I try to view the permissions for a particular asset it gives me the following response.
API endpoint: https://datastudio.googleapis.com/v1/assets/<asset_id>/permissions
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
Is authentication using an access token generated through the above OAuth2 method supported for the Data Studio APIs?
Any leads are much appreciated, thanks in advance!
I'm currently using the python-social-auth/social-core lib with a Django app, which is configured (and working) to authenticate Wagtail CMS users with our (free) Azure Active Directory tenant.
Our NFRs stipulate that authentication should occur using OpenID Connect, and to this end we've installed "social-auth-core" with the "openidconnect" extra like this in requirements.txt:
...
social-auth-core[openidconnect]
social-auth-app-django
...
Again, things seem to work A-OK and users can log in, but here's my problem, and I know I'm missing something here:
As far as I know, OpenID Connect is simply a modification/addition to OAuth 2.0 that gives OAuth super powers of authentication, not just authorisation, but I don't know if my Django+Wagtail app is now just automagically configured to "just work" as/with OpenID Connect, or whether there's some additional logic/validation/config/whatever that I need to apply to the app.
I don't see anything relevant in the official python-social-auth docs for Azure AD, and I don't see how/if I need to explicitly enable OpenID within Azure AD itself.
Can anyone help?
Thank you.
I dug into the OpenID Connect docs for Azure AD, and there are two things I identified as being indicators of OpenID:
That state=openid is used in the MS /oauth2/authorize endpoint
That openid responses arrive back with an OpenID "id_token" key
Docs:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
Authentication Response:
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1603915195",
"access_token": "*****",
"refresh_token": "*****",
"id_token": "*****",
"aud": "*****",
"iss": "https://sts.windows.net/*****-*****-*****-*****-*****/",
"iat": 1603911295,
"nbf": 1603911295,
"exp": 1603915195,
"amr": [
"pwd"
],
"family_name": "Joe",
"given_name": "Blow",
"ipaddr": "***.***.***.***",
"name": "Joe",
"oid": "*****-*****-*****-*****-*****",
"rh": "*****",
"sub": "*****",
"tid": "*****-*****-*****-*****-*****",
"unique_name": "joe#somedomain.onmicrosoft.com",
"upn": "joe#somedomain.onmicrosoft.com",
"uti": "*****",
"ver": "1.0"
}
How do I add user roles to the JWT generated through the OAuth2 Password Grant as described here:
I tried this approach but it adds custom claims only to the JWT passed to the backend; there is nothing in the JWT used to authenticate clients.
What I'm trying to do is add a login page to an Angular application and call https://[APIM]/token to get a token when authentication succeeds. Roles are important to render the correct menus based on user roles.
Thanks in advance,
You need to request the token with the openid scope to retrieve the additional user information as claims of the JWT token. You can refer to https://apim.docs.wso2.com/en/latest/learn/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/ for more details.
For instance, if you want to get the user roles in the generated JWT, you can add the http://wso2.org/claims/role claim as a requested claim under Claim Configuration to the service provider you are using from the carbon console. Refer https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping for more details.
Then, when you invoke the token endpoint, you need to add the openid scope.
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>" -H "Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token
The generated JWT token payload will be something like this:
{
"sub": "admin",
"aut": "APPLICATION_USER",
"aud": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
"nbf": 1610395871,
"azp": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
"scope": "openid",
"iss": "https://localhost:9443/oauth2/token",
"groups": [
"Internal/subscriber",
"Internal/creator",
"Application/admin_DefaultApplication_PRODUCTION",
"Application/apim_devportal",
"Internal/publisher",
"Internal/everyone",
"Internal/devops",
"Application/apim_admin_portal",
"admin",
"Internal/analytics",
"Application/apim_publisher"
],
"exp": 1610399471,
"iat": 1610395871,
"jti": "75ddfca2-5088-435d-825a-3320efc10036"
}
Hope this helped!
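Both WSO2 answers above end with a JWT whose roles sit in a "groups" claim (or, when mapped, in http://wso2.org/claims/role). As an added example that is not code from either answer, the following shows what a backend does next: decode the token payload, locate the role claim in either form, and run the basic issuer and expiry checks before acting on the roles. The sample token is constructed inline and unsigned; the comma-separated string form of the WSO2 role claim is an assumption.

```python
"""Added example (not from the original posts): inspect a gateway-issued JWT and
collect roles from the "groups" claim or the WSO2 role claim before authorizing."""
import base64
import json

ROLE_CLAIMS = ("groups", "http://wso2.org/claims/role")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> dict:
    """Payload of a compact JWT, NOT verified: a real backend checks the signature first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def extract_roles(payload: dict) -> list:
    """Roles from whichever claim is present; a comma-separated string is assumed possible."""
    roles = []
    for name in ROLE_CLAIMS:
        value = payload.get(name)
        if isinstance(value, list):
            roles.extend(str(v) for v in value)
        elif isinstance(value, str):
            roles.extend(v.strip() for v in value.split(",") if v.strip())
    return roles

def check_token(payload: dict, expected_iss: str, now: int) -> dict:
    """Minimal claim checks a backend applies before acting on the roles."""
    problems = []
    if payload.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if "exp" not in payload or int(payload["exp"]) <= now:
        problems.append("token expired or no exp")
    roles = extract_roles(payload)
    if not roles:
        problems.append("no role claim (request scope=openid and map the role claim)")
    return {"ok": not problems, "problems": problems, "roles": roles}

# Constructed sample with the shape of the access token shown in the answer above.
SAMPLE_PAYLOAD = {"sub": "admin", "iss": "https://localhost:9443/oauth2/token",
                  "scope": "openid", "exp": 1610399471, "iat": 1610395871,
                  "groups": ["Internal/subscriber", "admin"]}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps(SAMPLE_PAYLOAD).encode()), "sig"])
```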