I need to perform the token-exchange process between apis calls passing through WSO2 APIM, something like the scenario below:
User -> client app -> WSO2 APIM -> JWT Sent to -> Microservice 1
Next, Microservice 1 needs to propagate the authenticated user's JWT to another service that it depends on (Microservice 2),:
Microservice 1 -> JWT Token Exchange (token issued on the first client access to microservice 1 api)
-> WSO2 APIM -> JWT Sent to -> Microservice 2
It is not enough to propagate the JWT to APIM, Microservice 1 needs to issue a new access token to consume the microservice 2 API, and it is precisely in this process that the token-exchange fits.
Reading the WSO2 APIM All in One documentation, I didn't see anything related to the token exchange process, I only saw about the JWT Bearer, but I don't know if it contemplates this scenario that I reported above.
If you want to pass the JWT that you send when invoking an API resource, you can enable it by adding the following configuration in deployment.toml file resides in <APIM-Home>/repository/conf directory.
[apim.oauth_config]
enable_outbound_auth_header = true
You can add the context path of the other microservice 2 in audience field of the Jwt and pass the request header's from microservice 1 to microservice 2 and then it will work
Related
I am in the process of building an microservice architecture with an angular frontend as ui component. Each microservice uses flask-restx and pycognito to secure its routes. The frontend uses aws-amplify to authenticate users. Each microservice expects a valid token for the secured routes, which is validated in the respective backend. In the aws user pool we created multiple app clients. The goal is to authenticate once against the webapp and use the token to access all microservice backend. I already tried to find the correct solution in the aws documentation but had no luck until now. Maybe somebody could give me a hint what is the best practice solution to get this done right.
Keep it simple and stupid (KISS).
I cannot see any use-case of multiple app clients.
Please follow the steps below at microservices end:
Cognito uses asymmetric keys to generate jwt token.
So, get the public key from Cognito by this code link.
Decode that jwt token by public key link.
Authentication will be done by above step. if invalid token is passed in request header jwt.decode function will raise exception link.
Decoded payload contains sub and store that sub in distributed db (dynamodb, SQL)
One can store custom attributes and assign Cognito user to group. This will help to authorize the individual users on the microservice side.
I hope that gives you a hint to go ahead.
There is any webservice providing by WSO2 Identity server, to remove a session for specific user to specific ServiceProvider?
I am using SAMLSSO for many web application and they all are integrating with WSO2 server.
Now let's say scenario is,User is login with 2 application at the same time. I want to logout it from one application.
There is one service provided by logout and it's providing single logout and session will be remove for all application. There is webservice provided by IS or way to achieve logout for one specific application ?
What you are asking is to have the capability of removing a specific participant from the session created in the Identity Server side. I don't see a straight forward way (OOTB) of achieving this.
Closest you can achieve is as below.
Make your application perform a forceAuth. ForceAuth will request for user credentials despite having the cookies in the browser. (This will prevent the user from experiencing the SSO comfort. Still you can authenticate against the IS)
Prevent the application from sending an SLO request to WSO2. Rather, terminate the self(application) session upon logout.
When your application really wants to perform an SLO (logout all the applications, not just yours), your application can send an SLO request to the Identity Server.
Performing a force authentication :
SAML - Send forceAuth=true as a query paramter in your login request. Or else change the SAML AuthenricationRequest payload body to indicate a force authentication as in the spec(Line 2042).
OIDC - Send prompt=login as an additional query parameter in the /authorization request.
You can do this by calling the REST API and SOAP API provided by WSO2 IS. This will remove the session at WSO2 IS but I'm not sure if it will also trigger the SLO to other service providers or not.
Reference:
https://is.docs.wso2.com/en/latest/develop/calling-admin-services/
https://is.docs.wso2.com/en/latest/develop/session-mgt-rest-api/
Trigger a SOAP request getUserProfile from the UserProfileMgtService.wsdl. The default user profile will be 'default' or you can put the customized profile name you used. This will return the details. Grab the user id from this.
Trigger a GET to the API: /{user-id}/sessions with the user-id from step 1 to get the list of all active sessions this user currently have. Go through the list of sessions and find the session ID of the Service Provider you need to clear.
Trigger a DELETE request to API: /{user-id}/sessions/{session-id} with the user id from step 1 & session id from step 2
I'm researching WSO2 API Manager and I discover that if I use WSO2 API Publisher and API Store, I would meet XSS and CSRF security errors. With XSS, I see that WSO2 didn't encode HTML character input. With CSRF, I see that WSO2 didn't create token when I request from client to server and vise versa.
Does everyone know how to config WSO2 to prevent these security error or how to fix them.
Thanks in advanced.
On our side, there are a few things we do when publishing/consuming APIs via the API Publisher and API Store:
Set the Transports property to just HTTPS so that we can limit API availability to just HTTPS.
For each HTTP method, we set the Auth Type to either Application, Application User or both, but never none. This will force the client to utilize the WSO2 Access Token scheme to invoke the APIs hosted on the API Store.
On the client side, we have been invoking the Token API to generate and renew user and application access token so that we don't have to manually re-generate keys in the API Store.
Utilize API in-sequence to escape special characters.
We fix these type of security issues in our next release AM V 1.7.1. You can expect it in 3rd week of September.
A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backed service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The Content is been encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point to debug.
I have the two applications that both support SAML2 SSO using WSO2 Identity Server. During application bootstrap (when still no user request is processed) i need one of the applications to get information from the other using REST call. However this REST call should provide a SAML token for security purposes. I need a way to remotely get SAML2 token and use it for REST calls. I have read a post about rest sts client without esb however i can't find a sample code on how to get a SAML token for my REST calls. What is the way to obtain such SAML token? Is there sample source code?
You can follow this blog [1] get passive STS sample. But if you are using WSO2 Identity server 5.0 user interface bit different than in this blog.
[1] http://dulanja.blogspot.com/2013/09/passive-sts-java-sample-with-wso2.html