I have developed a custom grant type using the sample code provided by the WSO2 documentation https://is.docs.wso2.com/en/latest/learn/writing-a-custom-oauth-2.0-grant-type/. How can we map an OIDC claim to a service provider, and after generating an access token based on the scope, how can I get the claims while validating the token? I have created a custom token validator where I want to use the scope claims while validating the token.
You can find how to configure claims for a service provider in [1]. Also, in your question you mentioned that you want to configure OIDC scopes with claims. You can refer to [2], where you can find a topic called "Click to view vital information when configuring claims for an OpenID Connect Service Provider". There you can find the configurations that you need.
[1] https://is.docs.wso2.com/en/latest/learn/configuring-claims-for-a-service-provider/
[2] https://is.docs.wso2.com/en/latest/learn/configuring-claims-for-a-service-provider/#claim-mapping
I have followed this article (https://medium.com/identity-beyond-borders/handling-custom-claims-with-openid-connect-in-wso2-identity-server-56d3b6e4319b), which clearly describes the mapping of local and OIDC scopes and also the service provider.
I am using WSO2 API Manager 4.1.0 and I am trying to configure it with a custom OAuth2 authenticator to provide different users to different tenants.
By following this guide, meant for Okta, I was able to make logging in and token claim-to-role mapping work, with some adjustments to the configuration to adapt to the custom IdP. Users can successfully login with the custom IdP, are assigned roles correctly, and can act accordingly in the publisher and developer portals.
However, I cannot figure out if there is any way to assign users to any tenant other than carbon.super.
The custom IdP I am working with uses e-mail addresses as usernames and, when enable_email_domain=true in the configuration file deployment.toml, users are created in APIM with said e-mail as their names, but if that setting is false (or commented out), only the part before @ is used. I thought this could be used to assign them to other tenants, but even if the e-mail domain is an existing tenant, the user is created in carbon.super.
I've noticed, when logging into carbon as admin, in the Service Providers section, under Local & Outbound Authentication Configuration for apim_devportal and apim_publisher, the Use tenant domain in local subject identifier setting. I am unsure what exactly this option entails, but checking it does not seem to change anything.
This article in the documentation talks about tenants, but does not cover this scenario.
Does anyone know how (if it's even possible) to assign a user to a specific API Manager tenant, instead of carbon.super, upon logging in via custom IdP (not Okta or Identity Server)?
Same question here; I use Keycloak as IdP and have not found a solution yet for a multitenancy schema implementation.
I am using WSO2 Identity Server-5.10.0 and API Manager-3.2.0.
I have created an application in the Devportal and subscribed the APIs to this application.
In Identity Server I have enabled the Role based scope validator for this service provider.
I am using the below API to generate a token:
https://IS_host/oauth2/token
After enabling the Role based scope validator I am unable to generate a token with scope=apim:subscribe; it gives the error "invalid scope".
The user is assigned the role Internal/Subscriber.
We are creating an Application in the Devportal and subscribing APIs to this Application.
We want to list the scopes associated with the APIs that are subscribed to a particular application. Hence we are calling the below API to list scopes based on the applicationId:
https://AM_HOST/api/am/store/v1/applications/{applicationId}
To invoke this API we need to generate a token with the scope apim:subscribe, but after enabling the Role based scope validator we are unable to generate a token with apim:subscribe.
If we disable the Role based scope validator, the user is able to generate a token for all the scopes irrespective of the roles associated with the user.
The apim:subscribe scope is a reserved scope for the API Manager REST APIs. Hence, it is not required to create an Application from the Devportal to generate tokens with it. You can perform a DCR operation straight against the API Manager to register a client and generate access tokens with the API-M reserved scopes.
Further, I believe that you have configured the IS as the Key Manager by following the IS-Connector approach. The Role Based Scope validator feature requires a set of DBs to be shared among the servers.
Hence, the best way to generate the API-M specific scope tokens would be as follows:
1. Perform the DCR operation against the API Manager instance (not the IS).
2. This creates a client in the API Manager using the Resident Key Manager of the API Manager and responds with the consumer credentials (client ID and secret).
3. Perform a Password grant to generate the token using the received consumer credentials.
You can learn more about performing the DCR and subsequent calls in the Devportal REST API docs.
Hope this helps you to overcome the reported behavior.
I would like to use firebase auth to secure my AWS AppSync graphql api, as opposed to something like Cognito. There are several reasons behind this like pricing and us already using some other firebase services.
The only viable solution I can see at the moment is to somehow pass the Firebase user token to my AppSync GraphQL API and validate it through OpenID Connect / OIDC.
I was not able to figure this out nor find any guides on the topic, so I wanted to ask here if it is even possible and, if so, whether any examples or useful references could be provided.
Here are related fields that need to be provided to AppSync in terms of OpenID connect data https://docs.aws.amazon.com/cdk/api/latest/docs/#aws-cdk_aws-appsync.OpenIdConnectConfig.html
Do these exist for firebase auth?
Update: I was able to find some documentation on firebase token verification https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library
I believe the following URL is what needs to be used as the OpenID URL setting in AppSync: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
However, the AppSync documentation states that they append /.well-known/openid-configuration to such a URL, and when I do that to the googleapis URL above, it throws a 404.
AppSync expects an OpenID Connect Provider (OP). More specifically, it wants the OP's issuer; the rest of the metadata is retrieved based on that. From the AppSync doc:
OPENID_CONNECT Authorization
This authorization type enforces OpenID Connect (OIDC) tokens provided by an OIDC-compliant service. Your application can leverage users and privileges defined by your OIDC provider for controlling access.
An Issuer URL is the only required configuration value that you provide to AWS AppSync (for example, https://auth.example.com). This URL must be addressable over HTTPS. AWS AppSync appends /.well-known/openid-configuration to the issuer URL and locates the OpenID configuration at https://auth.example.com/.well-known/openid-configuration per the OpenID Connect Discovery specification.
Firebase is (mostly) middleware. Even though you could have a user account reside in Firebase, a more typical use case is to plug a provider such as Google or Microsoft into Firebase. You can then use the Firebase APIs to perform various operations without having to know the details of the underlying provider.
Whether acting as middleware or as an identity store with users in Firebase, it is unclear whether Firebase is an OIDC-compliant provider. OpenID publishes OIDC conformance tests as well as the entities that have been certified. The only Google entity on the latter list is "Google Federated Identity". Certification aside, Firebase does issue a signed JWT that, according to them, is morally equivalent to an id_token in OIDC:
ID token verification
If your Firebase client app communicates with your backend server, you might need to identify the currently signed-in user on your server so you can perform server-side logic on their behalf. You can do this securely by using ID tokens, which are created by Firebase when a user signs into a Firebase app.
ID tokens conform to the OpenID Connect spec and contain data to identify a user, as well as some other profile and authentication related information. You can send, verify, and inspect these tokens from your own backends. This allows you to securely identify the currently signed in user and authorize them into your own backend resources.
If you create a Firebase project, then authenticate via that and examine the issued token, you'll see the iss (Issuer) key in the token payload. It has a value of https://securetoken.google.com/<Firebase projectId> and that's the URL needed by AppSync.
You can confirm that OIDC metadata is available by concatenating /.well-known/openid-configuration with https://securetoken.google.com/<Firebase projectId> and doing a GET on the resulting URL. The expected response should look like this:
{
"issuer": "https://securetoken.google.com/<Firebase project id>",
"jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
"response_types_supported": [
"id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
]
}
I need to integrate SAML 2.0 with our app using Google Identity Provider
Hi
Our app currently uses Google Cloud Platform and Firebase in its architecture, and I've been assigned to integrate SAML 2.0 using Okta into the app. I am really confused by the different terms I've seen on both platforms. I've been following the guides on Okta and Google Cloud Platform but am still unable to crack this problem.
My questions are from both the Okta and the Google Cloud Platform side, which I'll ask here one by one.
Okta, when creating a new Application:
Audience URI (SP Entity ID): what is this?
Default RelayState: what is this?
Identity Provider Single Sign-On URL:
Identity Provider Issuer:
Now the Google Identity Provider is asking for some fields; all I need to know is which fields of Okta are relevant to the Google Identity Provider fields:
idpEntityId
providerId
rpEntityId
ssoUrl
I know this is a very basic question. But any help would be really appreciated.
Thanks
Implementation of the Okta app, with descriptions:
Single sign on URL: The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
ex: https://your.domain.name/Controller/Action
Audience URI (SP Entity ID): The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.
ex: https://your.domain.name
Default RelayState: Identifies a specific application resource in an IdP-initiated Single Sign-On scenario. In most instances this is blank.
ex: keep this blank.
Using the Attribute Statements you can pass the user's email, first name and last name fields to the service provider.
After completing the setup, on the "Sign On" tab click "View Setup Instructions", where you can get the "Identity Provider Issuer" detail, like: http://www.okta.com/XXXXXXXXXXX
where "xxxxxx" is unique (your app identification).
For the Google Identity Provider fields:
idpEntityId: The SAML IdP entity identifier.
providerId: The unique provider identifier. For a SAML provider, this must be prefixed by saml.
rpEntityId: The SAML relying party (service provider) entity ID. This is commonly the URL of the app. On the SAML identity provider, this is referred to as the audience. So this would be Audience URI or SP Entity ID from Okta.
ssoUrl: The SAML IdP SSO URL (Identity Provider Single Sign-On URL). This has to be a valid URL.
I found these links that may help you integrate SAML 2.0 with your applications. You can find how to Manage SAML and OIDC providers here [1], and how to use Okta to authenticate users here [2], and how to sign in users with SAML here [3].
[1] https://cloud.google.com/identity-platform/docs/managing-providers-programmatically#node.js
[2] https://cloud.google.com/endpoints/docs/openapi/authenticating-users-okta
[3] https://cloud.google.com/identity-platform/docs/web/saml#redirect
I've made a new Identity Provider and set up its SAML2 authentication to our Shibboleth IdP. How do I "log in" using this new setup?
The login link still goes to the IS login page, which is desirable because I need to log in as admin to fix things, but is there another login link which will redirect to the IdP?
If you need to provide federated authentication for your applications, your applications can be connected to Identity Server as service providers. Then you can define your external IdPs as trusted IdPs. For each service provider, you can select multiple IdPs as outbound authenticators. There is a blog post about this that uses Salesforce as the trusted IdP; you can go through it as well.
If what you want is to log in to IS using Shibboleth as the IdP, you should edit IS_HOME/repository/conf/security/authenticators.xml to enable SAMLSSOAuthenticator and configure it with the required details.
As best I can tell, there's no facility for testing an Identity Provider. The only way is to actually use it by setting up the full chain. In my case I set up API Manager as a Service Provider in the Identity Server, and selected the Identity Provider (mentioned in the original question) as Federated Authentication for that Service Provider. Then I changed the API Store to use SSO (pointed at the IS). Finally, by attempting to open the store I was bounced to the IS, then immediately on to the Identity Provider.
Unfortunately there are a lot of steps in this chain and a lot of things that could be set wrong. I was hoping to find a method for testing this one part, but as best I can tell there isn't such a capability.