How to use JWT with Ballerina - wso2

I read about JWT and I think I understand how it works, but when it comes to the Ballerina examples I don't understand anything:
How do I set the algorithm I want to use with JWT, and the expiration time?
How do I use a custom private key?
How can I get the token from this example, for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
Maybe, how can I get the token using cURL (for testing purposes)?
Also I'm wondering how to use JWT without needing a database with users and passwords.
I'm absolutely new to security and to Ballerina as well. Can anybody help, please?

The Ballerina JWT module [1] provides the following functionalities.
Issue a JWT
You can issue/generate a JWT by providing a jwt:JwtIssuerConfig. You can configure the username, issuer, audience, expiration time, signing algorithm, custom claims and the configuration for the signature (key-store config). Please refer to the API docs of jwt:JwtIssuerConfig [2]. Example code can be found at [3].
Validate a JWT
You can validate a JWT by providing a jwt:JwtValidatorConfig. You can configure the expected issuer, expected audience, clock skew, cache configurations and the configuration for validating the signature (trust-store config). Please refer to the API docs of jwt:JwtValidatorConfig [4]. Example code can be found at [3].
Secure a service with JWT
You can use JWT to secure an HTTP service. The Authorization header of the inbound HTTP request is validated and authenticated according to the provided configurations. Please refer to the API docs of jwt:InboundJwtAuthProvider [5]. Example code can be found at [6].
Calling a service with JWT
You can use JWT to call an external service that is authenticated with JWT. The outbound HTTP request is prepared with the Authorization header according to the provided configurations. Please refer to the API docs of jwt:OutboundJwtAuthProvider [7]. Example code can be found at [8].
Answers for the questions:
How do I set the algorithm I want to use with JWT, and the expiration time?
You can configure jwt:JwtIssuerConfig [2] as described above.
How do I use a custom private key?
You can configure the jwt:JwtKeyStoreConfig field of jwt:JwtIssuerConfig [2] with your custom private key.
How can I get the token from this example, for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
Maybe, how can I get the token using cURL (for testing purposes)?
This is a sample service which is secured with JWT. The token used to invoke this service is provided at the bottom of the sample. How to invoke this service with cURL is also provided.
Also I'm wondering how to use JWT without needing a database with users and passwords.
None of the above samples needs a database or file store. All the configuration is provided in the code itself. If there is a requirement to retrieve data from a database, that is also possible.
References:
1 https://ballerina.io/learn/api-docs/ballerina/jwt/index.html
2 https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtIssuerConfig.html
3 https://ballerina.io/learn/by-example/jwt-issue-validate.html
4 https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtValidatorConfig.html
5 https://ballerina.io/learn/api-docs/ballerina/jwt/objects/InboundJwtAuthProvider.html
6 https://ballerina.io/learn/by-example/secured-service-with-jwt-auth.html
7 https://ballerina.io/learn/api-docs/ballerina/jwt/objects/OutboundJwtAuthProvider.html
8 https://ballerina.io/learn/by-example/secured-client-with-jwt-auth.html
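To make the issuer and validator settings listed in the answer above concrete, here is an added example (not from the original post, and not Ballerina code) that does the same job in plain Python with the standard library only: issue a token carrying username, issuer, audience, expiry and custom claims, then validate it against an expected issuer, expected audience and a clock skew. The function names issue_jwt, validate_jwt and validation_error, the key and all sample values are constructed for this illustration; HS256 with a shared secret stands in for the key-store/trust-store signing the jwt module uses.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


class JwtError(Exception):
    """Raised for any token the validator refuses."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(key: bytes, username: str, issuer: str, audience: str,
              ttl_seconds: int, custom_claims: Optional[Dict] = None,
              now: Optional[int] = None) -> str:
    """Issuer side, mirroring the JwtIssuerConfig fields named in the answer:
    username (sub), issuer (iss), audience (aud), expiration (exp) and custom
    claims. HS256 with a shared secret is a constructed stand-in here; a real
    issuer signs with a private key so validators only need the public key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iss": issuer, "aud": audience,
               "iat": now, "exp": now + ttl_seconds}
    payload.update(custom_claims or {})
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_jwt(token: str, key: bytes, issuer: str, audience: str,
                 clock_skew: int = 0, now: Optional[int] = None) -> Dict:
    """Validator side, mirroring JwtValidatorConfig: expected issuer, expected
    audience and clock skew. Order matters: the algorithm is pinned and the
    signature checked before any claim is parsed or trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:
        raise JwtError("malformed token")
    # Never let the token choose the verification routine (alg=none, RS/HS confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise JwtError("unexpected alg %r" % (header.get("alg") if isinstance(header, dict) else None,))
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise JwtError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JwtError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp + clock_skew:
        raise JwtError("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now < nbf - clock_skew:
        raise JwtError("token not yet valid")
    return claims


def validation_error(token: str, key: bytes, issuer: str, audience: str,
                     clock_skew: int = 0, now: Optional[int] = None) -> Optional[str]:
    """Convenience wrapper: the refusal reason, or None when the token is accepted."""
    try:
        validate_jwt(token, key, issuer, audience, clock_skew, now)
    except JwtError as exc:
        return str(exc)
    return None
```

The checks run in the order a validator should use them: pin the algorithm, verify the signature, then read claims. That ordering is what keeps an alg=none or key-confusion token from ever having its claims trusted, and the clock-skew argument is the only thing that should widen the exp/nbf window.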

Related

I need an access token for authorization, and the access token is provided by another service with Basic Auth. Does WSO2 have this feature?

I need this feature in the WSO2 Publisher or Devportal:
I have one API that needs a dynamic access token, and I also have another API with static Basic Authentication that provides that dynamic access token. Unfortunately I could not solve this with mediation. The policy is simple, but I don't know whether WSO2 has this simple feature or not?
Process: token API with Basic Auth ==> provides dynamic access token ==> use access token in main API body and send.
The main API is our endpoint in the WSO2 API.
I could not solve this with Endpoint Security (OAuth2) or mediation (XML).
The version of WSO2-AM is 4.1.0, which is the latest at the moment.
Have you thought about using a vault, such as HashiCorp Vault [1], to fetch the basic auth credentials?
From there, use a custom sequence [2] that gets the token (step 1 in your diagram) and then gets the token check results you need (step 2).
[1] https://apim.docs.wso2.com/en/latest/install-and-setup/setup/mi-setup/security/using-hashicorp-secrets/
[2] https://apim.docs.wso2.com/en/latest/reference/mediators/sequence-mediator/

Authorizing REST API calls to GCP

I am totally new to GCP products. I am trying to create and manage resources, i.e. virtual machines, using the REST APIs provided in the documentation. One of the endpoints I am trying is
GET https://compute.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances?key={API_KEY}
To make authorized calls to the platform, though, I need to configure OAuth 2.0 authentication, for which I created the relevant service account. I am not sure how to use it further to authorize the requests. Any leads on this would be greatly helpful. Thanks!
Edit:
I intend to call the REST APIs from Python. Not sure if that's the right way.
I was finally able to authorize the API calls to GCP by creating a JWT, serializing it to its UTF-8 representation (UTF-8 is important), signing it using the Google client library google.auth, and finally making a request to https://oauth2.googleapis.com/token with the POST parameters grant_type = urn:ietf:params:oauth:grant-type:jwt-bearer and assertion, whose value is the signed JWT.
Reference: https://developers.google.com/identity/protocols/oauth2
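The flow the asker arrives at, written out as an added example (not the asker's code): the service account's email is the iss claim, the token endpoint is the aud, the assertion lives at most an hour, the bytes that get signed are the UTF-8 encoding of "header.claims", and the POST carries grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer together with the assertion. The signer is injected so the file runs offline; hmac_stand_in_signer is a constructed placeholder that Google would not accept, and in real use the argument would be google.auth.crypt.RSASigner.from_service_account_info(sa_info).sign from the google-auth library. The service-account email, key id and scope are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Sequence
from urllib.parse import urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_ASSERTION_LIFETIME = 3600  # seconds; Google rejects assertions valid for longer


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(sa_email: str, private_key_id: str, scopes: Sequence[str],
                    sign: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """Assemble the JWT the token endpoint expects and hand the UTF-8 signing
    input to `sign`. With google-auth installed, `sign` would be
    google.auth.crypt.RSASigner.from_service_account_info(sa_info).sign, which
    produces the RS256 signature Google requires."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": private_key_id}
    claims = {
        "iss": sa_email,            # the service account is the issuer
        "scope": " ".join(scopes),  # space-separated OAuth scopes being requested
        "aud": TOKEN_URI,           # the assertion is addressed to the token endpoint
        "iat": now,
        "exp": now + MAX_ASSERTION_LIFETIME,
    }
    # The asker's point: what gets signed is the UTF-8 bytes of "<header>.<claims>".
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    ).encode("utf-8")
    return signing_input.decode("ascii") + "." + b64url(sign(signing_input))


def token_request(assertion: str) -> Dict[str, str]:
    """The POST that exchanges the assertion for an access token."""
    return {
        "method": "POST",
        "url": TOKEN_URI,
        "content_type": "application/x-www-form-urlencoded",
        "body": urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion}),
    }


def bearer_headers(access_token: str) -> Dict[str, str]:
    """How the access_token from the response is then presented to the Compute API.
    The ?key= API key in the question identifies a project for quota purposes,
    not a principal, so it cannot authorize these calls on its own."""
    return {"Authorization": "Bearer " + access_token}


def assertion_claims(assertion: str) -> Dict:
    """Decode the claims segment without verifying it (for inspection and tests)."""
    return json.loads(b64url_decode(assertion.split(".")[1]))


def hmac_stand_in_signer(message: bytes) -> bytes:
    """Constructed offline stand-in so this file runs without a service-account key.
    Not what Google accepts; swap in the RSASigner from google-auth for real use."""
    return hmac.new(b"constructed-demo-key", message, hashlib.sha256).digest()


if __name__ == "__main__":
    jwt = build_assertion("demo-sa@example-project.iam.gserviceaccount.com",
                          "constructed-key-id",
                          ["https://www.googleapis.com/auth/compute.readonly"],
                          hmac_stand_in_signer)
    print(json.dumps(token_request(jwt), indent=2))
```

The response to that POST is JSON with an access_token and expires_in; only that token, not the assertion, goes into the Authorization header of the Compute Engine calls. Request the narrowest scope that covers the operations you need (compute.readonly for listing instances) rather than cloud-platform.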

Validate AWS SIGv4 signature in Lambda

We have a serverless backend that is protected by IAM in API Gateway. We have another in-house authentication solution, and we want to support both authentication mechanisms in our service. I was planning to write a custom authorizer with an authentication chain supporting multiple authentication mechanisms.
However, I couldn't find any way to validate the AWS SigV4 signature on the backend. I found AWS docs on how to sign a request or calculate the SigV4 signature ([1], [2], [3] and [4]); however, all these docs are from the client perspective, in which the client has access to ACCESS_KEY_ID, SECRET_ACCESS_KEY and SESSION_TOKEN. When the custom authorizer Lambda receives the request it will have only the ACCESS_KEY_ID (in the Authorization header) and the SESSION_TOKEN (as an additional header). So re-calculating the signature on the backend is not possible. How can I validate the signature at the backend to authenticate?
This post might be a duplicate of "How to verify AWS SigV4 signing", which is still unanswered. The solution suggested in that question still needs the SECRET_ACCESS_KEY.
[1] https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
[2] https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-examples-using-sdks.html
[3] https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html
[4] https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
(Caveat: I'm talking out my ass a bit here and haven't tried to implement this myself, just going off first principles.)
My understanding is that SigV4 is symmetric crypto, since it uses HMAC, which is symmetric. That implies there's no way for your Lambda (an untrusted third party) to verify the signature without having the key itself (in this case, the secret access key). If you had that key, well, you'd be able to impersonate that user. Probably undesirable :P
With a session token, you have to include the session token in a request header, as you mentioned (probably because otherwise no one could tell which session token you signed it with; there's no corresponding AWS_SESSION_TOKEN_ID). That means you actually could verify the signature, but only the request's integrity: you don't know whether that session token actually belongs to the user in question.
So I think you're hooped unless AWS verifies it for you.
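To see why the answer lands where it does, here is SigV4 implemented from both sides as an added example (not from the thread, not AWS SDK code, standard library only): sign_request builds the Authorization header the way a client does, and verify_request recomputes it the way a server must. The sample request is modelled on the IAM ListUsers example in the AWS signing docs; the access key id and secret are the documentation's placeholder values, not real credentials.

```python
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, query: Dict[str, str],
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Canonical request per the SigV4 docs: sorted URI-encoded query, lower-cased and
    whitespace-trimmed sorted headers, hash of the payload. Returns (canonical, signed_headers)."""
    canonical_query = "&".join(
        quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~") for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(k + ":" + lowered[k] + "\n" for k in sorted(lowered))
    canonical = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                           canonical_headers, signed_headers, sha256_hex(payload)])
    return canonical, signed_headers


def signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    Every step in the chain starts from the secret: there is no public counterpart."""
    k_date = hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def compute_signature(secret_access_key: str, date: str, region: str, service: str,
                      amz_date: str, canonical: str) -> str:
    scope = date + "/" + region + "/" + service + "/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canonical.encode("utf-8"))])
    return hmac.new(signing_key(secret_access_key, date, region, service),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(access_key_id: str, secret_access_key: str, region: str, service: str,
                 method: str, path: str, query: Dict[str, str],
                 headers: Dict[str, str], payload: bytes) -> str:
    """Client side: returns the Authorization header value. A session token, when used,
    travels as the x-amz-security-token header and is signed like any other header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    amz_date = lowered["x-amz-date"]
    date = amz_date[:8]
    canonical, signed_headers = canonical_request(method, path, query, lowered, payload)
    signature = compute_signature(secret_access_key, date, region, service, amz_date, canonical)
    return "%s Credential=%s/%s/%s/%s/aws4_request, SignedHeaders=%s, Signature=%s" % (
        ALGORITHM, access_key_id, date, region, service, signed_headers, signature)


def verify_request(secret_access_key: str, method: str, path: str, query: Dict[str, str],
                   headers: Dict[str, str], payload: bytes, authorization: str) -> bool:
    """Server side: recompute over exactly the headers the client listed in SignedHeaders
    and compare in constant time. The first parameter is the whole point of the answer:
    the secret belonging to the Credential's access key id is required, so a Lambda that
    only sees the access key id and session token has nothing to recompute with."""
    prefix = ALGORITHM + " "
    if not authorization.startswith(prefix):
        return False
    try:
        fields = dict(item.strip().split("=", 1) for item in authorization[len(prefix):].split(","))
        access_key_id, date, region, service, terminal = fields["Credential"].split("/")
        signed = fields["SignedHeaders"].split(";")
        presented = fields["Signature"]
    except (KeyError, ValueError):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    if terminal != "aws4_request" or "x-amz-date" not in signed:
        return False
    if any(name not in lowered for name in signed):
        return False  # a signed header is missing from the request
    amz_date = lowered["x-amz-date"]
    if not amz_date.startswith(date):
        return False
    subset = {name: lowered[name] for name in signed}  # unsigned extras (proxies) are ignored
    canonical, _ = canonical_request(method, path, query, subset, payload)
    expected = compute_signature(secret_access_key, date, region, service, amz_date, canonical)
    return hmac.compare_digest(expected, presented)


# Constructed sample request, modelled on the IAM ListUsers example in the AWS docs.
SAMPLE = {
    "access_key_id": "AKIDEXAMPLE",
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1", "service": "iam", "method": "GET", "path": "/",
    "query": {"Action": "ListUsers", "Version": "2010-05-08"},
    "headers": {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                "Host": "iam.amazonaws.com", "X-Amz-Date": "20150830T123600Z"},
    "payload": b"",
}
```

Every HMAC in the key-derivation chain starts from the secret access key, which is why verify_request has to take it as an argument: an authorizer that only sees the access key id and the session token can parse the header and check that the SignedHeaders are present, but it cannot recompute the Signature. That matches the answer's conclusion that the IAM check has to stay with API Gateway, with the Lambda authorizer reserved for the in-house scheme.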

Self-contained JWT for oauth

I am fairly new to WSO2 IS.
I added an SP with OAuth/OIDC and got the client credentials.
But when I call the token endpoint to generate an access token (client_credentials flow), I get a GUID/reference token. How do I get a self-contained JWT?
Also, are the discovery endpoint and introspection not available in 5.2.0?
TIA.
As of now there is no out-of-the-box solution to get a self-contained JWT as an access token from WSO2 Identity Server. However, we have an extension point [1] to write one to suit your requirements.
In short, the steps are:
Write an access token issuer class implementing this interface. Instead of the GUID, return the signed JWT.
Create a jar and add it to IS_HOME/repository/components/dropins.
Add the fully qualified class name to IS_HOME/repository/conf/identity/identity.xml by adding an <IdentityOAuthTokenGenerator> tag under the <OAuth> section.
Check out the default access token issuer code to get an idea [2]. The discovery endpoint and introspection endpoint have been added in IS 5.3.0. Try out the alpha version from [3].
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuer.java#L25-L25
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuerImpl.java
[3] https://github.com/wso2/product-is/releases/download/v5.3.0-alpha/wso2is-5.3.0-alpha.zip
Update
Follow this blog post https://medium.com/#hasinthaindrajee/self-contained-access-tokens-with-wso2-identity-server-82111631d5b6#.s0q3xt6od to get your use case done :)

Can I implement custom token generation (fully customized) API Token in WSO2?

I want to implement custom code for token generation; you can think of it as removing OAuth2 from the WSO2 implementation and incorporating my specific APIs for token management. Is this possible? If yes, please guide me on how to achieve this.
If you need to customize it fully, it means that you need to completely remove OAuth2, and then there is no worth in it. But if you just need to customize some behaviors of OAuth2, that can be done easily. There are several extension points for it. One main extension is the customization of OAuth2 grant types. You can find details here, and some samples for it. It may help to do some major customization of the OAuth2 flow. Hope it helps.
When you send an API request to the backend, you pass a token in the Authorization header of the request. The API Gateway uses this token to authorize access, and then drops it from the outgoing message. If you wish to use a different (or a custom generated) authorization token than the application-generated access token, you can use it as a token exchange mechanism in the mediation logic of the API. In this tutorial, we explain how to pass a custom authorization token that is different from the authorization token generated for the application.
Add the following sequence content into a file and save it as an XML file.
Log in to the API Publisher and create a new REST API.
Navigate to the Runtime Configurations tab and enable Message Mediation in the Request flow. Engage the In sequence that you created earlier and click Save.
If the API is not in the PUBLISHED state, go to the Lifecycle tab and click REDEPLOY to re-publish the API.
Go to the Developer Portal, subscribe, and obtain a token to invoke the published API.
Install any REST client on your machine. We use cURL here.
Go to the command line, and invoke the API using the following cURL command.
In this command, you pass the token that the backend expects, i.e., 1234, in the Custom header, with the authorization token that the system generates in the Authorization header.
curl -H "Authorization: Bearer " -H "Custom: Bearer 1234"
NOTE
is the token that you got in step 20.
appears on the API's Overview page in the API Developer Portal. Copy the HTTP endpoint. If you select the HTTPS endpoint, be sure to run the cURL command with the -k option.
Note the response that you get in the command line. According to the sample backend used in this tutorial, you get the response "Request Received."
FOR MORE EXPLANATION, PLEASE VISIT THIS LINK
[LINK] : https://medium.com/#PrakhashS/passing-access-token-to-oauth2-protected-backends-wso2-api-manager-7d0671a0afca