Is there a way to use Spring Security to connect with Facebook and then retrieve a token which will be used to do some operations on the Facebook Graph API (profile name, groups, etc ...) and then refresh that token as long as the user is using my app ?
After some search, I found a detailed tutorial using this stack : Spring Security 5, Spring Boot 2.2 and ReactJS. I recommend it for everyone searching for the same subject : https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/
Related
From the Google Doc, I see below are the options to fetch an access token for the directory API
Web server applications i.e Client Credentials
Installed applications (Mostly same as Client Credentials approach
which we currently support but with the use of applications
installed)
Client-side (JavaScript) applications (For JavaScript applications
that run in a browser)
Applications on limited-input devices (For Limited-input devices such
as TV, game consoles, video cameras, and printers)
Service Account
Reference Doc:
https://developers.google.com/identity/protocols/oauth2
Is there any API to Fetch an access token from SAML bearer assertion for the directory API and if yes then what information does this API needs and is there any Doc to do so
Example Directory API for which I am looking to connect -
Directory API used for user creation: https://www.googleapis.com/admin/directory/v1/users
Answer:
Unfortunately, at current Google doesn't support client authorization and authentication for their APIs via SAML 2.0 Profiles.
More Information:
As you've already pointed out, the only supported methods of fetching an access token at the present time are those mentioned in the documentation page titled "Using OAuth 2.0 to Access Google APIs".
Feature Request:
You can however let Google know that this is a feature that is important for access to their APIs, and that you would like to request they implement it.
Google's Issue Tracker is a place for developers to report issues and make feature requests for their development services, I'd urge you to make a feature request there. While there is no component for general OAuth2 or Authentication methods, given your requirements I would suggest filing it under the Admin SDK component which you can find here
References:
Using OAuth 2.0 to Access Google APIs | Google Identity Platform
Further Reading:
RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile
for OAuth 2.0 Client Authentication and Authorization Grants
We are using WSO2 API Manager 1.10 and WSO2 Identity server 5.1.0 for managing back end REST APIs which will be consumed by Android and iOS application.For a end user(Mobile App user) to access the APIs exposed,process followed is:-
1.User registers to WSO2 IS server using WSO2 SCIM create user API.
2.User request for access token which will be used for accessing the APIs.
We are planning to add Google and facebook sign in feature in our Mobile app which will help end user avoid user creation in WSO2 IS. Does WSO2 API Manager support this sort of implementation? if so,what are the cofiguration changes we need to do to our current setup?
You can achieve this using identity federation. IS will act as key manager as well as it can federate the authentication to facebook/google.
you can find how facebook can be configured to get access token in this blog[1]. Similarly you can add google for federation[2]
[1] http://nuwanzone.blogspot.com/2015/10/getting-access-tokens-for-wso2-api.html
[2] https://docs.wso2.com/display/IS510/Configuring+Google
I have a web app where front end layer has a angular based UI.It has both public pages and other private pages which are accessible to logged in users and it depends on roles of the logged in users as well
My server based application is a java based rest service api .
How can i use wso2 for handle user authenticaiton and role based authorsation.i would like to have an additional layer of api security depending on the role of the user as well.
can someone explain the best architecture for this in wso2?
if i use wso2 api manager , how can i handle login's of the user and how to relate api access with role of the logged in user?
thanks in advance
you can use wso2 appmanager to control the access of any web apps[1]. App manager supports role based access control as well as xacml policy based access control . In order to provide api level role based security you can use scopes[2] in wso2 api manager
[1] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
[2] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
Let me suggest another solution. I haven't tried this with APIM. But since APIM also has Identity features installed in it, this should work.
Use OpenID Connect for login. See here for a sample. This sample is for IS, but it should work for APIM too. Only endpoint URLs are different in APIM like this.
Token: https://localhost:8243/token
Revoke: https://localhost:8243/revoke
Authorize: https://localhost:8243/authorize
There, when a user login, you get an ID_token which contains user claims. You can allow/deny page views depending on those data.
In above step, you create an SP and generate a client key-secret pair. You can set the same keys in APIM's application. Read this.
Then, as I mentioned here, you can use scopes to secure your APIs by roles.
Here's the scenario,
WS_A and WS_B are Web Services published in different endpoints.
WS_A receives personId, makes some processing, logs some data, and returns the name and the lastname of the Person with personId.
WS_B receives two Strings name and lastname and saves name+lastname in a database, then returns Ok/Error.
I need to publish an API API_Composition, using WSO2 API Manager, that will call WS_A, and send the result to WS_B, then return the result of WS_B.
Keep in mind that i can't make a new WS_C that has the behaviour of WS_A+WS_B, because i can't access the whole code of any of them.
Is there a way of doing this using only WSO2 API Manager?
Are there any other API Management products that can accomplish this requirement?
Regards
Yes, you can do this with mediator sequence. I have not found a specific tutorial for your scenario, but here's a blog post that has a demo on using mediator sequences and links to detailed documentation.
(Note: the demo and blog post are for WSO2 API Cloud - the hosted version of WSO2 API Manager. But it all works the same for API Manager - it is the same technology.)
Does the Google Apps Email Migration API v2 support 2 legged oAuth1?
I've looked at this answer, but I believe it refers to the older version of the Email Migration API: Does Google Apps Email Migration API support 2 legged oAuth?
I have been able to authenticate an Email Migration API request using OAuth1 w/ tokens, but all of my 2 legged OAuth 1 attempts have failed. I have tried including xoauth_requestor_id and it has not had an effect.
There is some hinting in the docs that OAuth1 w/ tokens may be required, but I was hoping to confirm that that is the case.
For example the docs say: "If your application has certain unusual authorization requirements, such as logging in at the same time as requesting data access (hybrid) or domain-wide delegation of authority (2LO), then you cannot currently use OAuth 2.0 tokens. In such cases, you must instead use OAuth 1.0 tokens and an API key."
It seems clear there that "tokens" are referenced, however the word "token" is also used to describe the Authorization request header, so it is less clear that this means OAuth1 request tokens.
Any help is greatly appreciated. Thanks!
The section you are referring to doesn't seem up to date. You can have domain-wide delegation of authority using OAuth 2.0. It's called Service Account. Once authenticated, you do exactly the same that you used to do with 2-legged OAuth 1.0.
Here are the steps you need to get started:
Go to Google Developer Console
Create a project if you don't already have one
Go to APIs & auth --> APIs and activate the Admin SDK
Go to APIs & auth --> Credentials and click CREATE NEW CLIENT ID
Select Service Account and click Create Client ID
Download the p12 private key file (and keep it safe !)
Go to your Google Apps Admin Panel
Go to Security --> Advanced Settings --> Manage OAuth Client Access (Direct URL: https://admin.google.com/AdminHome?#OGX:ManageOauthClients)
Enter the Client Id you just created along with the scopes you'll need, separated with commas (In your case, https://www.googleapis.com/auth/email.migration)
Go to your favorite language client library documentation and find how to authenticate using the private key file you downloaded earlier and also impersonate your domain users.
Hope that helps.