I have API configured with OAuth Bearer token in WSO2 gateway. In Postman, i pass the Authorization Bearer token and Gateway authorizes and my service is invoked.
Now i want the authorization token in the Header. Only Body is coming to service. The token in the Header is not coming to the service. What configuration should be done in WSO2 publisher or WSO2 store in order to acheive this?
In conf/api-manager.xml, change value of "RemoveOAuthHeadersFromOutMessage" to false. Authorization header will not be removed and it will be available in the backend. This change needs to do in the gateway node.
Related
On the AWS side it needs to be orchestrated in such a way that on receiving both Access and Bearer token as comma separated it has to call the application API using the bearer token in the header. My app login works now post cognito login but signs out immediately back to the login page. Can someone please suggest .I am using JWT authorizer
Thanks if anyone can help me. I am building a cognito user pool + API gateway solution in AWS. Now the configuration is done but the token is not working. Here is how I tested,
I used API endpoint
https://mydomain/login?response_type=token&client_id=5gjg8956um7bf2h5c3fuav1o46&redirect_uri=https://www.example.com
to get a token, here is the result.
https://www.example.com/#id_token=eyJraWQiOiJiTTcrSVlMUHBHVTBQK3FnTmkrMWxSeGFyNjRrb3hxYUluemptZllMTmZ3PSIsImFsZyI6IlJTMjU2In0.eyJhdF9oYXNoIjoiMmJXdHU5STVMQUJkQWFTSmM5S3ZtQSIsInN1YiI6ImYwNDk3NjgwLWJlNDEtNGNlZC1iMzQ4LWQ0NTg3M2Q5OTg2MSIsImF1ZCI6IjVnamc4OTU2dW03YmYyaDVjM2Z1YXYxbzQ2IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImV2ZW50X2lkIjoiODIyMWI3MjQtMzI5ZS00ZGJjLThjZjktZjhlMjY5NWFiNjkzIiwidG9rZW5fdXNlIjoiaWQiLCJhdXRoX3RpbWUiOjE1OTM5MDg1MjEsImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC5hcC1zb3V0aGVhc3QtMi5hbWF6b25hd3MuY29tXC9hcC1zb3V0aGVhc3QtMl9Qa1ROR1RPNzIiLCJjb2duaXRvOnVzZXJuYW1lIjoiZjA0OTc2ODAtYmU0MS00Y2VkLWIzNDgtZDQ1ODczZDk5ODYxIiwiZXhwIjoxNTkzOTEyMTIxLCJpYXQiOjE1OTM5MDg1MjEsImVtYWlsIjoicWlhby5saUBob2xtZXNnbGVuLmVkdS5hdSJ9.lkTA49l_EQpWnhiLnKdbBR1anA0H4psFwEEBJuWgwQ6Iwg_GVZgvl3Sf0_p8OF-_vgRvcGbg1uI7nJdcTBs5EAcLV75AKfglQT7UjWXQtv10D7lh86sLNmIuLWRcJDV-8iCNSlHeFqJnBcskEH4yTXJI03s7Ikp9ZVZiNDW-wZzt6fW3n1SEtfN57sV4xvknByJBqswwUv07vL3URGk60MLMfLex16vVijBVHOhvMwWByEOpvWFMH3jY0NrGjx9ty5U4I-Bq1OvwJlR5SGPz2OjiPMdXnGM8eA-E8AUHjY8VtFIW4Ec6d74axlw7qMIayUHL8UaNMKKHSDM_giIpMg&access_token=eyJraWQiOiIxOEpWY2hGcWowQndhNjkxdUFlWW5IVThxdWdaWVhxOW9FaGFZNUd3cGtZPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJmMDQ5NzY4MC1iZTQxLTRjZWQtYjM0OC1kNDU4NzNkOTk4NjEiLCJldmVudF9pZCI6IjgyMjFiNzI0LTMyOWUtNGRiYy04Y2Y5LWY4ZTI2OTVhYjY5MyIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoicGhvbmUgb3BlbmlkIHByb2ZpbGUgZW1haWwiLCJhdXRoX3RpbWUiOjE1OTM5MDg1MjEsImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC5hcC1zb3V0aGVhc3QtMi5hbWF6b25hd3MuY29tXC9hcC1zb3V0aGVhc3QtMl9Qa1ROR1RPNzIiLCJleHAiOjE1OTM5MTIxMjEsImlhdCI6MTU5MzkwODUyMSwidmVyc2lvbiI6MiwianRpIjoiMjVkM2MzMTYtNDNkMS00OTY5LTg3YTQtOTkxNWE3YzE0Y2FiIiwiY2xpZW50X2lkIjoiNWdqZzg5NTZ1bTdiZjJoNWMzZnVhdjFvNDYiLCJ1c2VybmFtZSI6ImYwNDk3NjgwLWJlNDEtNGNlZC1iMzQ4LWQ0NTg3M2Q5OTg2MSJ9.J0j9jZFzEG8gjowipZdJ_O_uXUKP5Jyk5PrZvWf5yVZ4jbdoJpgom3IcxFcaDvXbTkB_NNx9soq8Prc-whpYrjQ9RxDTd3Fb6ZyDOXhRaVQAmQSnagVr0_jPhH9Bw4_AS_4jNy4t27yDufpOnEgNWQW1sy96zpuaLFHJYAQblaJCxt_qbf_KETRDCil8ap63XUbAElaCvnSRrIGCcXmVOPChUMDSHVDu4CoMm9cgRQvj-kWFKP96YEO62tFa4_gZk1CICvjFEi7VCH0tvN9JVe8baSHm2GL1jaTeoUeE0jmGPGxGc-7fDBY37JjPbnPiHDZlm3D8eGE1AhO5qI3rng&expires_in=3600&token_type=Bearer
I verified the token on https://jwt.io/ and it is decodable. However, when trying to test the token in test tool in API gateway Authorizer, I got a 401 error.
Also, I tried to post the request in Postman as well and the result is also 401, with the following result.
{
"message": "Unauthorized"
}
My take is that if I can get a token through the endpoint, the token must be correct, right? How can I troubleshoot? thanks
Now I used the "wild rydes" app to sign in for a token, and the token will pass the Authorizer test in API gateway, also Postman API call is working.
Still, the token generated by "Hosted UI" in the Cognito does not work, as in the original question.
The Cognito authorizer on your API Gateway will accept either the ID token or Access token, depending if you specified an OAUTH scope to the API Gateway method when adding the authorization.
The Authorizer test on API Gateway will only accept the ID token. So I would suggest checking that you are getting a token from the correct Cognito UserPool that matches your API Gateway Cognito authorizer and then check your API Gateway method to see if you specified an OAUTH scope. If specified a scope, this scope will need to be in the Access token sent to API Gateway. If no scope specified, send the ID token.
How to setup wso2 api gateway.
Is it possible to modify/customize behavior of WSO2 gateway
We have our own OAuth server and want to redirect each and every request to OAuth server for authorizing request.
Once request is authorized then gateway should redirect that to back end service/api
We want add some filtering logic as well.
Yes, this is possible with third party key manager support in WSO2 API Manager [1].
The basic idea in here is when generating a token, the token request will go to the OAuth server of yours via the key manager component of API Manager.
When an API request comes in, the gateway send the token validation request to the key manager component of the API manager. From here, you can call the OAuth server of yours to validate the token.
To accomplish your requirement you have to write your logic in Java language. Sample can be found in [2].
https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configure-a-third-party-key-manager/#configure-a-third-party-key-manager
https://github.com/wso2-extensions/apim-keymanager-okta/blob/OKTA-OAuth-Client-2.0.0/docs/config.md
I'm using WSO2 6.5.0, i created proxy service which calls external REST API,
But I have to add Bearer Token to the Header,
Please refer the below question :
How to call rest service from wso2 proxy service using BEARER Token?
Since ESB is working stateless, you have to set Bearer token from the client-side and send the request to the ESB.
Where I'm At
I'm currently working through setting up Auth0 delegated authentication for AWS API Gateway. I've followed the documentation and tutorials below with the exception that I have an app in place rather than their example apps:
https://auth0.com/docs/quickstart/spa/angular2/aws
https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/
https://auth0.com/docs/client-platforms/angular2
https://auth0.com/docs/integrations/aws-api-gateway/part-2
What is Working
Auth0 sign on from my Angular2 app is working correctly and I'm getting a token.
Auth0's AuthHttp component is attaching the bearer token to the Authenticate header when I call the AWS API Gateway.
What is Not Working
Status 403 response from AWS API Gateway indicating a Cloudfront IncompleteSignatureException; "Authentication header missing equal-sign".
The authentication header is
Authentication: Bearer edJ0e...[I've truncated for brevity]
Could AWS be expecting a different type of authentication which uses key value pairs? How to I tell AWS API Gateway that it should be looking for a JWT?
I'm guessing you have AWS_IAM authentication enabled for your API Gateway endpoint. You need to disable that if you aren't planning to use it. If you plan to use AWS_IAM authentication in addition to JWT then you will have to send the JWT token using a different field.
From part 5 of the Auth0 tutorial you linked:
The final step is to pass the JWT to the method from the browser
client. The standard method is with an Authorization header as a
bearer token, and you can use this method if you turn off IAM
authorization and rely solely upon the OpenID token for authorization
(you will also need to map the Authorization header into the event
data passed to the AWS Lambda function). If you are using IAM, then
the AWS API Gateway uses the Authorization header to contain the
signature of the message, and you will break the authentication by
inserting the JWT into this header. You could either add a custom
header for the JWT, or put it into the body of the message. If you
choose to use a custom header, you'll also need to do some mapping for
the Integration Request of the POST method
Based on the error message, it sounds like you've configured your API for AWS_IAM authentication. This requires your request be signed with AWS Signature Version 4.
In order to execute API Gateway functions you will need to do 1 of 3 things:
Get AWS credentials via IAM/STS as noted in the auth0 example and use those to sign your request.
As noted in Mark B's answer, follow the instructions in step 5 of the tutorial from auth0 and disable AWS_IAM auth and do the validation inside your Lambda.
Switch to use a custom authorizer to validate the JWT directly at the API Gateway layer. This would require you to take the code Auth0 provides to validate the token then build your own authorizer result.
(Posted on behalf of the question author).
Update
Both Mark B and Bob Kinney are correct. What I did (and you may have as well) is jump around in the various Auth0 links I posted at the top of this question and attempt to use their angular2-jwt library (with the AuthHttp component) to adapt the tutorial to Angular2 while following along with their 5-part example of setting up Auth0 with AWS API Gateway. The AuthHttp component will automatically put the JWT Bearer token in the "Authentication" HTTP header which is incompatible with an AWS API Gateway call secured by IAM authorization. As these gents showed me, this is explained in part 5 of the tutorial. If you only made it to part 4 and it's not working hopefully this answers your question as it did mine.
Update 2
The Auth0 Angular2 tutorial has been updated to reflect Angular2 rc 1. https://auth0.com/blog/2015/05/14/creating-your-first-real-world-angular-2-app-from-authentication-to-calling-an-api-and-everything-in-between/