I have the following setup on the same machine:
WSO2-AM
WSO2-IM-KM (Identity manager as key manager)
The identity manager federates authentication to an external OpenID identity provider.
What I've done so far:
Share the databases between the two components
Make WSO2-AM delegate the authentication to WSO2-IM-KM
Configure the external provider to the generated service provider (generated in WSO2-IM-KM when creating an application in WSO2-AM store)
The current behavior:
I can obtain an authorization code by calling the following URL : https://my.site:9444/oauth2/authorize?response_type=code&client_id=pkYcC4xFQ1jt6dQbdZAe6savv4oa&scope=phone+email+address+openid+profile&redirect_uri=https://my.site:9443/store/jagg/jaggery_oidc_acs.jag&nonce=3734e7d4c22f1&state=128d20e14c884, the authentication succeeds, then the jaggery_oidc_acs.jag endpoint fails
Since the jaggery_oidc_acs.jag endpoint fails, I manually retrieve the code then POST it to https://my.site:8243/token which returns me an access_token, a refresh_token, and an id_token
My problems :
How am I supposed to automate the manual step I described before? Am I in charge of creating a dedicated endpoint to do it, in order to keep the authorization_code obfuscated from the client, or is there a built-in endpoint in WSO2? If appropriate, what is this endpoint?
Is there an endpoint that generates the oauth2/authorize URL?
After further research:
I have found the following document https://docs.wso2.com/display/IS540/Authorization+Code+Grant that seems to indicate that I need a "client", but I don't have one, I just need my API to be authenticated with the external identity provider.
Answering to problem 01
If you want to use authorization code grant type to get access token definitely there should be a callback URL to get authorization code. If your callback URL is real no need to do any manual step, simply just retrieve authorization code from request query parameters sent to callback URL. You can check this behavior from playground2 sample application [1] where callback URL is http://localhost:8080/playground2/oauth2client.
Answering to problem 02
Please check OAuth2AuthzEPUrl tag in identity.xml
[1] https://docs.wso2.com/display/IS570/Setting+Up+the+Sample+Webapp
Related
So, I understand how OIDC works for the most part. I know how to solve this question if we use OIDC directly (without AWS handling it for us). The browser would just send their access_token to us for all async calls, and we could verify it against the OIDC UserInfo service that's hosted by our OIDC provider.
The AWS implementation doesn't expose any of these common OIDC values to the browser though, and just gives us their proprietary encrypted cookies like AWSELB. This is fine, for super basic sites where you don't care about actually authenticating the user once they're authorized, but we care about both.
We could also generate a proprietary "session key" when our callback is hit, and use that instead of the AWSELB cookie... but it seems like reinventing the wheel. Certainly, there must be a way to let our backend application code just reuse the AWSELB cookie to verify the identity of user? AWS documentation mentions no such webservice to allow us to validate that cookie from our server code.
The load balancer provides the IdP's access token as a header: x-amzn-oidc-accesstoken; you should be able to validate this against the IdP. It also provides user claims in a header: x-amzn-oidc-data.
See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding
I read about JWT and i think i understand how it works, but when things come to ballerina examples i don't understand anything:
How do i set the algorithm which i want to use along with JWT and the expiration time?
How do i use a custom private key?
How can i get the token from this example for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
May be how can i get the token using CURL (for testing purposes)?
Also i'm wondering how to use the JWT without the need of having a database with users and passwords..
I'm absolutely new to security and ballerina also. Can anybody help please?
Ballerina JWT module [1] provides following functionalities.
Issue a JWT
You can issue/generate a JWT by providing jwt:JwtIssuerConfig. You can configure username, issuer, audience, expiration time, signing algorithm, custom claims and configuration for signature (key-store config). Please refer to API docs of jwt:JwtIssuerConfig [2]. Example code can be found at [3].
Validate a JWT
You can validate a JWT by providing jwt:JwtValidatorConfig. You can configure expected issuer, expected audience, clock skew, cache configuratons and configurations for validating signature (trust-store config). Please refer to API docs of jwt: JwtValidatorConfig [4]. Example code can be found at [3].
Secure a service with JWT
You can use JWT to secure and HTTP service. The Authorization header of the inbound HTTP request will get validated and authenticated according to the provided configurations. Please refer to API docs of jwt:InboundJwtAuthProvider [5]. Example code can be found at [6].
Calling to a service with JWT
You can use JWT to call to an external server which is authenticated with JWT. The outbound HTTP request is prepared with the Authorization header according the provided configurations. Please refer to API docs of jwt:OutboundJwtAuthProvider [7]. Example code can be found at [8].
Answers for the questions:
How do i set the algorithm which i want to use along with JWT and the expiration time?
You can configure jwt:JwtIssuerConfig [2] as described above.
How do i use a custom private key?
You can configure the jwt:JwtKeyStoreConfig field of jwt:JwtIssuerConfig [2], with your custom private key.
How can i get the token from this example for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
May be how can i get the token using CURL (for testing purposes)?
This is a sample service which is secured with JWT. The token used to invoke this service is provided at the bottom of the sample. How to invoke this service with CURL is also provided.
Also i'm wondering how to use the JWT without the need of having a database with users and passwords..
All of the above samples, does not need any database or file store. All the configurations are provided in the code itself. If there is any requirement to retrieve data from database, that is also possible.
References:
1 https://ballerina.io/learn/api-docs/ballerina/jwt/index.html
2 https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtIssuerConfig.html
3 https://ballerina.io/learn/by-example/jwt-issue-validate.html
4 https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtValidatorConfig.html
5 https://ballerina.io/learn/api-docs/ballerina/jwt/objects/InboundJwtAuthProvider.html
6 https://ballerina.io/learn/by-example/secured-service-with-jwt-auth.html
7 https://ballerina.io/learn/api-docs/ballerina/jwt/objects/OutboundJwtAuthProvider.html
8 https://ballerina.io/learn/by-example/secured-client-with-jwt-auth.html
I am developing a web application using EC2 on AWS.
In this application my client is requesting to use his SSO (Single Sign On) so I can verify the user against his Active Directory. My problem is that I can't get to know where to begin with, these are some of my questions:
1) Is this SSO takes place on my code or on my server?
2) Do I have to make different configuration for differents deployment environments (for example aws, azure, digitalocean, etc)?
3) Where do I define, send and parse SAML 2.0 format?
4) Do I have the send a POST request to the server where the SSO is installed? Or how is it managed?
So far I have found this tutorial, but I am still do not know what to do first, so any step by step information will help a lot.
First you need the client (Identity Provider IdP) SAML2 metadata. This will have their SSO endpoint URL and their X509 signing certificate.
Then you send them your SAML2 metadata with your Attribute Consumer Service (ACS) URL and X509 signing certificate.
Sample metadata here. Or you can build it here.
The certificates are normally long lived self signed certificates. They can be self signed as each side has a copy of the other's certificate which they will use to verify the signed request and response.
You construct a SAMLRequest and POST it to their SSO URL. There's an example request here.
They display their login page to the user and the user authenticates at their end.
They gather attributes for the user from their Active Directory and turn them into SAML attributes and put them in a SAMLResponse.
They POST the SAMLResponse to your ACS URL. There's an example response here.
You verify the signature on their SAMLResponse using their X509 certificate from their SAML2 metadata.
You extract the SAML Attributes from their verified SAMLResponse and take appropriate action in your application, e.g. create the user an account, perhaps their email address is one of their attributes.
The above is called the SAML2 Web Browser SSO Profile, explained here.
Depending on your stack, you can use something like:
Shibboleth (middleware, install on your server, it interrupts requests to specific paths requiring Authn against the Identity Provider [ADFS], and returns the user after successful auth setting some attributes telling you info about the user such as username, etc.). Works best if you can compartmentalize secured content into a particular path on the site like /secure.
SimpleSAMLphp (protect PHP resources directly)
Commercial SAML (ComponentSpace, etc. - works well if .Net app)
Basically, find something for your stack. DO NOT TRY TO ROLL YOUR OWN SAML IMPLEMENTATION!
Is there a way to authenticate the Microsoft or google OAuth token in active directory without using an authentication server?
Here is the scenario:
A client app gets an Microsoft access_token from some external service.
Client app will make a call to some secured web API and pass that access_token along with the request header
If the access_token passed by client is valid then API will provide response to the client.
Is there a way to validate that access_token on API side?
My normal understanding about OAuth 2.0 is there needs to be an authentication server to which both the client and API would talk to as shown in the figure below:
But if the token is provided by some external service, Can we use it to validate our web API. Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.
I am new to WSO2 Identity Server(4.6). I have a use case, where I have a rest service on ESB (WSO2 ESB 4.9). And I would like to give resource level access to various users.
I thought of using WSO2 identity server for authorizing the user and using the token for accessing the rest service. I was going through the playground example, but that is not something I would like to do, where the Authorize service opens the Identity Server Authorization Service. It seems to be sequential, and assumes that the user/resource owner are the same.
I would like to do all that programatically, and just give the aothorization code to the user, and let him call the token service to get the token. Is this possible?
Thank you
You can use the https://localhost:8243/token endpoint for your use case. You can refer to below links for more information
https://docs.wso2.com/display/IS500/OAuth+Token+Revocation+with+WSO2+Identity+Server
https://docs.wso2.com/display/AM190/Token+API