Openid Connect Single Signout with entitlement Mediator in Enterprise Integrator - wso2

I am using wso2is as my OpenID Provider to front a web application. I am then making service calls from my application through wso2 enterprise integrator using the OAuth Mediator and the Entitlement Mediator (using wso2is as my PDP).
This all works very well.
The problem comes when I go to log out the user.
I send the user to /oidc/logout on my wso2is server and redirect them back to logout url for my application. This also works well and logs the user out of the frontend application.
The problem comes if I then try and access a service using the logged out user's access token. It will happily allow me to access the service until the access token expires.
Ideally what I would like is that wso2ie will reject access to the service (either at the oauth mediator or the entitlement mediator stage) once a user has logged out.
I have looked at frontend logout, backend logout, and openid session management and I am not sure what is the best fit for what I am trying to do.
I have also looked at the oidc/revoke endpoint, which feels like it does exactly what I need it to do, but I have not been able to get it to work properly. No matter how I make the request it always complains that the client id is not in the request (even if I explicitly set it in the data being posted).
Below is my service definition in wso2ei
<?xml version="1.0" encoding="UTF-8"?>
<!--Here is the service definition-->
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="ManagerPage"
       startOnLoad="true"
       statistics="disable"
       trace="disable"
       transports="https">
  <target>
    <inSequence>
      <property name="scope" scope="default" type="STRING" value="openid"/>
      <oauthService password="admin"
                    remoteServiceUrl="https://a8auth-dev.ls.cbn:8443/services/"
                    username="admin"/>
      <entitlementService callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.OAUTHEntitlementCallbackHandler"
                          client="basicAuth"
                          remoteServicePassword="PASSWORD"
                          remoteServiceUrl="https://a8auth-dev.ls.cbn:8443/services"
                          remoteServiceUserName="USER">
        <onReject>
          <send>
            <endpoint>
              <address uri="https://a8services-dev.ls.cbn:8443/noperm/"/>
            </endpoint>
          </send>
        </onReject>
        <onAccept>
          <send>
            <endpoint>
              <address uri="https://a8services-dev.ls.cbn:8445/manager/"/>
            </endpoint>
          </send>
        </onAccept>
        <obligations/>
        <advice/>
      </entitlementService>
    </inSequence>
  </target>
  <description/>
</proxy>
Do I need to create a mediator component that will check the OpenID session management? Maybe this already exists?
Do I need to extend the OAuth Mediator to better check sessions status?
Any example, links, or pointers in the right direction would be great.
Thanks.

The OIDC spec only specifies how to deal with the authenticated session of the user (although access token is a part of the response). So in the OIDC logout, we simply deal with terminating the authenticated session of the user.
Revoking the token obtained along with OIDC login goes beyond the spec. Even in our current implementation, this is not something straightforward since we do not maintain a correlation between the id_token and the issued access token.
However, we have an extension point introduced with [1] that can be used for a similar requirement during OIDC logout flow. Something to note is that even with this extension the correlation between id_token and access token needs to be handled by the extension developer.
[1] https://github.com/wso2/product-is/issues/3227
Please follow the link below as well for a better explanation:
http://wso2-oxygen-tank.10903.n7.nabble.com/Validity-of-access-token-after-OIDC-SLO-td158896.html#a158919

It turns out I was using the wrong id for the token I was trying to revoke. Once I started using the jti attribute from the jwt everything worked as expected.
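As an added example (not part of the original thread and not WSO2's own code), here is a small Python client that does what the follow-up describes: it pulls the jti claim out of the JWT access token and revokes that id at the WSO2 IS revocation endpoint, authenticating the client with HTTP Basic as RFC 7009 allows. The host, client id and client secret are placeholders; the /oauth2/revoke path is the standard WSO2 IS endpoint. Calling this from the application's logout handler, right after the /oidc/logout redirect, closes the gap in the question: the OAuth mediator validates the token against IS on every call, so a revoked token is rejected at the mediator before the entitlement check runs.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Tuple

# Placeholders: replace with the real IS host and the OAuth client's credentials.
IS_BASE_URL = "https://is.example.invalid:9443"
CLIENT_ID = "REPLACE_WITH_CLIENT_ID"
CLIENT_SECRET = "REPLACE_WITH_CLIENT_SECRET"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_jti(jwt: str) -> str:
    """Return the jti claim of a JWT access token (the id WSO2 IS revokes by).

    The signature is deliberately not verified here: we only need the id, and
    the server decides whether the revocation is allowed from the client
    credentials that accompany the request.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    jti = claims.get("jti")
    if not jti:
        raise ValueError("JWT carries no jti claim; nothing to revoke by id")
    return jti


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7009 revocation authenticates the *client*, not the end user."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_revoke_request(token_id: str, client_id: str, client_secret: str,
                         base_url: str = IS_BASE_URL) -> Tuple[str, Dict[str, str], bytes]:
    """Build (url, headers, body) for POST /oauth2/revoke."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"token": token_id, "token_type_hint": "access_token"}).encode("ascii")
    return f"{base_url}/oauth2/revoke", headers, body


def revoke_token(jwt: str) -> int:
    """Revoke the access token identified by the JWT's jti; returns the HTTP status.

    Per RFC 7009 the server answers 200 even for unknown or already-revoked
    tokens, so a 200 means 'no longer valid', not 'was valid a moment ago'.
    """
    url, headers, body = build_revoke_request(extract_jti(jwt), CLIENT_ID, CLIENT_SECRET)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample token (fake signature) so the helpers can be exercised offline.
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "alice",
                               "jti": "a1b2c3d4-0000-4000-8000-000000000001",
                               "exp": 1700000000}).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

if __name__ == "__main__":
    print("would revoke token id", extract_jti(SAMPLE_JWT))
```

After revocation, a POST to /oauth2/introspect with the same token should report `"active": false`, which is a quick way to confirm that the mediator will now reject it.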

Related

How to call/configure a secured API in WSo2 API manager

I need to configure a set of APIs which are secured and use client credentials and password along with client key and secret key.
And how do I track the users that are trying to access the API?
I tried by adding proxy mediators.
By default, the API which you create in WSO2 API Manager will have the secure feature.
You can secure the APIs with
1. OAuth, which comes inbuilt in the application, or
2. WSO2 Identity Server integrated as the Identity Provider for WSO2 APIM.
The link below shows how to create and publish APIs in API Manager.
[https://docs.wso2.com/display/AM250/Create+and+Publish+an+API]
Once you are able to invoke the created API, you can check the usage of that API by checking on the Analytics profile for it. You can have it integrated with the API Manager.
The link below is useful to set up the Analytics profile for APIM 2.5.0.
[https://docs.wso2.com/display/AM250/Configuring+APIM+Analytics/]
Once the Analytics is setup for APIM, you can use the DB to fetch the usage of the APIs.
To solve your query, this is how you should proceed.
You can add a custom sequence in the inflow of the API ( you can do that from API Publisher only by editing it) [https://docs.wso2.com/display/AM260/Adding+Mediation+Extensions]
Sequence Code will be like below:
<sequence xmlns="http://ws.apache.org/ns/synapse" name="custom-sequence_name">
  <property xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
            xmlns:ns3="http://org.apache.synapse/xsd"
            name="accesstoken"
            value="put your token here"
            scope="transport"
            type="STRING"/>
</sequence>
The one above is for a static backend token. For a dynamic token you can create a sequence accordingly.
This should solve your query :)
For dynamic, go here [How the external authentication handled in WSO2 APIM for an external/Third Party APIs
If your backend is OAuth secured then you can use one of the following methods.
Method-1
The OAuth mediator, which can be used for generating OAuth 2.0 tokens and for calling backends that are secured with the OAuth 2.0 protocol. Refer this.
Method-2
Writing a mediation sequence which generates an access token for the backend and makes a connection to the OAuth 2.0 secured backend. Refer this blog.
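The static sequence above hard-codes a backend token that will silently expire. As an added example (not from the answer and not WSO2's code), the Python below shows the logic a dynamic variant needs: a client_credentials request to the token endpoint, and a cache that reuses the token and refreshes it shortly before expires_in runs out, so the backend token never sits in the sequence definition and never goes stale. The token URL and credentials are placeholders, and the fetch function is injected so the same cache works against a real endpoint or the constructed stub used for the offline check.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Placeholder: the token endpoint of the IS/APIM server that protects the backend.
TOKEN_URL = "https://is.example.invalid:9443/oauth2/token"


def build_client_credentials_request(token_url: str, client_id: str, client_secret: str,
                                     scope: str = None) -> Tuple[str, Dict[str, str], bytes]:
    """Build (url, headers, body) for a client_credentials grant (RFC 6749 section 4.4)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return token_url, headers, urllib.parse.urlencode(form).encode("ascii")


class BackendTokenCache:
    """Holds one backend token and refreshes it `skew` seconds before expiry.

    `fetch` returns the parsed JSON token response; `clock` is injectable so the
    refresh logic can be tested without waiting for real time to pass.
    """

    def __init__(self, fetch: Callable[[], Dict], clock: Callable[[], float] = time.time,
                 skew: int = 30):
        self._fetch = fetch
        self._clock = clock
        self._skew = skew
        self._token = None
        self._expires_at = 0.0
        self.fetches = 0  # how many times the token endpoint was actually called

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()
            if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
                raise ValueError(f"unexpected token response: {resp}")
            self._token = resp["access_token"]
            # A missing expires_in is treated as short-lived rather than cached forever.
            self._expires_at = now + int(resp.get("expires_in", 60))
            self.fetches += 1
        return self._token

    def authorization_header(self) -> Dict[str, str]:
        """The header to set on the outgoing backend call."""
        return {"Authorization": f"Bearer {self.get()}"}


def http_fetch(token_url: str, client_id: str, client_secret: str) -> Callable[[], Dict]:
    """Real fetcher: POST to the token endpoint and parse the JSON response."""
    def _fetch() -> Dict:
        url, headers, body = build_client_credentials_request(token_url, client_id, client_secret)
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return _fetch


def stub_fetch() -> Callable[[], Dict]:
    """Constructed stand-in for the token endpoint, used for the offline check."""
    counter = {"n": 0}

    def _fetch() -> Dict:
        counter["n"] += 1
        return {"access_token": f"tok-{counter['n']}", "token_type": "Bearer", "expires_in": 300}
    return _fetch


if __name__ == "__main__":
    cache = BackendTokenCache(stub_fetch())
    print(cache.authorization_header())
```

In a gateway this cache would live in a class mediator (or an equivalent service the sequence calls) and the returned header would be written to the transport scope instead of the static value in the sequence above.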

Set / store cookie on wso2 ESB

I have an endpoint from a third party that requires us to authenticate.
The response from the authentication endpoint is a session cookie.
I need to fetch the cookie from the response of this authentication endpoint, and then call another endpoint (e.g. a search endpoint) with this cookie.
I'm trying without WSO2 and have no problem with it; the problem is while using WSO2 ESB.
I have successfully requested the authentication endpoint via WSO2 ESB and the response returns success.
Then I try to call another endpoint (e.g. the search endpoint) and the response is 403 Forbidden (authentication failed), which means the cookie is not sent/set for the search endpoint.
How can I fix this?
I have try :
1. WSO2 ESB Getting a cookie from transport header with multiple cookies
2. In WSO2 ESB, how to store cookies and use them later for authentication?
Thanks a lot
Have you set the cookie? As you haven't provided details of your code:
<property xmlns:ns="http://org.apache.synapse/xsd" name="Cookie" expression="$trp.Set-Cookie"></property>
<property name="Cookie" value="JSESSIONID=1" scope="transport"/>
If the response from the first call is a session cookie then I would suggest that you write the session into a registry file so that you can fetch the session whenever you want.
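Whichever mediator carries the cookie forward, the value that goes into the Cookie request header must be only the name=value pairs: Set-Cookie attributes such as Path, Max-Age, HttpOnly and Secure are storage instructions for the client and servers do not expect them back, so copying a raw Set-Cookie value into a Cookie header is a common reason the second call still fails. As an added example (not from the answer and not WSO2's code) the Python below takes the response headers of the authentication call, collects every Set-Cookie header, and renders the Cookie header for the follow-up request; the login response headers are constructed sample data.

```python
from http.cookies import SimpleCookie
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the headers the authentication endpoint might return.
LOGIN_RESPONSE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "JSESSIONID=1A2B3C; Path=/; HttpOnly; Secure"),
    ("set-cookie", "XSRF-TOKEN=xyz; Path=/; Max-Age=3600"),
]


def set_cookie_values(raw_headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return every Set-Cookie value; header names are case-insensitive and
    a server may send several Set-Cookie headers in one response."""
    return [value for name, value in raw_headers if name.lower() == "set-cookie"]


def cookie_jar_from_set_cookie(set_cookie_headers: Iterable[str]) -> Dict[str, str]:
    """Collect name -> value from Set-Cookie values, dropping the attributes.

    A later cookie with the same name replaces the earlier one, which is the
    behaviour a browser would show for a cookie the server re-issues.
    """
    jar: Dict[str, str] = {}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)  # understands Path, Max-Age, HttpOnly, Secure, ...
        for name, morsel in parsed.items():
            jar[name] = morsel.value
    return jar


def cookie_header(jar: Dict[str, str]) -> str:
    """Render the jar as the value of a Cookie request header (RFC 6265 section 5.4)."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def follow_up_request_headers(login_headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Headers for the search call: only the Cookie header, no Set-Cookie attributes."""
    jar = cookie_jar_from_set_cookie(set_cookie_values(login_headers))
    if not jar:
        raise ValueError("authentication response carried no cookies")
    return {"Cookie": cookie_header(jar)}


if __name__ == "__main__":
    print(follow_up_request_headers(LOGIN_RESPONSE_HEADERS))
```

The same split applies to the ESB property in the answer: store the extracted name=value string, not the whole `$trp.Set-Cookie` value, and set it with transport scope so it is emitted as a header.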

WSO2 API Gateway changing the service HTTP endpoint at runtime

I used WSO2 Publisher application to create & publish an API with following configs:
Context = a
Version = v1.0
URL Pattern: /b/{bId}/c/{cId}
HTTP Verb: GET
Endpoint Type: HTTP Endpoint
Production Endpoint: http://backendserver:port/services/rest/GetXYZ
In the store I subscribed to the API, generated an application token and invoked the API with following URL:
https://gatewayserver:port/a/v1.0/b/123/c/456
However, when the gateway calls the backend service it somehow automatically changes the endpoint to the following:
http://backendserver:port/services/rest/456
instead of the expected:
http://backendserver:port/services/rest/GetXYZ
I verified the synapse config of the API and it captured the endpoint correctly as defined. What changes that backend endpoint automatically? How can it be avoided?
What version of API Manager are you using? If it is API Manager 1.10, you would get a request to the backend like this for the default HTTP endpoint:
GET /services/rest/GetXYZ/b/123/c/456
The default behavior is to append the resource path to the backend endpoint when the request goes out from the API Manager.
e.g. if the endpoint is http://test.com/abc and the API has a resource defined as /testresource/123 then the request to the backend would be http://test.com/abc/testresource/123 with the default endpoint type (HTTP endpoint).
If you want to call the backend without appending the resource to the request, you can add the following property to the synapse configuration:
<property name="REST_URL_POSTFIX" scope="axis2" action="remove"/>
You can do this by using the mediator extension feature provided in API Manager. See
https://docs.wso2.com/display/AM1100/Adding+Mediation+Extensions.
The following is a sample extension file:
<sequence xmlns="http://ws.apache.org/ns/synapse" name="removeresource">
  <property name="REST_URL_POSTFIX" scope="axis2" action="remove"/>
</sequence>
Upload this and then import it into the 'In flow' sequence of the API. See https://docs.wso2.com/display/AM1100/Change+the+Default+Mediation+Flow+of+API+Requests

WSO2 API Manager 1.9.1 - Routing

Is there any way in WSO2 API Manager to read a parameter value from the request XML/JSON (payload) and, based on that value, route the request to different backend endpoints?
You can try using mediator extensions.
The API Manager has a default mediation flow for the API invocation requests that it receives. You can extend this default mediation flow to route the request.
First write a sequence file to change the flow. A sample sequence is as follows.
<sequence xmlns="http://ws.apache.org/ns/synapse" name="YahooWeather2">
  <property name="YQL"
            type="Expression"
            expression="concat('?q=select%20*%20from%20weather.forecast%20where%20woeid%20in%20(select%20woeid%20from%20geo.places(1)%20where%20text%3D%22',syn:get-property('uri.var.zipcode'),',',syn:get-property('uri.var.country'),'%22)format=json')"/>
  <property name="REST_URL_POSTFIX" type="Expression" expression="get-property('YQL')" scope="Axis2"/>
</sequence>
To upload the sequence file to APIM:
1. Log in as admin and go to Main -> Resources -> Browse.
2. Go to /_system/governance/apimgt/customsequences/in from the tree view.
3. Click on Add Resource and upload the sequence file you created.
4. Log in to API Publisher, select the API, click on Edit and go to the Manage tab.
5. Tick the check box "Check to select a custom sequence to be executed in the message flow", in the In Flow dropdown select your sequence (in the sample case YahooWeather2) and do Save & Publish.
6. Log in to API Store, subscribe to the API and generate an access token.
You can check availability from the API Console in API Store. For further details refer to https://docs.wso2.com/display/AM191/Change+the+Default+Mediation+Flow+of+API+Requests

using WSO2 carbon registry for storing sensitive configuration data

I have a third party service that I need to call from my AXIS2 web service that I have deployed into a WSO2 App Server.
I would like to store the username and password for the third party service in the Carbon registry, however, I want to protect the sensitive data (e.g. secretpassword), so it isn't visible in the clear by DBA's who have access to the registry data.
SomeService service = new SomeService(
    new URL("https://some-server:9443/service"), "admin", "secretpassword");
Ideally, the sensitive data would be encrypted.
Question: Does the registry support encrypted data?
A similar question has been asked here, but I haven't been able to find any more information.
For encrypting certain properties of a resource, you can use the Encryption Handler by adding the following config to registry.xml (as described in this thread):
<handler class="org.wso2.carbon.registry.extensions.handlers.EncryptionHandler">
  <property name="propertyNames">foo,bar</property>
  <property name="encryptContent">true</property>
  <filter class="org.wso2.carbon.registry.core.jdbc.handlers.filters.MediaTypeMatcher">
    <property name="mediaType">application/vnd.wso2.foo</property>
  </filter>
</handler>
To secure the secret information in WSO2 Carbon configuration files you can use secure vault as described here.