I created an application that's calling Oracle RESTful web services and I want to secure them with OAuth 2.0. I followed this tutorial: 'Accessing the RESTful Services from a Third Party Application'.
But when I try to get the access token, I get the error below:
https://server:port/i/oauthdemo/gallery.html#error=access_denied&state=STATE
This document mentions that this error happens if the user denies the request. How can I approve the request? Is there any extra configuration that I need to make?
I was curious how I can see whether the revoke API endpoint exists. The URL configured is
https://localhost:9443/revoke
But I could see the API listed under the started application or under API.
I even tried retrieving the WADL from the URL, but it did not return anything.
Do we need to explicitly publish it, or does it get done automatically when we start the WSO2 server? Or do we need to install something other than the WSO2 API Manager to get this API?
When I browse the endpoint https://localhost:9443/revoke/?_wadl, I get the error
405 - method not allowed
The port should be 8243.
And it's not a SOAP service.
Ref: https://docs.wso2.com/display/AM260/Token+API#TokenAPI-Revokingaccesstokens
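The request shape the referenced Token API page describes, as an added example in Go (not code from the thread or from WSO2): a POST to the gateway port with the token form-encoded and the application's consumer key and secret as HTTP Basic client credentials. Browsing the URL sends a GET, which the revoke resource does not accept; the gateway base URL and credential values below are constructed placeholders.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// NewRevokeRequest builds the revoke call the WSO2 Token API expects: POST to
// <gateway>/revoke on the gateway port (8243 by default), the access token in a
// form-encoded "token" field, and the application's consumer key/secret sent as
// HTTP Basic credentials (the client authenticates itself, not the end user).
func NewRevokeRequest(gateway, consumerKey, consumerSecret, accessToken string) (*http.Request, error) {
	form := url.Values{"token": {accessToken}}
	req, err := http.NewRequest(http.MethodPost, gateway+"/revoke", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(consumerKey, consumerSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

func main() {
	// Constructed placeholder values; a real call uses the application's keys from the API Store.
	req, err := NewRevokeRequest("https://localhost:8243", "CONSUMER_KEY", "CONSUMER_SECRET", "ACCESS_TOKEN")
	if err != nil {
		panic(err)
	}
	_ = req // hand to http.Client.Do with a TLS config that trusts the gateway certificate
}
```

Sending the request with a client that skips certificate verification would silently accept any gateway, so the trust store should contain the gateway's certificate instead.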
Is there a way to authenticate a Microsoft or Google OAuth token in Active Directory without using an authentication server?
Here is the scenario:
A client app gets a Microsoft access_token from some external service.
The client app will make a call to some secured web API and pass that access_token along in the request header.
If the access_token passed by the client is valid, then the API will provide a response to the client.
Is there a way to validate that access_token on the API side?
My normal understanding of OAuth 2.0 is that there needs to be an authentication server that both the client and the API talk to, as shown in the figure below:
But if the token is provided by some external service, can we use it to validate our web API? Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.
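The validation the answer describes, done against a JWKS document of the kind AAD publishes at its keys endpoint, as an added example in Go that is not code from the thread or from any Microsoft library. It assumes RS256 tokens with a single-string `aud` claim; `MintTestToken` stands in for the identity provider so the check runs offline, and the `kid`, issuer and audience values are constructed for the example. The order matters: the key is chosen by the header's `kid`, the algorithm is fixed by the verifier, and no claim is read until the signature has been verified.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of a JSON Web Key that RS256 verification needs.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// Claims is the subset of registered claims this check enforces (assumption: "aud" is a single string).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// keyForKid parses a JWKS document and returns the RSA public key published under kid.
func keyForKid(jwksJSON, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []jwk `json:"keys"` }
	if err := json.Unmarshal([]byte(jwksJSON), &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, errors.New("no usable RSA key with this kid: re-fetch the JWKS (key rollover)")
}

// ValidateToken verifies an RS256 JWT against a JWKS document and only then checks
// issuer, audience and expiry: no claim is trusted before the signature is verified.
func ValidateToken(token, jwksJSON, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	// The verifier, not the token, decides the algorithm: "none" or an HMAC alg is rejected here.
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unparseable header or unexpected alg")
	}
	pub, err := keyForKid(jwksJSON, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, errors.New("wrong issuer")
	}
	if c.Aud != audience || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token was not issued for this API or has expired")
	}
	return &c, nil
}

// MintTestToken stands in for the identity provider (constructed for this example): it generates a
// key pair, signs a token and returns it with a JWKS document publishing the public half under kid.
func MintTestToken(kid, issuer, audience string, exp time.Time) (token, jwksJSON string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(Claims{Iss: issuer, Aud: audience, Exp: exp.Unix()})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	pubJWK := jwk{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	set, _ := json.Marshal(map[string][]jwk{"keys": {pubJWK}})
	return signingInput + "." + b64.EncodeToString(sig), string(set)
}
```

In a real API the JWKS string comes from an HTTPS fetch of the issuer's keys endpoint and is cached; when a token arrives with a `kid` that is not in the cache, the signing-key rollover page linked above is the reason to re-fetch once before rejecting it.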
I'm researching WSO2 API Manager and I discovered that if I use the WSO2 API Publisher and API Store, I would encounter XSS and CSRF security errors. With XSS, I see that WSO2 didn't encode HTML character input. With CSRF, I see that WSO2 didn't create a token when I request from client to server and vice versa.
Does anyone know how to configure WSO2 to prevent these security errors, or how to fix them?
Thanks in advance.
On our side, there are a few things we do when publishing/consuming APIs via the API Publisher and API Store:
Set the Transports property to just HTTPS so that we can limit API availability to just HTTPS.
For each HTTP method, we set the Auth Type to either Application, Application User or both, but never None. This will force the client to utilize the WSO2 Access Token scheme to invoke the APIs hosted on the API Store.
On the client side, we have been invoking the Token API to generate and renew user and application access tokens so that we don't have to manually re-generate keys in the API Store.
Utilize an API in-sequence to escape special characters.
We fix these types of security issues in our next release, AM V 1.7.1. You can expect it in the 3rd week of September.
I am trying to create an authentication in ADF Mobile where the login URL is the PeopleSoft login page. When I enter the username and password in the emulator, it throws an error:
Terminating
Authentication URL responded with an illegal response code.
It is not basic authentication end point.
Please contact administrator
I have followed the following tutorial
https://blogs.oracle.com/shay/entry/accessing_secure_web_services_from
Here, instead of creating a remote secured login server, I want to use PeopleSoft to authenticate. Any ideas?
I have also seen somewhere that you can authenticate each web service you call by adding the username and password in the SOAP header. Any tutorials for ADF would be much appreciated, and @Shay Shmeltzer, any ideas would be helpful.
Thanks
Oracle MAF only supports security authentication against HTTP Basic Authentication pages, so I don't think you can use the PeopleSoft login page to authenticate either your application or your web services.
Otherwise, you can create a secure ADF page that validates login through PeopleSoft login credentials (username/password), then deploy that page to a server and secure your MAF application using that page.
Some useful links:
Accessing Secure Web Services from ADF Mobile
ADF Mobile - Secured Web Service Access
ADF Mobile Application Security
And about your second question: yes, you can customize the envelope header being sent from the MAF application to a SOAP web service (add username and password or any other attributes) by extending the SOAPProvider class and adding it to the datacontrol.dcx file as the provider for the web service.
The only example I can find online:
http://docs.oracle.com/cd/E37975_01/doc.111240/e24475/amxwebservices.htm#autoId3
I have a custom Salesforce web service, but to access that web service we need to log in via the Salesforce enterprise WSDL, and I don't want to add that WSDL file. Is there any way to add a login function to the custom web service, or to log in without that WSDL web service?
Yes, see SOAP request to APEX webservice without requiring authentication.
go into the site detail page in setup, click Public Access Settings,
and then add the Apex Class there. This is effectively granting your
anonymous running user account (guest license) the ability to directly
access this class.
There are more detailed instructions at Public Web Services via Apex and Force.com Sites.
Note that your data exposed via this web service will no longer be secure.
As you mention, you need to authenticate; the login method is not included in the custom Apex WSDL. You have lots of choices, depending on exactly what sort of app you're building.
Add either the enterprise or partner WSDL to your app and call login from there.
Use an interactive OAuth flow, which will result in you getting an access token & instance URL, which you can then use with the Apex WSDL.
Use a programmatic OAuth flow (username/password), again resulting in an access token & instance URL, which you can then use with the Apex WSDL.
If you have a web-based app, you can create a custom link/tab in Salesforce to pass you an existing serverUrl/sessionId.
For the OAuth flows, you would pass the received access token in your Apex requests as the sessionId (just like if you got it from login), and you would combine the host name from the instance URL with the path from the Apex WSDL to set the endpoint URL of your stub.
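The last step of that answer, worked through in Go as an added example that is not code from the thread or from Salesforce: the endpoint is rebuilt from the OAuth `instance_url` host plus the path from the Apex WSDL's address, and the access token is placed in a `SessionHeader` exactly where a `login()` sessionId would go. The class name `MyService`, its namespace and the instance host are constructed for the example; the namespace is taken from the WSDL, so it is treated as trusted, while the token value is XML-escaped because it arrives from outside.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// ApexEndpoint derives the SOAP endpoint for a custom Apex web service: host from
// the instance_url returned by the OAuth flow, path from the address in the Apex
// WSDL, always over https.
func ApexEndpoint(instanceURL, wsdlAddress string) (string, error) {
	inst, err := url.Parse(instanceURL)
	if err != nil || inst.Host == "" {
		return "", errors.New("instance_url must be an absolute URL")
	}
	wsdl, err := url.Parse(wsdlAddress)
	if err != nil || !strings.HasPrefix(wsdl.Path, "/services/Soap/") {
		return "", errors.New("WSDL address is not a Salesforce SOAP endpoint")
	}
	return (&url.URL{Scheme: "https", Host: inst.Host, Path: wsdl.Path}).String(), nil
}

// SessionEnvelope wraps an already-serialised SOAP body in an envelope whose
// SessionHeader carries the OAuth access token in place of a login() sessionId.
// classNS is the target namespace from the Apex class WSDL (trusted input); the
// token is XML-escaped so an unexpected value cannot break out of its element.
func SessionEnvelope(classNS, accessToken, body string) string {
	var esc bytes.Buffer
	xml.EscapeText(&esc, []byte(accessToken))
	return `<?xml version="1.0" encoding="UTF-8"?>` +
		`<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="` + classNS + `">` +
		`<soapenv:Header><urn:SessionHeader><urn:sessionId>` + esc.String() + `</urn:sessionId></urn:SessionHeader></soapenv:Header>` +
		`<soapenv:Body>` + body + `</soapenv:Body></soapenv:Envelope>`
}

// NewApexRequest builds the HTTP request a generated stub would send: a POST to
// the derived endpoint with the SOAP content type and a SOAPAction header set to
// the empty string, as in the Salesforce SOAP examples.
func NewApexRequest(endpoint, envelope string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(envelope))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "text/xml; charset=UTF-8")
	req.Header.Set("SOAPAction", `""`)
	return req, nil
}

func main() {
	// Constructed values: a hypothetical Apex class "MyService" and placeholder instance host/token.
	ep, err := ApexEndpoint("https://example-instance.my.salesforce.test",
		"https://login.salesforce.com/services/Soap/class/MyService")
	if err != nil {
		panic(err)
	}
	env := SessionEnvelope("http://soap.sforce.com/schemas/class/MyService", "ACCESS_TOKEN_FROM_OAUTH", "<urn:ping/>")
	req, err := NewApexRequest(ep, env)
	if err != nil {
		panic(err)
	}
	_ = req // send with an http.Client; the access token is a bearer credential and belongs only in this header
}
```

Because the token in the header grants whatever the user authorized, the request must only ever be sent to the host derived from the `instance_url` the authorization server returned, never to a host taken from the response of some other service.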