Wso2 PDP authentication method - wso2

I want to use Wso2 as Policy Decision Point but i dont really like that it uses Basic Auth.
Is it possible to change the authentication method for the XACML requests ?
Can i use SSO for example?

I don't know about changing the authentication methods in WSO2 IS itself, but one option for strong authentication would be to setup and apache or nginx reverse proxy that uses client certificate verification. The endpoints making the XACML requests would need a certificate signed by a CA that you create, so it would only work if you had a few specific endpoints you wanted to make requests.

Related

Securing backend with WSO2 Identity Server and WSO2 API Manager

I have an API that is exposed through WSO2 API Manager, it is secured by OAuth2 so client must pass an apikey, token or credentials in order to get access to resources. So far so good. But now, I'd like to protect backend's endpoint as well. Backend only accepts calls from API Manager (IP security) but it is open, I mean, if someone with access to APIM's host does the call, it will accept since there is no authentication between them.
I would like to use Identity Server to protect backend but according to APIM documentation, supported endpoint security are BASIC or DIGEST.
What is the best approach to implement BASIC/Digest auth in SpringBoot backend and use WSO2 Identity Server as user registry? This way I can centralize every security details to a single solution.
Thanks in advance.
If you use basic auth or any such, your back end might have to do another API call to WSO2 to validate that token. Instead, you can pass a self contained JWT token from the API manager to the backend. So that the back end can validate that the JWT is issued by the API manager it self using using the certificate without relying on anything else.
From this way you can verify if the call was made y API Manager, additionally the end user as well from the JWT content.
Doc : https://apim.docs.wso2.com/en/latest/learn/api-gateway/passing-end-user-attributes-to-the-backend/passing-enduser-attributes-to-the-backend-using-jwt/?fbclid=IwAR1JT9DLOclmA-xw0Ev9C2Xrje5EDGrDBnmMkfDKMcbxTlCLf0swSPucMfA

Using AWS API Gateway for Lumen based REST API Service with Passport authentication hosted in EC2

I am entirely newbie in Amazon Web services. Currently i am developed a REST API service using Laravel's micro frameworks called Lumen. I am using passport for token based authentication and all that working fine. I need a proxy server to hide my actual endpoints and do some other functionality so i am planning to use AWS API Proxy Gateway and host the API endpoints in EC2 instance.
i went through Build an API with HTTP Proxy Integration from Aws documentation. but there is nothing about using a custom authentication using Oauth.
My Doubts are
How to use Passport authentication when using AWS API Gateway
Is there any good method to hide my REST Endpoint from customer and need a way to change the proxy end point from time to time.
I don't know Laravel ecosystem, but:
if passport expose something like an OpenId Connect you could use Cognito Federated Identities for, precisely, federate your identity, and associate the authorized identities with a given IAM role and unauthorized with another role;
you can use an Api Gateway Custom Authorizer to perform fully customizable auth;
Try expanding your question so we could add more details...
Yes, like what BAD_SEED said, you can use API Gateway Lambda authorizer (formerly known as the custom authorizer) to do any logic to verify the token, since it's just a javascript package.
So, one option is like what auth0 does in (https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers/part-3) and (https://github.com/auth0-samples/jwt-rsa-aws-custom-authorizer). Their sample authorizer does followings:
It confirms that an OAuth2 bearer token has been passed via the Authorization header.
It confirms that the token is a JWT that has been signed using the RS256 algorithm with a specific public key
It obtains the public key by inspecting the configuration returned by a configured JWKS endpoint
It also ensures that the JWT has the required Issuer (iss claim) and Audience (aud claim)
But unfortunately, Passport does not support JWKS endpoint (which exposes public key for the token signature). So you may have to expose it by yourself.
Another option is much easier, you just make a token verification endpoint in your application, something like /users/me, and protect it with auth middleware. Then in your Lambda authorizer, call it with the token in the request to your other micro service endpoints. By this way, all token verification stuff is left to Passport, and the authorizer just executes policy based on the result of the verification.
Not very sure about what you want to reach, but API Gateway is just a proxy, so you can certainly change backend side endpoints for its frontend one, which is better not changing so often.

How to use WSO2 AM to call my backend services that are secured with OATH

Using my API Gateway WSO2, I want to call my backend services (my endpoints) that are secured with OAuth (ACCES-Token). But I cannot find how to do that.
It's even mentioned on the WSO2 website that by using API publisher (of WSO2 AM) you can only configure your APIs to call services secured with username/password : https://docs.wso2.com/display/AM210/Working+with+Endpoints
You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password.
Do you know if there is another way to do this without using the API Publisher ?
Mu browser (SET API Gateway Access-Token) -- API Gatewau WSO2 (SET my Backend services Acess-Token) --> My backend services
Thank you !
You cannot call backend services secured with OAuth through APIs created in the API Publisher. At the moment, you can call only services secured with username/password.
Out-of-box from the API Publisher you can directly authenticate with the backend using Basic authentication (username and password)
Do you know if there is another way to do this without using the API Publisher ?
well - the Publisher app is always involved
I want to call my backend services (my endpoints) that are secured with OAuth (ACCES-Token)
There are multiple ways how to authenticate with the backend, not all are so straightforward
Basic authentication (this is what you don't want)
JWT token - the API Manager is able to send a signed JWT token with the API calls to the backend and the backend service could authenticate and extract client details from the JWT token.
Using the inbound mediation configuration you could manipulate the request payload and metadata
With the point 3 you should be able to send a custom OAuth/Authorization header. The question is - with what identity provider your service is authenticating/authorizing?
The problem is that there's no unified configuration how your service's client (API manager calling the backend) would fetch / cache / refresh / revoke the token which would work with all possible identity providers.
In theory you could implement the OAuth authentication with external IdP using the inbound mediations (sequences), but I strongly urge do not put anything complex as API mediation for sake of maintainability (been there, done that, screw it badly)
Maybe the simplest option would be having a permanent token you could pass in the HTTP headers, it sounds simple enough.
There is a custom Oauth2 mediator which you can try. https://github.com/imesh/wso2-oauth-mediator

How do I add security to my WSO2 ESB?

Such as two factor authentication, 3rd party OAuth, Connecting to LDAP.
I have added the above security to Wso2 Identity Server. But please help me achieve the same with Wso2 ESB.
Thanks
Where you want to add the security? What you want to secure?
I see two parts where the user security may play role in ESB:
For the carbon (management) console, I may disappoint you, that may not be so simple. See the Custom carbon authentication . It seems you need to enable other authenticators or add your own (see the file authenticators.xml, they are disabled by default) and "patch" the carbon to use it. However - for our best practices the management console (and the management services) should be not accessible from untrusted network .
If you're talking about securing the web services, this is not something an end user (person) is accessing. Ok - excluding the REST services. There are multiple options available to secure web services. From basic authentication (and username token), to STS (security token service), signing and encrypting the payload. See Securing web services, however here we assume some knowledge about the service security.

wso2 identification server authorization api

I am trying to use wso2 identification server as authorization center:
there are several system, they share same user information
I want them to utilize identification server to perform authentication and authorization
In current research, I have found the API which I can use to perform authentication, and also soap api to perform user/group/permission management soap api
But I could not find the api which I can use to perform authorization request? So far those code are written in AuthrozationMgrJDBCImpl, there is no soap API expose those API.
Is there anybody know such API?
Yes.. WSO2 Identity Server can be used as centralized authorization management. There are two approaches
Use XACML capabilities of the WSO2IS. This is the standard way. WSO2IS can act as XACML PDP. You can create policies for different appolications. PDP is exposed as web service API, Application can call this web service API to receive authorization decision based on the policies. You can see the WSDL by pointing to https://localhost:9443/services/EntitlementService?wsdl. You can find more details on XACML and WSO2IS from here.
Use "AuthorizationAdminService" services. This is a custom way that you have referred. WSO2IS stores permission data in its own database and manage it through JDBCAuthorizationManager. However it only supports for RBAC. (in XACML you can use ABAC). you can see the WSDL by pointing to https://localhost:9443/services/AuthorizationAdminService?wsdl.
Note : You can see the WSDL of this service. But it is not exposed by default. Please go through this OS question. Also "AuthorizationAdminService" service available only after WSO2IS 450 version.