I have an OpenIdConnect identity provider hooked up to the API Manager. I am able to authenticate and retrieve an access token using the authorization_code and implicit grant types. The access token created by the OpenIdConnect IP is different from the access token returned by the API Manager Gateway. As I understand it, the key manager won't pass through the access token from the OpenIdConnect IP but will store it and send a generated access token from the API Manager. The API Manager access token should reference the stored token from my OpenIdConnect IP.
Here is the problem: when I try to connect to a resource endpoint on the API Manager Gateway with the WSO2 access token, the OpenIdConnect IP access token never gets passed back to the backend server. How can I get the OpenIdConnect IP access token to the backend servers?
Related
I need to develop a private API gateway at the company where I work.
What left me in doubt is that when using Amazon Cognito's OAuth 2.0, it generates a URL for authentication.
But I didn't find anything on the web talking about such an authentication for a private API.
Will this Amazon Cognito authentication URL always be exposed on the internet? Can I develop a private API with a Cognito private authentication URL?
You can have a private API with public authentication, but there is no concept of private authentication with the Cognito User Pools hosted UI. End users will be able to authenticate, but not call your API unless they are in the VPC. This blog describes an approach if you don't use the hosted UI.
I have a project where I am hosting an ASP.NET MVC site on an AWS EC2 instance behind an AWS application load balancer (ALB).
I have an ALB listener "Authenticate" rule that takes any traffic that does not have a valid cookie and forwards it to the Azure AD OAuth provider (aka OIDC authentication). The authentication works well, and goes as follows:
HTTPS traffic hits my ALB and, since there was no previous OIDC authentication, it forwards the user to Microsoft's Azure AD authentication page for my Azure AD tenant.
On successful authentication, Azure AD forwards the response to my ALB's response URL. This is where the Azure AD OAuth flow terminates.
The AWS ALB generates its own OAuth token, which includes my original Azure AD username and claims, signs the JWT with its own key, and forwards the request to my EC2 instance via a target group, with additional HTTP headers (X-Amzn-*) which include the AWS token info.
However, I cannot figure out how to sign the authenticated user out. I have tried:
Using Azure AD's own "oauth2/v2.0/logout" URL with information about my tenant and client ID (application ID) and then specifying a logout page I have hosted behind my AWS ALB. This only logs out the Azure AD user, but when I return to my site home page the AWS ALB has persisted info via its own cookie and forwards the traffic with the old AWS JWT without redirecting to Azure AD (even if the "Exp" timestamp in the JWT has passed). These subsequent requests contain a cookie named "AWSELBAuthSessionCookie-0" whose value is the entire JWT encoded in Base64, but with a cookie expiration of 1 week in the future.
Clearing the "AWSELBAuthSessionCookie-0" cookie both on the server side of my application and also in the client code (by setting the expiration to some time in the past) prior to hitting my website home page again, but the "AWSELBAuthSessionCookie-0" is somehow magically restored containing the old, expired JWT.
Is there a prescribed way to logout of an AWS ALB-authenticated session that used Azure AD (with a custom tenant, not the public 'common' tenant) as the OIDC provider?
I configured a session timeout as short as 1 second to prevent users from reusing the old cookie.
The AWSELBAuthSessionCookie-0 is a session cookie with the Secure and HttpOnly attributes, issued by the load balancer. As this post points out, the cookie must be changed only on the issuing server.
I am trying to run a Cloud Run / Cloud Functions service through Google API Gateway. I am using Firebase Authentication on the gateway as security.
Initially, I had my services private and was getting 403. It gave me 200 once I added allUsers with Cloud Run Invoker to the permissions of the service I am trying to invoke. So I am a bit confused here. Part of the reason I am using API Gateway with Firebase auth is to protect it against unauthorised calls. And for Firebase auth to work, I had to add allUsers, making it public. My understanding was that the API Gateway alone would be public while all the backend services that it invokes would be private. In this case, the service can be directly invoked by anyone, rendering the security at the API Gateway useless. How can I set up the backend to be private and only respond to authenticated calls through API Gateway?
I am trying to implement ALB with OIDC for the client credentials grant type.
I have given the issuer, token endpoint, client ID, client secret, authorization endpoint and user info endpoint in the Listeners tab of the ALB.
But I get a 400 invalid redirect_uri while trying to access the URL.
We explored ALB for client credentials authentication but failed to implement that. After checking with the AWS support team, we got confirmation that AWS ALB doesn't support the client credentials authentication mechanism and supports only the authentication code flow.
We switched to AWS API Gateway with a Lambda authoriser to implement the client credentials flow.
Architecture: strictly serverless
Cloud: AWS
I have an application load balancer (internal) in front of a private API Gateway, and the requirement is to protect the load balancer endpoint with the enterprise SAML IdP.
Lambdas and S3 are allowed, but Route 53 and EC2 are not whitelisted for use on this account.
The problem here is: what would be the relay state (final target) after SAML authentication? As the internal ALB and the private API Gateway endpoints aren't visible outside the AWS landscape, I don't understand how to land on the ALB endpoint once the user is authenticated with the enterprise IdP.
Many thanks!
To use the on-premise enterprise IdP with your ALB, the IdP and ALB must be able to talk to each other (via VPN or Direct Connect). You would then establish a trust relationship between your AWS account and the IdP and define an authentication action in a listener rule on your ALB.
Elastic Load Balancing uses the OIDC authorization code flow:
When users direct requests to your ALB, the ALB authentication action will check if the session cookie exists on the incoming requests and check its validity. If the session cookie is set and valid then the ALB will route the request to the proper target group containing identity information (JWT token via X-AMZN-OIDC-* headers) that backend instances can use to identify the user. If the cookie is not present, the load balancer redirects the user to the IdP authorization endpoint so that the IdP can authenticate the user.
The IdP then authenticates the user and redirects the user back to the load balancer with an authorization code. The ALB presents the code to the IdP token endpoint to get the ID token and access token. After the load balancer validates the ID token, it exchanges the access token with the IdP user info endpoint to get the user claims. The load balancer creates the authentication session cookie and sends it to the client so that the client can use it on subsequent requests.
Source:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/