If WS-Federation/WS-Trust are deployed as part of a service to expose consumable ADFS endpoints, is there a dependency on Kerberos?
For example, if Web Application Proxy (WAP) servers were being implemented as part of an ADFS roll-out and the WAP severs were not joined to the domain, will this limit the ability to consume WS-Federation/WS-Trust endpoints exposed by ADFS?
No, WS-Federation/WS-Trust is independent of Kerberos. Kerberos is just one option out of a range of authentication mechanisms that can be used in combination with WS-Federation/WS-Trust but it is not the only one, nor is it a requirement. Also, proxy servers may be deployed independently of the authentication mechanisms for WS-Federation/WS-Trust unless you want to apply restrictions on those mechanisms.
Related
We currently have multiple APIs that are not behind a gateway. The APIs that are exposed publicly use OpenID Connect for authentication and claims authorization. Some of the APIs are internal only and are network secured behind a firewall.
We plan to setup Kong Gateway Enterprise in front of our APIs. We should be able to centralize token validation from public clients at the gateway. We could possibly centralize some basic authorization as well (e.g. scopes). Some logic will probably still need to happen in the upstream API. So, those APIs will still need to know the context of the caller (client and user).
Ideally, we would like to be able to have APIs that can be exposed publicly and also called internally to avoid duplicating logic. I'd like to understand some secure approaches for making this happen with Kong. Exactly how to setup the system behind the gateway is still unclear to me.
Some questions I have are:
Should we have both an internal gateway and an external? Is there guidance on how to choose when to create separate gateways?
If we have multiple upstream services in a chain, how do you pass along the auth context?
Custom headers?
Pass along the original JWT?
How can we make a service securely respond to both internal and external calls?
We could setup up a mesh and use mTLS but wouldn't the method of passing the auth context be different between mTLS and the gateway?
We could set custom headers from Kong and have other internal services render them as well. But since this isn't in a JWT, aren't we loosing authenticity of the claims?
We could have every caller, including internal services, get their own token but that could make the number of clients and secrets difficult to manage. Plus, it doesn't handle the situation when those services are still acting on behalf of the user as a part of an earlier request.
Or we could continue to keep separate internal and external services but duplicate some logic.
Some other possibly helpful notes:
There is no other existing PKI other than our OIDC provider.
Services will not all be containerized. Think IIS on EC2.
Services are mostly REST-ish.
There is a lot there to unpack here, and the answer is: it depends
Generally, you should expose the bare minimum API externally, so a separate gateway in the DMZ with only the API endpoints required by external clients. Your generally going to be making more internal changes so you don't want to expose a sensitive endpoint by accident.
Don’t be too concerned about duplication when it comes to APIs, it’s quite common to have multiple API gateways, even egress gateways for external communication. There are patterns like (BFF - Backend for frontend pattern) where each client has its own gateway for orchestration, security, routing, logging, auditing. The more clients are isolated from each other the easier and less risky it is to make API changes.
In regards to propagating the Auth context, it really comes down to trust, and how secure your network and internal actors are. If you're using a custom header then you have to consider the "Confused Deputy Problem". Using a signed JWT solves that, but if the token gets leaked it can be used maliciously against any service in the chain.
You can use RFC8693 Token exchange to mitigate that and even combine it with MTLS, but again that could be overkill for your app. If the JWT is handled by an external client, it becomes even riskier. In that case, it should ideally be opaque and only accepted by the external-facing gateway. That GW can then exchange it for a new token for all internal communication.
I am wondering whether it is possible to implement a Cloud Foundry-hosted service that other CF applications can subscribe to, with the following requirements, and (more or less) within the existing CF facilities...
The context of the question is converting an existing CF Java based appication to a reusable service that can be deployed only once and reused by other (mulually unrelated) applications, instead of every application (or application set) having to incorporate a privately deployed instance of the service.
In a nutshell, subscribing applications should be able to store their data in the service, and interactive users to access this data. (An example of the data could be messages for a particular user, work items etc. sent by the subscribing applications, and the service is responsible for aggregating them on per-user basis and displaying to a logged-on user the summary of data targeted at him.)
Thus, requirements would be:
CF-hosted applications should be able to dynamically subscribe to (and later unsubscribe from) the service.
Subscribing applications may either share or have different identity providers (IdP's) and UAA instances.
The service has two kinds of endpoints:
endpoints intended for app2service (REST etc.) calls by the subscribing applications
endpoints intended for interactive access by users registred in the IdPs of the subscribing applications
Service's interactive endpoints are (preferably) protected by scopes. It must be (preferably) possible for the service to export its scope definitions to the UAAs of the subscribing applications (or rather for subscribing applications/UAAs to import them at the time of design, deployment or subscription), and for the administrator of a given UAA to assign service-defined scopes to appropriate users registered through this UAA/IdP combo (i.e. one associated with the subscribing application).
4.1. At the barest minimum, interactive endpoints may be left unprotected by scopes, but they should require and trigger authentication (e.g. having "intercept-url access=isAuthenticated()" in their Spring security descriptors). The servlet should be able to retrieve JWT token and identify the user making the request.
There should be a way for a service to associate between userid namespaces and subscription ids.
Two different subscription contexts associated with two different IdP's may both have user "John" but these are two different Johns.
So when user John arrives to an interactive endpoint of the service, the service needs to be able to figure out which IdP/subscription set (and hence data set) this John maps to.
Or, conversely, when a subscribed app performs an app2service call, the service should be able to identify the subscription id of the caller, in an authenticated way, and then figure out which IdP it is associated with.
Either way, it is essential that subscription mechanism provides for an establishment of a mapping between a subscription id and IdP used by a subscribing application; the service will need to know this mapping.
5.1. Not too sure how exactly things are to work out when two different UAA instances point to the same backing IdP.
Perhaps UAA can present its instance identity, but can it be made to present (in the generated JWT tokens) the identity of the backing IdP, and can the latter be signed?
Is it something that existing CF facilities provide for or that can be implemented on top of them with some ease?
Thanks.
We are developing a merchant application in that we have various modules like Schedule, Booking, Invoice e.t.c, each of this module are runs in different server, those are exposed through as RESTful granular services. UI layer will communicate with these granular service accordingly. To identify the request and redirect to specific micro service runs in service layer of various sever we have created a service gateway. Some of the service required data manipulation on the go which is presently accomplished through Mule ESB and some routing activities are also managed through it.
Actual purpose of the Service gateway is to match the request with service dictionary available and redirect to the respective micro service, at present its been developed in j2ee framework and runs in wildfly server. So to achieve the same process in light weight manner we come across a micro service manager like"getKong" and Customising "nginx" server to manage microservices, Mule ESB.
Along with Service Bus management is it advisable to use the Mule ESB as MicroService maanager as like getKong or any other valuable suggestion ?
In my personal opinion, you have three options:
If you don't need to perform authentication/authorization or/and
Throttling and your routing can be quite complex/complicated than is
completely fine to do it in Mule ESB.
If you do just URL rewrite nginx is probally the best choice for
minimum overhead and maximum performances.
If you really need an API manager with all the rich features than is
fine getKong or, if you want to stay in the MuleSoft
world and your are willing to pay, you can have a look at API
Gateway.
Hope this helps
AWS authenticates accesses to its various API endpoints using a protocol consisting (on the client side) of user id, user secret and volatile session token. This protocol is lightweight and easy to use (as compared to SAML or GSSAPI based authentication), so I would like to use a similar approach with some web services not directly connected to AWS.
So the questions are:
Had Amazon published regarding the details of its secure token protocol somewhere?
Are there any implementations (desirably open source) of similarly simple and lightweight claim based authentication protocols? In particular, I'm interested in implementations that do not require complex external dependencies.
The presently used AWS authentication mechanism is called SigV4 and is documented in some details here:
http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
There exist several "stand alone" (not bundled with the rest of AWS api) libraries to handle SigV4 tokens on github.
I'm working on developing my first SOA web-based application. I'm extremely new to SOA and still trying to wrap my head around best design principles for service design, especially in the way that services should talk to another.
The current problem I'm trying to figure out has to do with authentication and authorization. Lets say I have a trivial user service and event service, where the event service represents events in a calendar. Is it general practice to have the event service call the user service to authorize the request? Or, would it be better practice to implement user authorization on a system that exists between the client and the requested service? The system, which is essentially just another service, checks to user credentials to make sure they have access to the requested action (GET events/1, etc) and if so, sends the request to the service. This service could also act as a central load balancer and cache...I just like the idea of keeping user logic outside of each specific service.
You can use siteminder as authentication and authorization. Only the client who has valid token can invoke the service. you could also have roles assigned in siteminder.