AWS authenticates accesses to its various API endpoints using a protocol consisting (on the client side) of user id, user secret and volatile session token. This protocol is lightweight and easy to use (as compared to SAML or GSSAPI based authentication), so I would like to use a similar approach with some web services not directly connected to AWS.
So the questions are:
Had Amazon published regarding the details of its secure token protocol somewhere?
Are there any implementations (desirably open source) of similarly simple and lightweight claim based authentication protocols? In particular, I'm interested in implementations that do not require complex external dependencies.
The presently used AWS authentication mechanism is called SigV4 and is documented in some details here:
http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
There exist several "stand alone" (not bundled with the rest of AWS api) libraries to handle SigV4 tokens on github.
Related
I'm facing the following scenario:
There are several companies each one with its own OpenID Connect Identity Provider (IdP) which federates users from their respetive LDAP servers. These providers are used to perform SSO in the context of each company.
There's a requirement to create an application that offers a common login for all the users of those companies.
The idea is to provision or use an existing cloud solution (AWS Cognito, Google Cloud Identity, etc., ...) that offers a shared login screen but delegates/federates the actual login to each of the company IdPs.
Are there any solutions that allows this?
Could you point at any documentation/guide to implement it?
This is just standard OAuth and OpenID Connect behaviour, with these 3 roles:
Application, uses OIDC to redirect to ...
An Authorization Server, which you own, and which redirects to ...
An Identity Provider
So you need a standards based authorization server and to configure your app as an OAuth Client. Then include the openid scope so that OpenID Connect is used. SAML based identity providers can also be supported in this flow, even though your app only uses OIDC.
The way to manage this with best usability, is for the authorization server to present a usernane authenticator, which captures a user identifier first, such as an email. It then runs some custom logic, such as a user lookup, to determine which IDP to route the user to. The user then authenticates at the IDP.
After authentication, the IDP issues tokens to the authorization server, which validates them, then issues its own tokens to the application. In particular the app gets an access token whose scopes and claims you can control. Your app can then send these to your APIs, which can authorize access to business data correctly.
Aim for behaviour similar to that above, or adjust it based on your preferences. Then trial it, eg with a cloud or Docker based authorization server, and ensure that you select one with sufficient extensibility to meet your requirements.
Note also that Stack Overflow answers should not recommend particular vendors, so I have not done so.
There is a solution called cloudpods using which you can manage both on-prem and public cloud resources. Cloudpods supports integration with multiple cloud providers like aws, GCP, azure, alibaba and etc.,
Is there any OpenID Connect Identity Provider that can delegate autentication to other OpenID Connect IdPs?
Yes. https://github.com/apereo/cas is one. You can set it up as an OIDC identity provider and have it then delegate to as many OIDC Identity providers as you want.
I wanted to know if GCP supports multi-factor authentication (MFA) or 2-Step Verification (2SV) for cloud API calls.
From this link: https://cloud.google.com/docs/authentication, I read the following:
"Google Cloud APIs only accept requests from registered applications, which are uniquely identifiable applications that present a credential at the time of the request. Requests from anonymous applications are rejected.
Application credentials provide the required information about the caller making a request to a Google Cloud API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys."
However, it does not specify if I can use these factors simultaneously.
Thanks in advance,
Vijay
I wanted to check we can use a custom node.js implementation as wrapper for exposing the API's for identity and user management using aws cognito.
We already have a bunch of API's (on ASP.NET identity) and would not want to change anything in the downstream systems. We would like keep the API signatures and just move the implementation to node.js server for identity and user management
The current examples on awslabs and the documentation is mainly targeted for using this under a web/mobile applications. Is there any guideline/sample if we can use this as an API wrapper.
Apologies if I'm misinterpreting the question, but are you just trying to use Cognito with node instead of on a web app? Are you asking about Cognito federated identities or Cognito user pools?
If federated identities, yes, that will be fine and you shouldn't have any issues. All of the APIs are available in the node SDK, and the general flow should be identical to any other non mobile flow.
If you're asking about user pools, it's a bit trickier. Authentication uses SRP to validate passwords, and the mobile/web SDKs do this for you. Outside of those, you'd have to implement it yourself, which is no fun at all. You could rip out the code that does it from any one of those SDKs (each are published on Github) to help with that. Alternatively, you could use admin no srp authentication, which carries the risk of sending the username/password over the wire but passes off the authentication to the Cognito server.
I am trying to use wso2 identification server as authorization center:
there are several system, they share same user information
I want them to utilize identification server to perform authentication and authorization
In current research, I have found the API which I can use to perform authentication, and also soap api to perform user/group/permission management soap api
But I could not find the api which I can use to perform authorization request? So far those code are written in AuthrozationMgrJDBCImpl, there is no soap API expose those API.
Is there anybody know such API?
Yes.. WSO2 Identity Server can be used as centralized authorization management. There are two approaches
Use XACML capabilities of the WSO2IS. This is the standard way. WSO2IS can act as XACML PDP. You can create policies for different appolications. PDP is exposed as web service API, Application can call this web service API to receive authorization decision based on the policies. You can see the WSDL by pointing to https://localhost:9443/services/EntitlementService?wsdl. You can find more details on XACML and WSO2IS from here.
Use "AuthorizationAdminService" services. This is a custom way that you have referred. WSO2IS stores permission data in its own database and manage it through JDBCAuthorizationManager. However it only supports for RBAC. (in XACML you can use ABAC). you can see the WSDL by pointing to https://localhost:9443/services/AuthorizationAdminService?wsdl.
Note : You can see the WSDL of this service. But it is not exposed by default. Please go through this OS question. Also "AuthorizationAdminService" service available only after WSO2IS 450 version.
I'd like to run some stateless Java services on the Bitnami stack on AWS that will be consumed by apps... and of course to access these I'd need some type of authentication and authorization.
Previously with this type of architecture I've chucked an API gateway in front of them, to which the developer would subscribe. And AWS provides an API gateway, nice.
HOWEVER, while reading up on how to set this up on AWS I came across 'AWS Cognito' which is supposedly designed specifically for this same purpose.
So my question is are these two solutions comparable - are they doing the same thing?
And if-so, then what are the pros and cons of each, when would choose one over the other?
Basically because you are targeting the user level you should use Cognito; as it does provide you with authentication, reseting passwords for the user, and of course
signing up workflow. Moreover it provides user information to the admin, as well as two factor authentication, by using the user's mobile phone.
If you want to authorize the application to use an api then you use the API Gateaway.
The Cognito, is designed for user interaction it has an api for Java, JavaScript, iOS, and Android, so you can
implement the interaction with it at any level; as you wish. You also not getting changed if your user base is less than 50k.