My Scenario:
I have 2 services
Account Service: ASP.NET Web API with Identity Framework that is responsible for individual users to register, login, password reset, change password.. etc.
Order Service: WCF Restful Service that is responsible for Business Logic
What I am trying to do is as follow:
1) Have my mobile client register/login via Account Service to obtain an Individual Account Bearer Token
2) Upon Client send request to Order Service, they will pass this Bearer Token in the Header
My Question is: How can my WCF service validate this Bearer Token? Please feel free to correct my architecture, and or Sample code would be great!
I will tell you work around
you will create simple API controller WCFAuthorizationController which contains only one simple Action IsAuthorizedBearerToken( that will check if this bearer token is valid or not
Then update behavior for wcf service or add any custom configuration
to call /WCFAuthorization/IsAuthorizedBearerToken before executing operation contract, so
if action IsAuthorizedBearerToken return status code 401 (== not authorized) you will return not authorized to mobile agent
else you will execute WCF call
I hope this is clear
Related
Here is my understanding of the token exchange flow:
First i should follow this section of the docs: https://developers.tapkey.io/api/authentication/identity_providers/
After I created identity provider, I want to register my test user using this endpoint https://developers.tapkey.io/openapi/tapkey_access_management_web_api_v1/#/Identity%20Provider%20Users/OwnerIdentityProviderUsers_Put
First question related to the endpoint above is, how do i authorize this request? On swagger documentation there is only clientCredential and AuthorizationCodeAuth options. Does this mean i need one of this types of authorization, so that i can authorize request from my server (from application point of view, lets say).
For endpoints like:
List all owners
Register user
etc.
Now let's say i registered a user, using client credentials to authorize a request.
I am trying to login, following Token Exchange section in docs.
There it says I need to use this POST https://login.tapkey.com/connect/token, i am formatting the jwt as said in the docs, and sending to this endpoint. I am using client_id from my token exchange oAuth client. I got an error with the following message, which is pretty clear to me, but i can't find the solution for it.
{ error: 'unauthorized_client', error_description: 'Client not authorized' }
Mostly, the listet authentication types in the swagger documents are to be able to test the endpoints within the swagger ui. So it is possible to create a oAuth client, pass it to the swagger ui and test the endpoints.
The endpoints itself do not differ between authentication type.
Depending on the purposes the authentication method should be used.
Authorization Code Flow
If you have a service, which works on behalf of a Tapkey user, the authorization code flow should be used.
E.g. you have a booking platform, and your customer should be able to grant access to locks owned by them.
It is not possible to use the authorization code flow to login into the Tapkey Mobile SDK and unlock locks. An authorization client can not request the therefore required scopes.
Client Credential Flow
For server 2 server communication to manage your services, e.g. for adding identity provider users or managing locks which are owned by your services, then the client credential flow would be a good choice.
For that, the client credential client must be authorized as an administrator to the specific locking system.
Token Exchange Flow
To login your users into your app and using the Tapkey Mobile SDK to unlock locks, you have to sign your own JWT tokens on your server and exchange then on the client with the token exchange flow.
Please be aware: It is not possible to use the authorization code flow to sign in as a Tapkey user and then exchange it via token exchange.
I am having WCF client which consumes SOAP based web service which has OAuth authentication. My WCF service gets consumed by some other service but my issue is about authentication when it consumes web service.
My WCF client, consumes web service using proxy generated classes approach. I am able to get Bearer token for OAuth authentication and pass it to request http header as well however, proxy generated class expects binding configuration as well.
var client = new ExchangeServicePortTypeClient("EndPointConfigurationName", "WebServiceURL")
I have tried basicHttpBinding, customBinding (AuthenticationMode="IssuedToken/IssuedTokenForCertificate/IssuedTokenOverTransport"), wsHttpBinding (security mode Message & ClientCredentialType 'IssuedToken" but no luck.
I am assuming due to wrong not supported binding configuration authorization bearer token I am sending is not getting accounted.
I am able to consume this web service from console application successfully where I am not using proxy generated classes approach. So I just required to pass authorization bearer token in header and no binding information.
request.Headers.Add("Authorization", "Bearer " + accessToken);
Can someone please suggest what binding information I should add in my WCF client which can support OAuth authentication ?
Thanks,
I have the MultiTenant web application that internally using different services and Restapi Service and login purpose username and password validation using WSO2IS and LDAP.LDAP is configured with WSO2IS UserStore.So when customer login into web application right now implemented like checking username and password is present in LDAP directory or not. Based on the LDAP directory response logging into the application.
Now I want to implement token-based authentication when client login into the application by using he/she tenant user credential, get the token from WSO2IS server, send token at the client side. So that while calling any service or RestApi call with using that token. If after time limit if it expire than regenerate the token And when the request to any service and Rest API validate token is valid or not. So if the valid token then only backend service send response otherwise send failure response.
I am stuck in the correct approach. I need exact approach for successfully implement authorization identity management service with WSO2 to handle access token for user validation and to validate Rest Service.
You can use OpenID Connect (OIDC) [1] in order to achieve your requirement.
OpenID Connect is an authentication protocol that is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
You can use WSO2 IS and integrate your client application with OIDC [2][3] and get an access token on behalf of the user to communicate with external APIs.
Also you can use the OAuth Introspection endpoint [4] of the WSO2 IS in order to validate the access tokens as for your requirements.
[1] https://openid.net/connect
[2] https://docs.wso2.com/display/IS570/OpenID+Connect
[3] https://docs.wso2.com/display/IS570/OpenID+Connect+Authentication
[4] https://docs.wso2.com/display/IS570/Invoke+the+OAuth+Introspection+Endpoint
I have web application which structure is as-
webapi : django web services [NOT REST] no security implemented
frontend : Angular2. authentication implemented via SAML
Database : Mongodb
Can you please suggest best way to secure webapi, as currently anyone can access web services who has server[api] url
It will be big help if you suggest the authentication and authorization flow because I am totally stuck.
Thanks in advance.
Implement an /authentication on your API which accepts Basic authentication. Make sure you do that over HTTPS. Username and password will be collected by your Angular app and sent back to /authentication. If the user authenticates, return a session token, for example JWT (check pyjwt).
All the following communications between the front and back should contain the token, which is issued only if the user authenticated. The token is inclued in the request headers and specifically in Authororization header using the Bearer schema:
Authorization: Bearer <token>
A JWT contains the username so you can use that on each future request. Furthermore, you are not required to keep record of the issued JWT since each one is self-contained and can have predetermined expiration data.
Is there a way to authenticate the Microsoft or google OAuth token in active directory without using an authentication server?
Here is the scenario:
A client app gets an Microsoft access_token from some external service.
Client app will make a call to some secured web API and pass that access_token along with the request header
If the access_token passed by client is valid then API will provide response to the client.
Is there a way to validate that access_token on API side?
My normal understanding about OAuth 2.0 is there needs to be an authentication server to which both the client and API would talk to as shown in the figure below:
But if the token is provided by some external service, Can we use it to validate our web API. Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.