Options for securing REST based service for iOS/Android app - web-services

I am working on a web application implementing online shopping functionality. I am using Struts2 + Spring + Hibernate. I am using Spring security to implement authorization and authentication.
Now my client wants to develop an iOS/Android App for the same where users of my web application can login and use some of the functionality using the app.
Mobile App will access the REST based web services on JSON which will be implemented using Jersey. Here are my questions:
Users are going to have a role from three of the roles. Depending on the role they should be able to access the specific resources. I am thinking about using Spring Security 2.0 with Jersey and authenticate the users using OAuth 2.0. Is OAuth 2.0 right applicable choice?
Also, Jersey doesn't support oAuth 2.0 on server side. Still I guess I should be able to use any other OAuth provider to secure Jersey services right?
If oAuth is not the right choice then what I can use to provide role based authentication and authorization for Mobile App users to my REST web services.

Don't forget you can use simple HTTP BASIC auth (with SSL, of course).
For comparsions of OAuth versions, see this.

After having to deal with the same problem I did some research and currently I can see 3 solutions.
Pivotal actually have a piece of software which they use for their cloudfoundry services, called UAA (User Account and Authentication) Server. You can deploy this to your own server, and it's role is basically to provide OAuth2 access tokens. You will need to create your own Resource Server which will serve different resources if the correct OAuth token is provided in the request. (they have a couple of sample apps in the UAA repo which you can use) https://github.com/cloudfoundry/uaa
Google actually provide services like that. If you host your backend on appengine you can use cloud endpoints to expose your API and they take care of Authentication and Authorization.
https://cloud.google.com/appengine/docs/java/endpoints/
You can create your own architecture. Basic approach would be to have an Authorization server (to generate tokens), an Resource Server (to serve your API) and some sort of storage for users and tokens.
Hope that helps a bit, I'm personally going to go with the UAA to try it out.

Related

Is there any OpenID Connect Identity Provider that can delegate autentication to other OpenID Connect IdPs?

I'm facing the following scenario:
There are several companies each one with its own OpenID Connect Identity Provider (IdP) which federates users from their respetive LDAP servers. These providers are used to perform SSO in the context of each company.
There's a requirement to create an application that offers a common login for all the users of those companies.
The idea is to provision or use an existing cloud solution (AWS Cognito, Google Cloud Identity, etc., ...) that offers a shared login screen but delegates/federates the actual login to each of the company IdPs.
Are there any solutions that allows this?
Could you point at any documentation/guide to implement it?
This is just standard OAuth and OpenID Connect behaviour, with these 3 roles:
Application, uses OIDC to redirect to ...
An Authorization Server, which you own, and which redirects to ...
An Identity Provider
So you need a standards based authorization server and to configure your app as an OAuth Client. Then include the openid scope so that OpenID Connect is used. SAML based identity providers can also be supported in this flow, even though your app only uses OIDC.
The way to manage this with best usability, is for the authorization server to present a usernane authenticator, which captures a user identifier first, such as an email. It then runs some custom logic, such as a user lookup, to determine which IDP to route the user to. The user then authenticates at the IDP.
After authentication, the IDP issues tokens to the authorization server, which validates them, then issues its own tokens to the application. In particular the app gets an access token whose scopes and claims you can control. Your app can then send these to your APIs, which can authorize access to business data correctly.
Aim for behaviour similar to that above, or adjust it based on your preferences. Then trial it, eg with a cloud or Docker based authorization server, and ensure that you select one with sufficient extensibility to meet your requirements.
Note also that Stack Overflow answers should not recommend particular vendors, so I have not done so.
There is a solution called cloudpods using which you can manage both on-prem and public cloud resources. Cloudpods supports integration with multiple cloud providers like aws, GCP, azure, alibaba and etc.,
Is there any OpenID Connect Identity Provider that can delegate autentication to other OpenID Connect IdPs?
Yes. https://github.com/apereo/cas is one. You can set it up as an OIDC identity provider and have it then delegate to as many OIDC Identity providers as you want.

Programmatically create GCE OAuth2 Web App credentials

My company has a standard format for web apps, and I'm building a tool that programmatically provisions resources for new ones. The apps have federated login via Google, so I need to create a new OAuth2 web app clientId within Google/GCE. It can be done manually from the Credentials page like this, but I'd like to remove all manual steps from app setup.
So far I haven't been able to find any API endpoints or SDK functions that would allow me to create a new app, set its redirect url, etc. I have found the service account credentials API, but as far as I can tell that does not include functionality to provision new OAuth apps.
Is there an API I'm missing that can do CRUD operations on OAuth credentials/clientIds? Is there some other way to do this?

Creating Application for other enterprise to SSO and list directory users?

I am trying to create a web application. This app is a B2B PAS model.
One of the features of the app is, an organization using GSuite, can onboard our system and then all its users can log in to our software using their org's google ids. However, in the application, one user can assign task to another user in org. So our application should be able to list all users of the org too.
How can both these features be achieved?
I have tried the SAML approach, by creating a custom app from Gsuite admin console. However, can SAML be extended to also list users from the organizations which the SAML app belongs to? (Basically trying to use the Google Cloud Directory API)
What other alternative approaches should I look for if pure SAML doesn't work out?
P.S tech stack I'm using is Nest JS for backend and Angular for frontend
If I am understanding properly you are looking for the way to populate all users/ID from organization to your SAML App. Single sign-on (SSO) allows users to sign in to enterprise cloud applications using their managed Google account credentials, more details here in set up your own custom SAML application. It is also possible to Set up SSO using 3rd party IdPs.
However, Google supports several industry standard protocols like OAuth 2.0, OpenID Connect 1.0 and SAML 2.0 for handling authentication, authorization, and single sign-on. You can take a look at authenticating corporate users in a hybrid environment for more details.

Secure REST API deployed on Elastic Beanstalk

I have developed a set of Jersey-based REST APIs and deployed them to a Tomcat application server running on Elastic Beanstalk. Our application architecture requires that these REST APIs be accessed from an AngularJS web front end. The web front-end requires user authentication and we want all the accesses to these APIs to be restricted to users who are authenticated. This is a pretty common application architecture pattern.
Now mapping this architectural pattern to AWS services, we configure a Cognito user pool to authenticate users. We map this user pool to an identity pool, to which we attach a policy that allows for access to Beanstalk applications. From here, I don't know what to do next in order to configure secure access to REST APIs. A number of areas in this technical architecture are still not clear to me.
1) How to secure REST APIs on the server (i.e. AWS) side
Because we are using Tomcat container to host Jersey application, the "standard" JEE approach is to declare security constraint in web.xml, as demonstrated in the example below:
<security-constraint>
<web-resource-collection>
<url-pattern>/rest/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
I am wondering if this role-name "admin" will be ingested by Elastic beanstalk? So if I defined a role "admin" in IAM, and specify the above stanza in web.xml, will Tomcat app server at runtime perform the check? In my application, if I use standard SecurityContext.isUserInRole("admin"), SecurityContext.getUserPrincipal() etc, what kind of values will be returned?
2) web front end service invocation
because we are using AngularJS, the standard approach is to use the built-in $http service to invoke remote REST APIs. Suppose a user logs in through Cognito successfully, and obtains a JWT access token, how should we pass it to the http call to the REST API? Will AWS Javascript SDK automatically add proper HTTP headers to the $http service call or we need to handle this explicitly in our code?
I have researched quite a bit in the Elastic Beanstalk documentation, in particular the section of "integration with IAM service". However, the documentation does not seem to cover my questions above.
I would like to understand:
1) architecturally, how my questions above could be resolved in AWS Beanstalk. I am sure it can be done as it is a common architectural pattern. I just couldn't find the right answer in the documentation.
2) is there a pointer to some sample code? I went through some Java web app samples and built one by myself. However, these samples do not cover my requirements above.
Appreciate if any friend could enlighten me on this topic.
zx999

How do I add security to my WSO2 ESB?

Such as two factor authentication, 3rd party OAuth, Connecting to LDAP.
I have added the above security to Wso2 Identity Server. But please help me achieve the same with Wso2 ESB.
Thanks
Where you want to add the security? What you want to secure?
I see two parts where the user security may play role in ESB:
For the carbon (management) console, I may disappoint you, that may not be so simple. See the Custom carbon authentication . It seems you need to enable other authenticators or add your own (see the file authenticators.xml, they are disabled by default) and "patch" the carbon to use it. However - for our best practices the management console (and the management services) should be not accessible from untrusted network .
If you're talking about securing the web services, this is not something an end user (person) is accessing. Ok - excluding the REST services. There are multiple options available to secure web services. From basic authentication (and username token), to STS (security token service), signing and encrypting the payload. See Securing web services, however here we assume some knowledge about the service security.