What is the best practice on consuming the AM service from multiple servers?
Our application is running on multiple servers. This application want to consume a service on the API Manager. What happens if the access token is expired? If it asking AM to generate a new key, this key must be distributed to the others servers.
If access token is expired, application must be call to /token end point with refresh token that you have received and grant a new access token. It would return new access token and refresh token. However, as your application is running on multiple server. I guess access token keys that you have granted must be distributed (or persisted some where to share it) among server to share it. Following are the curl commands to grant access token with refresh token. But, if you are using client credential grant type, there would not be an access token
curl --user qtHVNChL_cMhuhUl9ZCvFEuFwlUa:oPWeFHA9fZOupg1ZwjfWODJXueIa -k -d "grant_type=refresh_token&refresh_token=9868904f301b16589f706eef64661da6" -H "Content-Type: application/x-www-form-urlencoded" https://{ip}:{port}/oauth2/token
{"token_type":"bearer","expires_in":3600,"refresh_token":"c928b8255ae52681415ef44a0dfccd7","access_token":"66396cf3f14dfc515a94191178d3d7"}asela#asela:~/is/450/wso2is-4.5.0/bin$
Related
In WSO2 Identity Server, I've a user whose credentials are shared between some people.
When I login using these credentials, everyone else logs out
Is there anyway to change this ?
When you are having JWT access tokens configured, it revokes the previously issued access token and issues a new access token when the same user tries to log in to the same application again. Because WSO2 IS has a constraint that the same user, same application, and same OAuth2 scope combination could have only one active access token.
To mitigate the issue you are facing while trying to login to the same application from different devices, you can configure "Access Token Binding Type" as "SSO Session Based". Then it will allow you to have access tokens per each SSO session on each browser/device.
You can find this configuration under the OAuth/OpenID Connect Configuration section of the service provider. Also, read more from the documentation.
I am trying to build a web application where a user log's in and access protected data in cloud storage bucket (firebase authentication used for login). ACL is set for objects in cloud storage. The user should be able to read only the objects that he has access to.
I want to get Bearer access token for the user, the access token should have his scopes, when I send a REST request with the bearer token, I should be able to read the objects in bucket for which he has access to, if the user don't have access, I should get access denied message. I cant use service account here as I am getting data specific to a user.
How can I do this, suggestions please and Thanks in advance.
For you to be able to use a Bearer token with your application, it will be by using the OAuth 2.0. This is the authentication method used by Cloud Storage to allow access via REST calls to the system. For you to use it, you need to add this below line of code into the headers of every request that you will be doing, that requires authentication - as described in the official documentation here.
Authorization: Bearer <oauth2_token>
This is the way of providing authentication via token in Cloud Storage. In addition to that, for you to generate the token, you can try two different modes.
One it's to use the OAuth 2.0 Playground, where you can specify the API you want the authorization token to.
The other one, as specified here, it's to run the command gcloud auth print-access-token, so you can get an access token for the gcloud default configuration.
Once you have the token and configure the header for your requests with it, you should be good to use it for the requests.
Let me know if the information helped you!
I followed the tutorial https://github.com/jcbsmpsn/gke-rbac-walkthrough to grant a service account access to GKE and it worked but later the service account token expired and I had to renew it. Is there a way to make the token non expiry?
When access token expires, refresh tokens can be used to obtain new access tokens. It is the Authorization Server that will issue a refresh token to the client which is then used to obtain a new access token. This is done at (d) as per this Protocol Flow, basically the refresh token is included with the access token when it is being issued.
This documentation provides more details regarding the process of refreshing an access token.
I have an EC2 instance running a Node.js Express backend that controls CRUD operations to an RDS instance. I am doing a mobile application client (which I am authenticating users through cognito with the client sdk). What would be the best way to authenticate my mobile app users so that only authenticated users can access my Node.js Express functions running in EC2? Basically looking for something like IAM Lambda authentication (but for this server application, rather than a serverless architecture).
What would be the best way to authenticate my mobile app users so that only authenticated users can access my Node.js Express functions running in EC2
Authenticating with Cognito you shoud be able to get an access token (id token and access token) once the user is authenticated.
The token is to be fetched by the mobile client after the user is authenticated, see https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html . This token can be sent along every request to the nodejs services. Please note the token has an expiration time and the client needs to get another one when the token is expired.
The token contains user identity, issuer, expiration time and (Cognito) user groups
The services must validate the token (issuer, expiration, signature) and trust the token (or not) based on the validation.
Validation example: https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-verification) in this example the public key is read from a certificate. Amazon provides only the public key properties (e,n) https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/, so you will have to complete the public key yourself, example https://github.com/rzcoder/node-rsa
Edit: more detailed clarifications
We have REST based web services hosted on Salesforce.com. We are able to access the web services by using workbench REST explorer but we can't access the web service directly in browser and getting error "INVALID_SESSION_ID". Please provide any pointers to access this service directly in browser. We have Saleforce user id , password and Security Token. We are passing security token in the header to access the service directly in the browser but getting "INVALID_SESSION_ID".
-H "Authorization: Bearer XXXXXXXXXX" where XXXXXXXXX is the security token.
Thanks in advance.
Regards,
Parveen
Actually you need to use oauth Access token in the header rather than security token. So create a app on salesforce and enable oauth on that app. Now you need to get access token for your salesforce account. After that pass this access token in the header (like you are passing security token).
This will work as i have used this.