Does anyone know how to add HMAC based authentication for WSO2 API Manager?
Background - We're rolling out WSO2 API Manager 1.3 in front of our publicly available web services and we need JavaScript applications (once authenticated) to be able to consume the services directly (not via a service proxy on their server to handle the OAuth authentication).
Does anyone know the easiest way to get this implemented in WSO2? We've started implementing an AbstractHandler and Authenticator but this seems overkill - someone must have done this or have some pointers on this?
Thank you very much in advance.
You can write your own handler which can implement the AbstractHandler.
Signature verification can be implemented as an API handler similar to the 'APIAuthenticationHandler'. The access token that was provided earlier can be used as the Mac Identifier. The consumer secret can be used as the Mac key, which is a shared secret between the consumer and the provider used to sign the normalized request string.
I do not know if this will help you but we needed our password hashes to be in PBKDF2. So I extended the JDBCUserStoreManager overriding only the preparePassword method. Inside it changed from MessageDigest to SecretKeyFactory for the PBKDF2WithHmacSHA1 algorithm. You can use Mac i guess?
This is possible by implementing a custom mediator and engaging it to the in-flow sequence. The API exposed by API Manager would be OAuth protected, but the actual backend would be HMAC protected. You can find more information on this in the article [1].
[1] https://wso2.com/library/article/2017/10/integrating-wso2-api-manager-with-a-hmac-secured-backend/
Related
I am trying to set up a custom client authenticator in WSO2 Identity Server, I would like to retrieve an access token with client_credentials specifying a specific scope and have a jwt token returned with custom claims inserted. I've tried writing my own Client Authenticator but I'm having some trouble getting the OSGi bundle to pick up correctly during WSO2 startup and all other attempts at customizing the auth flow have failed.
Is there anyone who would be able to point me in the right direction as to where I might find useful information on how to achieve what I'm trying to achieve? TIA.
Using WSO2 Identity Server, you are able to extend the client authentication implementation. You can write your own client authentication mechanism following a specification or any other standard.
Please follow the below doc link to create the custom client Authenticator:
https://is.docs.wso2.com/en/latest/learn/writing-a-new-oauth-client-authenticator/
Is there a way to "intercept" login or registration event in WSO2 Identity Server?
I know that wso2is architecture is quite complex, also there are some extension points, but I didn't find any information regarding how intercept those events.
I'd like to replicate something available in Gigya that allows to configure an API endpoint to call when one of those events happen (passing some information regarding the user)
Thanks
You can write a userstore listener to get this done. More details are available on wso2 official documentation.
https://docs.wso2.com/display/IS530/User+Store+Listeners
Can we implement a secured API in WSO2 ESB and can we provide an existing user's credential, (as a header) who is in ESB's use store, to access it?
This scenario can be done in ESB Proxy: Guide by providing a policy file. Can't we do the same in API too, if not what is the reason behind that?
If you are going to secure the APIs using Oauth2 you can use Oauth mediator but if you looking to use basic auth you need to write a class mediator(Here is an old article,you can get brief idea on implementing basic auth class mediator even though details are outdated )
We are currently evaluating the WSO2 API Manager (v1.6.0) to Front our internal APIs so they can be securely exposed to thirdparty developers and partners. Our internal APIs have implemented an HMAC-SHA1 based custom authorization scheme similar to AWS, where clients construct a HMAC-SHA1 hash string using the request url, the current timestamp and a secret key assigned to that client.
I would like to configure/customize the API Manager to employ this custom scheme when routing requests to our service endpoint. This way the API Manager operates as just another client to our internal API. What is the best way to achieve this? Currently the API Manager only supports Basic Auth (When I select "Secured" in the "Endpoint Security Scheme" drop-down when setting up my API). How do I update the API Manager so it:
Supports my custom scheme - constructs the Authorization Header using our custom scheme when calling our service endpoint
Maintains the secret key used for generating the about header within it's configuration/data store
Although this is a very very old question, I'm answering so it can be useful to someone, someday.
You can do this by either writing a custom handler or custom sequence. What you have to do is,
1) Send the token in a custom header.
2) Copy that token to Authorization header by a custom handler/sequence.
I have an application that uses Basic Authentication to authenticate and authorize service calls. I am setting up our WSO2 API Manager on a separate server but are unsure how to pass the base64 encryption from the API Manager through to my application to authorize certain service calls.
This information is not readily available in the documentation so I am not sure it is even supported.
Has anyone used this or knows how to achieve this?
If you want to provide your own authentication mechanism you can do this very easily by implementing the org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator and set it in authentication handlers chain.
You can refer the org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator for reference.
You can provide the credentials when you create an API at publisher. You can check the WSO2 documentation about adding an API. At publisher for "Endpoint Type" you have to select Secured and then need to provide username/password.
Authentication occurs in API Manager via the APIAuthenticationHandler, which is among the handlers defined in your API sequence definition (/repository/deployment/server/synapse-configs/default/api). To disable authentication for that particular API (since API Manager handles basic authentication itself), just remove or comment out the handler. Users should then provide the basic authentication required by the back-end service rather than the API Manager token, since they will no longer need it.