While I see most of the service providers call webhooks with HMAC signature, the same service providers don't have HMAC supported in their own API. In fact, their API can be called just by passing the API secret in headers. For example, Stripe only accepts API secret in their API whereas Stripe calls webhooks with HMAC signature. Why Stripe does not support passing HMAC signature too while calling their APIs as it is done in their webhooks?
Related
We're going to expose a custom built API (.NET) through Azure API Management. We want to conform to well-known standards where ever possible, so we don't surprise our API consumers. The API is secured through an API key which users generate from APIM's Developer Portal.
My understanding is that the Authorization header should be used for authentication and authorization purposes.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
But strangely, API-Key is not included as an authentication scheme.
https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes
Should API consumers use an authorization header to authenticate?
E.g. Authorization: API-Key xxx-xxx
Or a custom header.
E.g. my-key:xxx-xxx
Technically, you shouldn't need any API-key if you have a token in the authorization header. I assume API-key/client and secret key are already used to generate a token. When the client sends token via an authorization header, the API owner validates your token and returns a response.
I would like to design a micro-services architecture with IBM connect where the outside clients need to pass a Bearer access token in an Authorization header (OAuth 2) and the gateway will pass a stored JWT (generated and stored during authorize call) with the authorized user's claims to the internal APIs.
Is there such a built-in configuration?
(For reference, WSO2 provides this exact behavior: https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT)
There is not such built in feature in IBM API Connect.
A possible implementation for the scenario that you mention, in IBM API Connect, could be:
An OAuth Provider API that contains the authorization and token endpoints of an OAuth flow (IBM API Connect has a built-in OAuth server) Implement an OAuth API Provider
The API that acts as a proxy of the backend microservice, secured by the OAuth provider API created before (so that way, access tokens are required to send requests to this API). In this API, implement a jwt-generate policy (which is a built-in policy in IBM API Connect) to generate JWT tokens. jwt-generate built-in policy
In this implementation you can add custom information to the access tokens generated by the OAuth provider API (such as the logged in user in the application, device id....), and use those values as claims when generating the JWT (oauth.resource-owner, client-id of the consumer application sending the requests....)
we plan to introduce an API management solution and we're currently setting up a proof of concept with WSO2 AM. We want to use the WSO2 API gateway to check whether a certain consumer application is allowed to use an API and to throttle the request rate.
I work on the identity workflow and I wonder how a consuming application can pass a JWT token to the backend service with WSO2-AM in between.
First, this is our current scenario:
Without API gateway
The consuming application gets a JWT token for its carbon user from an identity provider. The JWT contains some claims about the user, e.g. the roles he/she belongs to.
The app calls the service an passes the JWT token in the Authorization HTTP header like: Authorization: Bearer
The service validates the issuer and signature of the JWT and retrieves the claims from it.
So, this is pretty straight forward. Now we put an API gateway in between the application and the service:
With API gateway
The consuming application gets a JWT token for its carbon user from an identity provider.
The consuming application uses OAuth2 to get an access token for the following API calls. We can use the client_credentials grant type and simply pass the the client id and client secret. I haven't yet tried it, but we could possibly use the JWT grant type (see https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type) and use the JWT for passing user information to the API gateway.
The API gateway validates the JWT against the public key of the identity provider when using the JWT grant type.
An access token is returned to the app.
The app sends an API request to the gateway and passes the access token in the Authorization HTTP header.
The gateway validates the access token.
The gateway forwards the API request to the service.
And there is my problem: How can the JWT from 1/2. be passed to the service?
There is a documentation for "Passing Enduser Attributes to the Backend Using JWT" (see https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT), but this would introduce a new JWT, issued and signed by WSO2-AM, and I'm not sure, whether this JWT contains all information from the JWT used to create the access token (or even the original JWT).
Another way I could think of is using a custom HTTP header for passing the JWT through the gateway to the service. I cannot use the Authorization header (as we do without the API gateway), because WSO2-AM expects the access token in that header.
Since I'm not happy with either solutions, I want to ask the experts: How would you solve this?
Thanks,
Torsten
The only possibility I can think of is to send the JWT token in a custom Header for the backend service.
I am new to wso2 api, I have created api using api publisher,I am generated api client_id and client_secrete,It works fine fine wso2 api rest client,my question is How to call rest service using restful client?(to use wso2 client_id and client_secret)
Thanks,
Ram
Generally we don't use client_id and client_secret for calling REST APIs. Those are used to generate an OAuth token to invoke REST APIs. What you have to do is get the generated OAuth token in API Store and invoke the API. For that you need to set "Authorization" header in your HTTP request as below.
"Authorization" : "Bearer Generated_OAuth_Token"
This is just a basic OAuth scenario. I strongly recommend you to research more on OAuth protocol.
Currently we have a REST API and a client, where the client authenticates the user once through HTTPS and receives an access-token. Then for each request that requires authentication, the client creates an HMAC from the request body with the URL and query string and a shared secret between the server and client. Is there any need for me to take this further and implement OAuth between my own client - API?
You appear to be performing authentication in an OAuth(v1.0a) like way already. However I would recommend you include a timestamp and a nonce in your HMAC creation and check these in your API to prevent replay attacks.