Background of the issue:
The project has microservice architecture and using APISIX as API gateway.
APISIX jwt-auth plugin is used for user authentication from gateway side. Recently we stared using google identity platform for user management and authentication so the jwt tokens will be created by google and we need to verify the token using their public keys published in the url.
As per the google documentation we need to refresh the public key after certain amount of time.
When coming to the apisix part there is no option for refreshing the public key dynamically also there is no option to save multiple public keys in jwt-auth plugin.
Please let me know how we can achieve this scenario.
Related
I tried searching in various places, googling about how I can create and authenticate an SDK which I can use as a starting point. Here is what I am trying to achieve.
My Application:
I am creating a saas similar to firebase, supabase etc., where a user signs up on my application and adds some data, say a todo list.
Now, I would have to provide a client SDK(javascript) and server SDK(python, nodejs). Using this the customer should be able to add the SDK to his own application (Customer Application) and be able to access the data that My Application provides.
To do this, when the SDK is used in the Customer Application, I need to authenticate and get the user details, roles and provide the data from My Application. How can I do this?
I have seen that there is some kind of Client key and Server key generated in My Application. These keys can be used by the customer in his application and initialize the sdk using the Client key.
What kind of auth mechanism is this
How is the Client key and Server key generated securely
Any link/pointers to resources will be very helpful.
We use JWT based auth that encode certain Postgres user roles. You can find more information on it here: https://supabase.com/docs/guides/api#api-security
My users are logging in using custom authentication system on my website, which is returning JWT signed by my company's private key.
I'm trying to enable users to login to Firebase as described in Authenticate with Firebase in JavaScript Using a Custom Authentication System.
If I understand correctly by reading the instruction I'm supposed to:
create service account in Firebase
download its private key
copy the private key to my authentication server
sign JWTs using this key
However, I need to stick to using my company's key to sign JWT.
Is it possible? If so, how can I provide my company's public key to Firebase for it to be able to decode my JWT? Or is my understanding about the flow wrong?
There is no way to specify what key Firebase should use for decoding the JWT. The requirement also doesn't make sense, since you're interacting with Firebase's backend services. If you interact with multiple backend systems, you'll need to mint a separate token for each.
I need a help. I have a project in google api, but i don't know how to open access in google spreadsheet for a project. So which gmail i need to open access?
Thanks!
You may refer with this documentation.
Every request your application sends to the Google Sheets API needs to identify your application to Google. There are two ways to identify your application: using an OAuth 2.0 token (which also authorizes the request) and/or using the application's API key. Here's how to determine which of those options to use:
If the request requires authorization (such as a request for an individual's private data), then the application must provide an [OAuth 2.0 token with the request. The application may also provide the API key, but it doesn't have to.
If the request doesn't require authorization (such as a request for public data), then the application must provide either the API key or an OAuth 2.0 token, or both—whatever option is most convenient for you.
Here are some examples and quickstart.
I am developing a REST based application using Web Api 2. On the project, I elected to use the individual user accounts option when I created my project. On the frontend, I am using a combination of angularjs and ios interfaces to interact with web api. I would like a user to enter their credentials and upon successful authentication, receive a jwt token(SSL) that they can use as long as the ticket hasn't expired. I read an article outlining how to create a custom storage provider, which I need as my user schema is different from asp.net identity.
What is the recommended approach to this scenario?
Can someone provide an example of how to setup .net individual accounts for authenticating users trying to access web api action methods? As stated above, the user interface is angularjs.
I am working on a cloud based application, I am assigned the work to implement Salesforce API in my application. I am done with all the authentication process and I am even able to push the leads in api.
But the problem is that I can only authorize my developer account thru it, the account from which I have taken consumer key and secret.
You need to create an package with your remote access settings (aka key & secret) and install it into the other org(s).