Recently we split a big monolithic enterprise application in a bunch of microservices in CloudFoundry. Just one of them is on the apigee proxy and communicates with a service exposed externally. Now i have a requirement to invoke the service using curl command with Autosys. How do i call the mtls enabled apigee microservice with Curl command?
In postman, i will pass key & secret and get the bearer token and then call the microservice, then it works fine. Everytime, the bearer token will change atleast for few hours. How do i deal this level of authentication with curl command? Any advise on this use case of calling mTLS enabled apigee hosted microservice from curl command?
Related
I have ASP.NET Core RESTful APIs and protect them with JWT token issued from Azure Active Directory. Any client who wants to call the endpoints should first acquire a valid JWT token from the AAD and send that as a Bearer token. My API internally should call an external API (internal to the organisation) to query some information and return it to the user. The external API requires mTLS as its security protocol.
My questions
Can I still have my Bearer authentication scheme against my APIs and at the same time have mTLS enabled in my API so it can communicate with the third API?
From my understanding, in TLS which mTLS is an extension of it, the client should verify the server's certificate. Does that mean, with every incoming request I should check if it's presenting the certificate? If so, then what would happen to the Bearer authentication scheme then?
In my head, I was hoping that I can just append the certificate to the requests against the third-party API and that should be it but based on question number 2 I seem to be wrong about it.
I'm a bit lost here and appreciate any advice on this.
I am sending a JWT token in api header. I designed this to pass through GCP api gateway and hit cloudrun service. But when passing through api gateway, the whole JWT token changes every time. There is no effect when I call the cloudrun directly without an api gateway. Any ideas about this?
You have several use cases
If you consider that your Cloud Run requires an authentication, but the access to API Gateway doesn't, the API Gateway is able to generate an identity token, based on the service account in its configuration, and add it to the request forwarded to Cloud Run
If you consider that your Cloud Run requires an authentication and you want to use API Gateway as authentication proxy (for instance, all the users that request the API gateway must be authorized by API gateway (by API key, by FirebaseAuth, by JWT token,...), but the users aren't directly granted on the Cloud RUn service, API Gateway is able to generate an identity token, based on the service account in its configuration, and add it to the request forwarded to Cloud Run
If you consider that your Cloud Run requires an authentication and API Gateway is simply a passthrough to centralise the APIs definition, you can set in your x-google-backend definition, the parameter disable_auth to true. That time, API Gateway won't generate an identity token and won't add it in the forwarded request. The identity token received in entry is forwarded to Cloud RUn (it must be a valid token for Cloud Run)
Note: when API Gateway generate an identity token, the initial authorization token is forwarded in a new header: X-Apigateway-Api-Userinfo
I am using Keycloak to authenticate a Vue app that is running on Docker. Currently, my configuration includes using grant_type=password along with client-id and client-secret to authenticate a client.
Because I want to make client-secret configurable, what is the best way to use keycloak client-secret in docker-compose.
I currently have the following architecture
APP -> API -> KeyCloak
I want the APP to be able to send requests to my API which will then internally proxy certain requests to KeyCloak. For example, I'd like to make a request to the /userinfo endpoint in KeyCloak through my API. If I can figure this out I can then perform more complex features.
APP -> http://api:port/api/userinfo
API -> http://keycloak:port/auth/realms/quartech/protocol/openid-connect/userinfo
I have a valid JWT Bearer token. As I can directly make the request to KeyCloak successfully, however if I attempt to make the request via my API it returns 401. Even though it is using the same JWT Bearer token.
I believe it has something to do with configuring the KeyCloak client to allow requests to come from the API. But so far I haven't been able to figure it out.
I've discovered it required a DNS entry to local development within a Docker container.
I've edited the hosts file and added a 127.0.0.1 keycloak and then al
I'm developing a solution that has: an Authorization Server (AS), a Resource Server and two clients. The two clients are: a web app with Angular 2 and a mobile app with Angular 2 + Ionic 2. I have started to develop the Authorization Server following this sample https://github.com/Baeldung/spring-security-oauth
For both the clients, I have decided to use the "Password Code Grant" because the client are trusted by the AS.
But now I have a problem storing the "client secret code" on the apps. Because the API (.../oauth/token) is secured by Basic Authentication so every time that I ask a token to the AS I need to send something like that:
curl.exe -v -u client_id:client_secret http://localhost:8080/backend/oauth/token -d grant_type=password -d client_id=client_id -d username=admin -d password=admin
So, the questions are:
Where I can store safely the client secret code on the apps?
Is it safe to remove the Basic Authentication from the oauth API?
Have I use another code grant type?
Thank you,
Paolo
Applications running in a browser (Angular) are not able to keep their secrets safe, so I would choose the OAuth2 Implicit flow. The implicit flow requires the use of HTTPS for communication with your Authorization Server, since the tokens are transferred over the network.
You should not remove the authentication from the token endpoint - it would compromise other flow types. For example the authorization grant flow doesn't require the client to be served by HTTPS and the auth code can be visible to anyone, so the token endpoint secret is important there (the Resource Server must ask for the tokens using HTTPS).
Using the implicit flow, you will have to check the validity time of the access token and request a new one before the current one expires. For example using the prompt=none auth request parameter.