Automatic upload and update of the security certificate used by the API specifications for connecting to the backend endpoint - automation

I am working on an API management project. I would like to know if there is a way to create and update security certificates automatically?
Thank you all.

You could use the Publisher REST APIs to upload certificates related to the backend endpoints. Check https://apim.docs.wso2.com/en/latest/reference/product-apis/publisher-apis/publisher-v2/publisher-v2/#tag/Client-Certificates .
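As an added example (not code from this thread or from WSO2), here is a Go program that does the create-or-update step against the Publisher v2 REST API so it can run unattended from a renewal hook or cron job. The question concerns the certificate APIM trusts for the backend, which the Publisher API exposes under the Endpoint Certificates resource next to the Client Certificates one linked above; the paths `GET /endpoint-certificates?alias=...`, `POST /endpoint-certificates` and `PUT /endpoint-certificates/{alias}`, the multipart field names `certificate`, `alias` and `endpoint`, and bearer-token authorization are my reading of that documentation and should be checked against the APIM version you run. The base URL and token are assumptions supplied by the caller.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/url"
)

// Syncer talks to the Publisher v2 REST API. The base URL, the bearer token
// and the exact paths are assumptions drawn from the documentation linked in
// the answer above; check them against the APIM version you run.
type Syncer struct {
	BaseURL string // e.g. https://apim.example.com:9443/api/am/publisher/v2
	Token   string // OAuth2 bearer token issued for the publisher API
	Client  *http.Client
}

func (s *Syncer) do(method, path, contentType string, body io.Reader) (*http.Response, error) {
	req, err := http.NewRequest(method, s.BaseURL+path, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+s.Token)
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	return s.Client.Do(req)
}

// multipartForm builds the multipart/form-data body the upload endpoints expect:
// plain fields (alias, endpoint) plus the PEM file in the "certificate" part.
func multipartForm(fields map[string]string, certPEM []byte) (string, *bytes.Buffer) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf) // writes into a bytes.Buffer do not fail
	for k, v := range fields {
		_ = w.WriteField(k, v)
	}
	fw, _ := w.CreateFormFile("certificate", "backend.pem")
	_, _ = fw.Write(certPEM)
	_ = w.Close()
	return w.FormDataContentType(), &buf
}

// Exists asks GET /endpoint-certificates?alias=... whether the alias is registered.
func (s *Syncer) Exists(alias string) (bool, error) {
	resp, err := s.do(http.MethodGet, "/endpoint-certificates?alias="+url.QueryEscape(alias), "", nil)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("list certificates: HTTP %d", resp.StatusCode)
	}
	var list struct{ Certificates []struct{ Alias string } } // encoding/json matches names case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&list); err != nil {
		return false, err
	}
	for _, c := range list.Certificates {
		if c.Alias == alias {
			return true, nil
		}
	}
	return false, nil
}

// Sync uploads a new certificate (POST /endpoint-certificates) or replaces the
// one behind an existing alias (PUT /endpoint-certificates/{alias}) and returns
// the HTTP method it used so the caller can log what happened.
func (s *Syncer) Sync(alias, endpoint string, certPEM []byte) (string, error) {
	// Refuse anything that is not a PEM certificate before it reaches the gateway.
	if block, _ := pem.Decode(certPEM); block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("refusing to upload: input is not a PEM CERTIFICATE")
	}
	exists, err := s.Exists(alias)
	if err != nil {
		return "", err
	}
	method, path := http.MethodPost, "/endpoint-certificates"
	fields := map[string]string{"alias": alias, "endpoint": endpoint}
	if exists {
		method, path = http.MethodPut, "/endpoint-certificates/"+url.PathEscape(alias)
		fields = nil // the update call only carries the new certificate
	}
	ct, body := multipartForm(fields, certPEM)
	resp, err := s.do(method, path, ct, body)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	return method, nil
}
```

Call `Sync` with one stable alias per backend: the first run creates the entry and every later run replaces it, so the same invocation serves both the initial upload and each renewal. The alias is the key the gateway stores the certificate under; if it changed with every renewal you would accumulate stale entries instead of replacing them. The PEM itself can come from the renewed file on disk or be pulled from the live backend with `tls.Dial` and `pem.Encode` of `conn.ConnectionState().PeerCertificates[0].Raw`.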

Related

Set up openid-connect infrastructure

I am pretty new to authorization/authentication with OpenID Connect. I guess I lack some basic understanding of how to set up a proper backend infrastructure.
There's a Keycloak server running through which I want to authorize/authenticate my customers.
The user logs in with his company credentials and then should be authorized/authenticated against our backend service, which provides a REST API.
So our part is to implement the backend service and use OpenID Connect for authorization/authentication.
Could you tell me what components/software need to be implemented on our side?
Often the Authorization Server is an external cloud system that your UIs and APIs just point to, with URLs equivalent to this:
https://api.mycompany.com/myapi
https://web.mycompany.app/myapp
https://login.mycompany.com
Not sure if this quite matches your setup but typically you provide some or all of these domains:
API
Web Hosting
Authorization Server (Keycloak)
My personal preference is to use local developer PC domains to match the above. If it helps, you might just be able to repoint my OpenID Connect code sample to your infra once configured, in order to verify that it works.
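As an added example, not part of the answer above and not Keycloak's own code: the component you implement on the API side is a token verifier that runs before your REST handlers. It pins the algorithm, verifies the RS256 signature against the realm's public key selected by `kid`, and only then checks issuer, audience and expiry. The Go below assumes a realm named `myrealm` under the `https://login.mycompany.com` host from the answer, an API client id `myapi`, and that the realm's JWKS has already been loaded into `Keys`; the web app's side (the authorization code flow that obtains the token) is not shown. `DevKey` and `Sign` exist only so the verifier can be exercised without a running Keycloak.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims are the registered claims the API checks; aud may be a string or an array (RFC 7519).
type Claims struct {
	Issuer   string          `json:"iss"`
	Subject  string          `json:"sub"`
	Audience json.RawMessage `json:"aud"`
	Expiry   int64           `json:"exp"`
}

// Verifier is the resource-server side. In production Keys is filled from the
// jwks_uri listed at <Issuer>/.well-known/openid-configuration (refreshed on an
// unknown kid); that fetch is left out here.
type Verifier struct {
	Keys     map[string]*rsa.PublicKey // kid -> realm public key
	Issuer   string                    // e.g. https://login.mycompany.com/realms/myrealm (assumed realm name)
	Audience string                    // the client id Keycloak puts in aud for this API
}

func b64url(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

func hasAudience(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // on failure many stays empty and nothing matches
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

// Verify checks the signature before trusting any claim, then issuer, audience and expiry.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := b64url(parts[0])
	payload, err2 := b64url(parts[1])
	sig, err3 := b64url(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	// Pin the algorithm: the token must not get to choose "none" or an HMAC variant.
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg")
	}
	key, ok := v.Keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != v.Issuer:
		return nil, errors.New("wrong issuer")
	case !hasAudience(c.Audience, v.Audience):
		return nil, errors.New("wrong audience")
	case c.Expiry == 0 || time.Now().Unix() >= c.Expiry:
		return nil, errors.New("expired or missing exp")
	}
	return &c, nil
}

// DevKey and Sign stand in for Keycloak so the verifier can be exercised
// locally; in the real deployment the realm signs and the API only verifies.
func DevKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func Sign(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

In the API this is wired as a handler wrapper: strip `Bearer ` from the `Authorization` header, call `Verify`, answer 401 on any error and pass the returned claims (the `sub`, plus whatever roles the realm adds) to the handler. Signature before claims is deliberate: nothing in the payload is read until the signature over that exact payload has been checked, which is what defeats the swapped-payload case in the test.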

Do I need an API Gateway

I have an application that has a couple of features that I would like third-party businesses to avail of. For example, the user information gets passed to us and we run ID checks and send back a token with information.
I think I can use a third party API management service like 3scale but what do I have to do on my end to 'expose' this API?
Thanks!
With AWS API Gateway, you can set up a simple HTTP proxy to your application. Based on your needs, you can use features like auth, throttling, API key management, client certificates, etc.
Here is a blog explaining some of this.
Hope this helps, Ritisha.
As mentioned by Ritisha, API Gateway definitely can work, but it is sort of lock-in.
I would recommend checking https://tyk.io/, which is an open-source gateway with commercial options. For example, it provides a cloud version, where you do not need to expose any ports on your side at all. You just configure your API in the dashboard and bind your CNAME record to the proxied API. This should work really well to try it out. And if you outgrow this option, you can host it on your own, or use a Hybrid environment, where all user requests come to your own server (no third parties), but on the other hand you have a nice configuration dashboard in the cloud.
Hope it helps!

How to add authentication header in JIRA webhook

I am writing some Java REST APIs which will be invoked from a webhook configured through the JIRA administration console. But I do not see any way to add an authentication header while configuring a webhook in JIRA.
Without a header, there is a security concern in the sense that anyone can invoke my Java REST APIs.
Could someone please suggest how to add custom headers in a webhook, possibly with some example? I have already gone through the Atlassian developer documentation but do not find any solution there.
Adding a username and password to the Jira Cloud webhook URL e.g.
http://user:password@mycallbackurl.com
is ignored by Jira Cloud unfortunately. It seems that other Atlassian products do provide the ability to set a header / provide username and password for basic authentication.
Also see:
https://jira.atlassian.com/browse/JRA-31953
https://answers.atlassian.com/questions/12270170/where-does-the-webhook-arrive-from.
You basically have two options:
You can add an API key or some kind of secret to the webhook URL. The disadvantage is that the secret could show up in your web server logs.
Don't trust the webhook POST body (JSON) and pull the information from the API.
Adding the Atlassian server IPs to a whitelist would also make sense:
https://confluence.atlassian.com/cloud/database-and-ip-information-744721662.html#DatabaseandIPinformation-IPAddressrange.
Although it doesn't completely eliminate attack vectors, since attacks can also come from another Jira Cloud environment.
There is no support for adding an extra header in the JIRA webhook configuration, so an authentication header cannot be added in the webhook configuration.
To do the authentication, one way is
1) Retrieve User information from incoming JSON
2) Make JIRA REST API call to check user's authenticity
3) Deny or allow further processing based on result
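Putting the measures from the two answers above together, as an added example that is neither from this thread nor from Atlassian: a Go receiver in which the secret travels in the webhook URL's query string and is compared in constant time, the TCP peer must fall inside an allow list of Atlassian ranges (the CIDR in the test is a constructed placeholder; take the real ranges from the linked page), and only the issue key is read from the POSTed JSON, with the issue itself re-fetched through Jira's REST API before anything is acted on. The `?token=` parameter name, the URL path and the log format are assumptions; `GET /rest/api/2/issue/{key}` with basic auth is Jira's documented issue endpoint.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
)

// WebhookServer receives Jira Cloud webhooks and compensates for the missing
// auth header with the three measures the answers above describe.
type WebhookServer struct {
	Secret  string       // shared secret carried as ?token=... in the webhook URL
	Allowed []*net.IPNet // Atlassian egress ranges from the linked page
	// LookupIssue re-reads the issue through Jira's REST API so the POST body
	// is never treated as authoritative; JiraLookup below is one implementation.
	LookupIssue func(key string) (map[string]interface{}, error)
}

// clientIP uses the TCP peer address. Behind a reverse proxy, take
// X-Forwarded-For only when the peer is that proxy, never from the raw header.
func clientIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

func (s *WebhookServer) fromAtlassian(ip net.IP) bool {
	for _, n := range s.Allowed {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// secretMatches compares fixed-length digests in constant time so the check
// does not leak how many leading characters of the secret were guessed right.
func (s *WebhookServer) secretMatches(r *http.Request) bool {
	got := sha256.Sum256([]byte(r.URL.Query().Get("token")))
	want := sha256.Sum256([]byte(s.Secret))
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

func (s *WebhookServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Log the path without the query string so the URL secret stays out of the logs.
	fmt.Printf("webhook from %s: %s %s\n", r.RemoteAddr, r.Method, r.URL.Path)
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if !s.fromAtlassian(clientIP(r)) || !s.secretMatches(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	var evt struct{ Issue struct{ Key string } } // encoding/json matches "issue"/"key" case-insensitively
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&evt); err != nil || evt.Issue.Key == "" {
		http.Error(w, "bad payload", http.StatusBadRequest)
		return
	}
	// Only the issue key is taken from the payload; the issue itself is re-fetched.
	issue, err := s.LookupIssue(evt.Issue.Key)
	if err != nil {
		http.Error(w, "lookup failed", http.StatusBadGateway)
		return
	}
	fmt.Printf("processing %s from the API copy: %v\n", evt.Issue.Key, issue["fields"])
	w.WriteHeader(http.StatusNoContent)
}

// JiraLookup returns a LookupIssue backed by GET /rest/api/2/issue/{key} using
// basic auth (for Jira Cloud: account email plus an API token).
func JiraLookup(baseURL, user, apiToken string) func(string) (map[string]interface{}, error) {
	return func(key string) (map[string]interface{}, error) {
		req, err := http.NewRequest(http.MethodGet, baseURL+"/rest/api/2/issue/"+url.PathEscape(key), nil)
		if err != nil {
			return nil, err
		}
		req.SetBasicAuth(user, apiToken)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return nil, err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("jira: HTTP %d for %s", resp.StatusCode, key)
		}
		var issue map[string]interface{}
		return issue, json.NewDecoder(resp.Body).Decode(&issue)
	}
}
```

The access-log line deliberately omits the query string, which is the mitigation for the secret-in-logs drawback raised above; the same care is needed in any proxy or load balancer in front of the service. Re-fetching through the API is what closes the gap the IP allow list leaves open: a request from some other Jira Cloud tenant can pass the address check, but the lookup against your own site only returns issues that actually exist there.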

Setting up a mutual certificate on azure api app

I want to securely link Azure API Management (APIM) with an Azure API App. How to give the certificate to APIM is well documented; however, I cannot find a description of how to provide a certificate to the API App. I know how to do it for a regular API (azurewebsite) with the portal, but can you upload a certificate to an API App and use mutual certificate authentication with an API App?
Azure API Gateway to the backend API can be secured using certificates. Once the backend API is configured for certificate-based authentication, you can configure the respective API in the API portal. In the Design blade of the respective API in the API management portal, select the client certificate option to configure. You can view the detailed steps in the Azure documentation https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates
I don't have a solution for this but a workaround that might be interesting for you. I made a webcast.

WSO2 - Identity Server and API Manager working together

I'm evaluating WSO2 Identity Server and WSO2 API Manager.
I registered an API and an application on API Manager. I can call the resources successfully.
I could also add a user into Identity Server and log into it using OAuth authentication.
But it's not too clear how I can use those two systems together. I would like to use API Manager to expose my APIs to some applications. And I would like to use Identity Server to log in the final user. Is that possible? How can I "plug" those two systems together?
I am not sure if that's the best way to do that, so, please, advice me.
Thanks
According to my understanding, your use case is that you need to expose the APIs securely, so you need to use WSO2 Identity Server and WSO2 API Manager, and in addition you need the best approach for the above use case.
With the above two products we have the two options below.
Configuring WSO2 Identity Server as the Key Manager in WSO2 API Manager (this link gives a different version combination of both products)
Here we need to add the Key Manager feature to the WSO2 IS.
Configuring the Pre-Packaged Identity Server 5.0.0 with API Manager 1.9.0
Here the 1st option has manual configurations, but the 2nd option minimizes the manual configuration.
The purpose of using the Identity Server is not too clear. Is it to separate the authentication/authorization from the API Manager instance?
By default API Manager is shipped with a Key Management Server component that is responsible for all security and key related operations. This can be configured to authenticate users against a defined user store or multiple user stores. Authorization is based on OAuth 2.0. However, in a production deployment, we recommend that this component is deployed as a separate server instance so that it runs as an external Key Management Server.
This is done by simply using another copy of the API Manager distribution and configuring it as a Key Manager server node.
Hope this helps.
Regards,
Gillian
My understanding is,
if you want to use WSO2 API Manager (AM) as an API gateway, you don't need a separate IS, as AM includes an IS engine with security mechanisms such as the Key Manager.
If you need single sign-on across all AM components, and you do NOT have another identity provider (IdP), you need a separate IS.
However, if you do have a separate IdP, you don't need to install an IS server to implement SSO for AM, although the documentation from IS may suggest you do so. For example, a successful SSO implementation has been done with PingFederate/PingIdentity. See How to integrate WSO2 API Manager (AM) 1.10.0 with PingFederate SAML 2.0?