How to get Anypoint Platform access token? - mule

I need an access token for my Anypoint Platform, which is deployed on on-prem servers and has a Platinum subscription, so I am able to access things in Anypoint Platform as well. I mean, it is a hybrid model. It is working fine with my trial account when I hit the below URL with my trial account creds.
https://anypoint.mulesoft.com:443/accounts/login, getting the below response:
{
  "access_token": "9123-4e33-84df-abc124",
  "token_type": "bearer",
  "redirectUrl": "/home/"
}
But when I try with my client creds, I get the below response instead of an access token in the body:
{
  "url": "https://verify.salesforce.com/verify/",
  "body": {
    "request": "eyJhFUzI1NiIsInR5cCI6Imp3dCIsImtpZCI6ImFueXBvaW50X2lhbV9wcm9kLWMyYy02NS0xNjYxNzMxMjI0Mjk5IiwidmVyIjoiMS4wIn0.eyJzdHkiOiJUZW5InRydXN0X3ZlcmlmaWVkX2RldmljZXMiOmZhbHNlLCJlbWFpbCI6IlNUaGlydXBhdGhpQEtDU291dGhlcm4uY29tIiw-E_-N4q4hBBkMq5NQ"
  }
}

If the Anypoint Platform organization uses External Identity, you cannot use the login API, because the login actually happens in your company's Identity Provider (IdP). Usually the token is needed for automated access to APIs. You have two options:
(not recommended) Get a bearer token from the IdP of your organization. You'll need to reach out to your organization administrator to learn if you are allowed to do that and how. It really depends on the implementation of the IdP.
(recommended) Create a Connected App for the access that you need and then get a bearer token for the connected app.
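As an added example (not from the original post or from MuleSoft), a Python client for the recommended route: a client-credentials request for a Connected App, plus a response parser that recognises the External Identity redirect shape from the question instead of failing silently. The token endpoint URL is assumed from the public Anypoint docs; confirm it against your control plane.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed Connected App token endpoint; confirm against your control plane's docs.
TOKEN_URL = "https://anypoint.mulesoft.com/accounts/api/v2/oauth2/token"


def build_token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials grant for a Connected App. The secret travels in the
    form body, never in the query string where it would land in access logs."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw: str) -> str:
    """Return the bearer token, or name the non-token shape seen in the question."""
    data = json.loads(raw)
    if "access_token" not in data:
        if "url" in data:  # External Identity: the login is being handed to the IdP
            raise PermissionError(
                f"login delegated to external IdP at {data['url']}; use a Connected App")
        raise ValueError(f"no access_token in response, got keys {sorted(data)}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"]


def fetch_token(client_id: str, client_secret: str) -> str:
    req = build_token_request(client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # Credentials come from the environment so they never sit in source control.
    token = fetch_token(os.environ["ANYPOINT_CLIENT_ID"],
                        os.environ["ANYPOINT_CLIENT_SECRET"])
    print("bearer token received, length", len(token))
```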

Related

Getting a JWT from SAP Commerce Cloud 2105

I have installed SAP Commerce Cloud 2105 on my machine locally and I am able to register a user in it and get the access and refresh token for it using a client (the client that I registered using an ImpEx). The token information that I am getting is of the format:
{
  "access_token": "h-KvY9G0buec1XskUU4svyA8ntY",
  "token_type": "bearer",
  "refresh_token": "MZtBODmWe8m0Vzygpui8JDY7D5Q",
  "expires_in": 43199,
  "scope": "basic openid"
}
Can I configure SAP Commerce to return me a JWT instead of a simple token? I have looked into backoffice and client information but couldn't find a clue.
You have to use an external dependency like auth0's java-jwt and sign the payload with your own private key. Inside your custom JWT you can add your custom claims or the entire OAuth object.

Cannot authenticate to custom API in Azure AD (JWT token issue)

I have a JWT token issue when trying to use the AadHttpClientFactory within the SharePoint Framework (SPFx). I have a custom AAD App registration that is set up to allow the implicit grant flow. I have another app service running a small .NET Core API that requires authentication. My API is not set up to authenticate the user; rather, it validates the token coming from the Authorization header using the following Azure AD values:
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "domain.onmicrosoft.com",
  "TenantId": "09e6b9a6-59fc-419d-xxxx-xxxxxxxxxxxx",
  "ClientId": "f46a1554-7fd9-4627-xxxx-xxxxxxxxxxxx",
  "ClientSecret": "xxxx-xxxxxxxxxxxx",
  "Issuer": "https://login.microsoftonline.com/09e6b9a6-59fc-419d-xxxx-xxxxxxxxxxxx/v2.0"
}
I have my SPFx service set up to fetch the client like this:
this.aadHttpClientFactory.getClient("api://URI").
It then calls my custom service, but no matter what I do I get a 401.
If I use the following URL to fetch a token and use it to hit my service it works fine:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?client_id=<client-id>&response_type=id_token&redirect_uri=https://localhost:5001&scope=openid&response_mode=fragment&state=12345&nonce=678910
So, I inspected both JWT tokens (one coming back from SPFX and one I generate using the URL above).
They are vastly different. The token I get back from SPFx has much more information in it and the Issuer is https://sts.windows.net/<tenant-id> but my API is looking for https://login.microsoftonline.com/<tenant-id>/v2.0 as the issuer. I feel that the issuer is where it is failing but I have tried updating my API to use the issuer that is coming back from SPFx and it still doesn't work.
Any ideas?
I found this post that said the audience was invalid. I was able to find the same error inside my response. I updated my client ID to match my API URI of api:// and it worked.
Azure AAD - The audience is invalid
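An added example, not from the original post: an HS256 stand-in for the API's token validation that reports which check (algorithm, signature, issuer, audience, expiry) rejected a token, so a mismatch like the v1 sts.windows.net issuer or an audience that is not the api:// App ID URI is named instead of hidden behind a bare 401. Real Azure AD tokens are RS256 and verified against the tenant's JWKS; the shared key, tenant id and audience here are constructed so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant id
V2_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"  # issuer the API expects
V1_ISSUER = f"https://sts.windows.net/{TENANT}/"  # issuer the SPFx token carried
API_AUDIENCE = "api://my-custom-api"  # constructed App ID URI of the API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict, key: bytes, ttl: int = 600) -> str:
    """Constructed HS256 token for the demo; real Azure AD tokens are RS256."""
    claims = {"exp": int(time.time()) + ttl, **claims}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check(token: str, key: bytes, issuer: str, audience: str) -> tuple:
    """Return ("ok", claims) or (name of the first failed check, None)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        return "alg", None  # the token never chooses its own algorithm
    signed = f"{header_b64}.{payload_b64}".encode()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), _unb64url(sig_b64)):
        return "signature", None  # checked first: no claim is trusted before this
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        return "issuer", None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return "audience", None
    if claims.get("exp", 0) <= time.time():
        return "expired", None
    return "ok", claims
```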

Standard Implementation in Getting Access Token and Basic User Information via Resource Owner Password grant with OpenID Connect

I want to authenticate a user's user name and password, and upon success, I want to use the token to get basic user information.
The grant type is Resource Owner Password grant with OpenID Connect.
However, there is a difference in how this is implemented in various identity providers. For example, OneLogin requires two requests to get the basic user information, while Azure AD B2C and IdentityServer4 require one request.
Which implementation is the standard of OpenID Connect? If OneLogin is used for my project, what best practices are available for platform portability?
OneLogin:
First Request: Getting Token
URL: https://openid-connect.onelogin.com/oidc/token
Ref: https://developers.onelogin.com/openid-connect/api/password-grant
Result:
{
  "access_token": "example",
  "expires_in": 2313232,
  "token_type": "Bearer",
  "refresh_token": "example"
}
Second Request: Getting User Info
URL: https://openid-connect.onelogin.com/oidc/me
Ref: https://developers.onelogin.com/openid-connect/api/user-info
Result:
{
  "sub": "123",
  "email": "my#lmail.com",
  "preferred_username": "my#email.com",
  "name": "My Name",
  "updated_at": "2019-03-13T16:11:15Z",
  "given_name": "My",
  "family_name": "Name"
}
This is partially down to the "open" definition in OAuth2 around the token definition. In Azure AD, the access token is a JWT which provides basic user information. Get an access token (via whichever grant type) and you have basic user info. In OneLogin (and other IdPs such as Salesforce) the access token is just an opaque token that contains no discernible data. It's a token to access resources.
So there's no standard here, but if you're looking for consistency you should assume the access token from any IdP does not contain user information. Either initiate a grant that returns an OIDC token or use the access token to request an API endpoint that returns user information. Note, the Resource Owner Password Grant with an openid scope should return an id_token which includes your basic user information.
This (new tool) should help clarify as well:
https://youtu.be/do0agd71hE8
I would suggest sending the Identity Token to the resource server, usually your API server (I take it you intend to secure this?). As the Identity Token is a JWT, this can be validated locally on every call on your resource server/API server. You can use the opaque bearer token initially to obtain info from the userinfo_endpoint about the user. Since the bearer token is opaque there is little point passing this to your API / resource server, since you have no means of validating it.
There is a big discussion: IdToken vs AccessToken sent to Resource Server
It is not normal to send the id token to the resource server, but since the bearer token is opaque and cannot be validated locally you have little choice.
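An added example, not part of either answer: a provider-agnostic profile lookup that treats the access token as opaque, reads the id_token when the openid scope produced one (checking iss and aud before trusting it) and otherwise spends the access token on the userinfo endpoint, as OneLogin requires. The OneLogin URL is the one from the question; the id_token fixture and client id are constructed.

```python
import base64
import json
import urllib.request
from typing import Callable

ONELOGIN_USERINFO = "https://openid-connect.onelogin.com/oidc/me"  # from the question


def _jwt_payload(token: str) -> dict:
    """Decode the claims of a JWT received directly from the token endpoint over TLS.
    OIDC Core 3.1.3.7 lets TLS server validation stand in for the signature check in
    exactly that case; a token that arrived any other way must be signature-verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def constructed_id_token(claims: dict) -> str:
    """Test fixture only: header.payload with a dummy signature segment."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


def onelogin_userinfo(access_token: str) -> dict:
    """The second round trip OneLogin needs: the opaque access token buys the profile."""
    req = urllib.request.Request(ONELOGIN_USERINFO,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def resolve_user_info(token_response: dict, client_id: str, issuer: str,
                      fetch_userinfo: Callable[[str], dict] = onelogin_userinfo) -> dict:
    """Provider-agnostic profile lookup: never assume the access token is readable.
    Prefer the id_token when the openid scope produced one, otherwise spend the
    opaque access token on the userinfo endpoint."""
    id_token = token_response.get("id_token")
    if id_token:
        claims = _jwt_payload(id_token)
        if claims.get("iss") != issuer:
            raise ValueError("id_token issuer mismatch")
        aud = claims.get("aud")
        if client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("id_token was issued to a different client")  # replay guard
        return {k: claims[k] for k in ("sub", "email", "name") if k in claims}
    return fetch_userinfo(token_response["access_token"])
```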

Azure AD: limit consumer's access to particular Web APIs

I am using Microsoft Azure. I have published several Web APIs. Each has Authentication / Authorization turned on, with Azure Active Directory (AAD) as the sole provider. We have a single AAD tenant.
The consumers will be partner companies' applications. For each consumer I have created an App Registration in AAD. Using that App Registration's Application ID and Key I can successfully get a token and call the Web APIs (tested through Postman).
My problem is that every consumer credential can access every API. I want to restrict a consumer's access to specific APIs only. For example, consumer A can access API P and Q; consumer B can access API Q and R. There is some overlap, and some uniqueness. I have been through the online docs. They mention very little about this service-to-service scenario. I can find no example code matching my scenario. How do I enforce consumer to API mapping in an AAD single tenant?
In the service-to-service scenario, the simplest way is writing your own validation logic on the web API side.
After getting the access token on the web API side, check the client id (appid claim) in the access token; if that client is not allowed to access the web API, deny it and return the error response.
Another way is checking the application roles:
In your web API app, set the application roles in the Manifest like:
"appRoles": [
  {
    "allowedMemberTypes": [
      "Application"
    ],
    "displayName": "tester",
    "id": "9f29f99b-5c77-4fba-a310-4a5c0572e8ff",
    "isEnabled": true,
    "description": "read client app",
    "value": "tester"
  }
]
In your client app registered in the Azure Portal, grant the related application permission in the Required permissions blade. Don't forget to do admin consent by clicking the Grant Permissions button (logged in with an admin account) after adding application permissions.
In the code of your web API, check access using IsInRole() or the [Authorize] attribute after configuring the roles claim type in the Startup file.
You could refer to this document, which explains and shows the detailed steps. Please refer to the Configuring client application to request application roles of resource API section.
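An added example (not the answerer's code) of the two checks the answer describes, run on the claims of an already-validated access token: the API-side allow-list of caller to permitted APIs, and the roles claim populated from appRoles. The consumer ids and the second role value are constructed; requiring both checks to pass is this example's own stricter choice, not something the answer prescribes.

```python
from typing import Dict, Set

# Constructed allow-list: which registered client (appid claim) may call which API.
# Consumer A -> P, Q; consumer B -> Q, R, as in the question.
CONSUMER_APIS: Dict[str, Set[str]] = {
    "appid-consumer-a": {"P", "Q"},
    "appid-consumer-b": {"Q", "R"},
}

# Role values from each API's manifest appRoles (allowedMemberTypes: Application).
# "tester" is the role shown above; "reader" is a constructed second role.
API_REQUIRED_ROLE: Dict[str, str] = {"P": "tester", "Q": "tester", "R": "reader"}


def client_id_from(claims: dict) -> str:
    """v1.0 tokens carry the caller's app id in 'appid', v2.0 tokens in 'azp'."""
    return claims.get("appid") or claims.get("azp") or ""


def allowed_by_allowlist(claims: dict, api: str) -> bool:
    """First approach in the answer: an API-side mapping of caller -> permitted APIs."""
    return api in CONSUMER_APIS.get(client_id_from(claims), set())


def allowed_by_app_role(claims: dict, api: str) -> bool:
    """Second approach: the 'roles' claim only appears after the application
    permission was granted and admin-consented, so a missing claim means deny."""
    return API_REQUIRED_ROLE.get(api) in (claims.get("roles") or [])


def authorize(claims: dict, api: str) -> bool:
    """Call only after signature, issuer and audience validation. Requiring both
    checks (stricter than either alone) means a mis-granted role cannot widen the
    allow-list and a stale allow-list entry cannot bypass admin consent."""
    if not client_id_from(claims):
        return False  # no identifiable caller, nothing to authorize
    return allowed_by_allowlist(claims, api) and allowed_by_app_role(claims, api)
```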

MobileFirst 7.1 OAuth Token Request

I am trying to use MobileFirst Server as an OAuth server. The Knowledge Center provides detailed steps on how any external application can validate the token sent by the mobile client via the MobileFirst token validator endpoint, but I am not able to find proper documentation for requesting a new authorization token from the mobile client from the MFP Server.
In the development environment we have a testtoken endpoint:
http://localhost:10080/OAuthExternalServer/authorization/v1/testtoken
{ "Authorization": "Bearer eyJqcG ......... }
How do I get a similar token from the MFP production server on the mobile client?
MFP Version: Server version: 7.1.0.00.20170330-0917
Thanks
With the OAuth security model, MFP server is your OAuth token provider. Upon completing the challenge, the server gives you an OAuth token. You need not do anything special in the ChallengeHandler for the OAuth token. Refer to the samples here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.1/authentication-security/
If you are looking to use OAuth for authenticating an external resource, refer to the steps here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.0/authentication-security/using-mobilefirst-server-authenticate-external-resources/
Here is an example token validator which uses introspectionData to validate: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/protecting-external-resources/jtv/
Basically, the Introspection Endpoint can be invoked to validate the token provided by the MFP server.
The general OAuth flow with 7.1 for a default flow can be referred to here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.0/authentication-security/authentication-concepts/oauth-based-security-model/