How we can discover Workday SOAP web service base URL in Node JS - workday-api

We are working on developing an integration in Node JS where we are planning to consume SOAP web services. This is going to run in multi-tenant mode, meaning different customers can connect.
What we realized is that we need to have the values of domain and tenant to connect. I was wondering if there is any way we can discover the tenant under the hood so that the customer doesn't need to do the hard work to find this.
Is there any way we can just take the username and password from the user and do the discovery of the domain ourselves?

Related

How to authenticate user in microservice architecture with Lumen

I'm new to microservice architecture. I was reading about it and started to be interested in developing a website using the architecture. I've used the Lumen micro framework.
I have browsed the internet for what I am going to ask you and couldn't find the way. So, I finally reached out to Stack Overflow. Below is the overview of my current implementation.
Up until this point, I am able to request user, patient, treatment, etc. data from the API gateway and get the response data properly.
When the client requests user data like name or department, it requests this route, http://localhost:8000/users/1 (port 8000 is for the API gateway and 8001 for the user service, let's say), and the gateway goes to 8001 and grabs the user data.
I've also enabled authorization between the API gateway and the individual services in order to prevent CRUD operations from being performed separately against the individual services: when a request goes from the gateway to a service, I put a pregenerated token (which is also predefined in the service) in the header, and when it reaches the service, the service validates the token by comparing it with its predefined one. So, it's working.
But to be able to request from the API gateway to the services, I've used the client credentials grant type. So, here is my question.
How can I implement login and registration? Does the client credentials grant type enable me to do so? If not, what is the appropriate one? What is the right way to implement the system? Could you please kindly explain? Thank you so much in advance.
Updated
In conclusion, I want to know how to configure authentication between front-end and api gateway.
Your API architecture looks good - nothing there needs to change. However, there are 3 parts to the architecture:
APIs (done)
UIs (to do)
Authorization Server (maybe use a free cloud one?)
As a next step, maybe focus on login. My tutorial will help you to understand the interaction and what needs to be coded in UIs. Or, if you prefer, just view the message workflow.
Registering users can be a more complex topic and depends on the type of system. Happy to answer follow-up questions if it helps.

How to add multiple microservices in cumulocity

We implemented an application which is onboarded in the C8Y server: the DM (Device Management) application.
The end user connects to the tenant-related C8Y server and selects the DM application.
The DM application consists of two parts:
Front end (HTML, JavaScript)
Back end (Java Spring Boot, which exposes a REST API). The back end communicates with our custom IoT product.
The back end of our DM application is today located in the MZ but can be hosted in the DMZ.
Issue description:
The front end (JavaScript) of the DM application cannot communicate with the back end part of the DM application, as the client security requirements:
Do not allow us to set up an HTTP proxy in the DMZ.
Do not allow us to hard-code the REST API user (and password) in the JavaScript.
Solution (my suggestion):
When the end user logs in to the C8Y server, we think the C8Y server validates the user, who is stored in a C8Y database.
We suggest using the same user credentials (authentication) which have been used to log in to the C8Y portal to access this REST API.
Then, the back end of the DM application needs to validate this REST API user; this way the DM application can also validate the user with a single login for the whole C8Y application.
To implement this solution, we need:
to get the username/password in the front end,
or the authenticated token in the front end, if any;
to know the API that C8Y uses to validate the user from the back end;
support to register this as a micro-service where authentication is taken care of by C8Y.
Questions:
What do you think about the suggestion to solve the issue?
Also, there is one micro-service already registered to the account, so how can we add another micro-service?
In case there is no support for multiple micro-services, kindly suggest a workaround to let this DM application run as a second micro-service, as this is very critical and a blocker issue for our customer.
Please check this (new) documentation: http://www.cumulocity.com/guides/concepts/applications/ . I hope that answers some of your questions.
In detail:
Yes, you can register multiple microservices.
Authentication is handled automatically by Cumulocity, i.e. requests sent to /service/yourMS are authenticated by Cumulocity and then forwarded to the microservice.
BR, Stefan

Implementing identity server behind web api owin authentication

I have two different client apps written in JavaScript connecting to two different web APIs. I am trying to implement IdentityServer 3.
Is it possible to have IdentityServer behind my web API OWIN authentication API endpoint? In other words, is it possible to route the /token endpoint from OWIN in the web API to call the /authenticate endpoint in IdentityServer?
Is it possible to audit log to the DB in IdentityServer, including failed requests along with the user's IP and browser agent? Also, is it possible to log the user's IP even if I am calling from the web API, as my web API is being called by a user using a browser?
In my case, should I keep two different user bases for two different projects or move all my users to IdentityServer? If I move all the user info to IdentityServer, how am I going to handle all the joins with other tables in different applications, or should I keep a copy of the user with minimum info such as id, email and name?
It makes little sense to first call a web API and deal with authentication during that call.
Your client apps should first redirect the browser to IdentityServer, where the user would log in and be redirected back to your client app along with either an access token (implicit flow) or an authorization code (authorization code flow), depending on whether the client app has a back-end or not. Then, your client app would make requests to the web API, passing the access token in the Authorization header.
As for different user bases, one approach might be to implement a specific IUserService for each user base and either send a hint about which one to use in the acr_values or tie it to specific clients registered in IdentityServer. Again, depending on the requirements.
Is it possible to have IdentityServer behind my web API OWIN authentication API endpoint? In other words, is it possible to route the /token endpoint from OWIN in the web API to call the /authenticate endpoint in IdentityServer?
Yes and no - you cannot reroute those requests, but you can host IdentityServer in the same application as a web API. In Startup.cs, map a folder to IdentityServer.
It's not a good idea to do this. First of all, which API of the two will host idsrv? What if that API goes down and takes idsrv with it? Then the other API does not work anymore.
-> host idsrv separately, make both APIs and both JavaScript apps clients in idsrv, log in to idsrv from the JavaScript apps (=SSO) and use bearer tokens for the APIs
Is it possible to audit log to the DB in IdentityServer, including failed requests along with the user's IP and browser agent? Also, is it possible to log the user's IP even if I am calling from the web API, as my web API is being called by a user using a browser?
Yes, this should be possible; check the logging implementation for idsrv. At the least you should be able to plug in a provider that writes to a database.
In my case, should I keep two different user bases for two different projects or move all my users to IdentityServer? If I move all the user info to IdentityServer, how am I going to handle all the joins with other tables in different applications, or should I keep a copy of the user with minimum info such as id, email and name?
Idsrv does not need to have all the user info; just an email address is enough. You can use that as the link to the user data in your API databases if you use it as the unique identifier.

Web API - Can Windows Authentication and an API key be used on same call?

I'm new to web services and am creating HTTP services using .NET Web API 2.
The consumers of the services will be other applications, but in the future I foresee web applications (browsers, mobile apps) using them. The services simply serve data to the consumers (no create/update/delete).
All applications, including the API, are located on our enterprise intranet. Nothing outward facing.
I was told to use Integrated Windows Authentication for the services. Can an API key also be used on the same services to authenticate the application that is making the calls?
I'm not even sure doing this makes sense. Can the consuming application (i.e. an executable run on a server) send account info? My thought is that Windows Authentication isn't necessary and token authentication will suffice. Others have told me to use both. I'm not sure that's possible and haven't found anything showing me it is.
An API key is a parameter passed to the service interface, so it can be passed with any type of auth on the backend.
But usually, an API key is used to determine whether a user is allowed to use a specific API. For example, if only a subset of users that have Windows accounts are allowed to use the API, then maybe that might make sense, because even if they could authenticate with their Windows account, they could still be determined to be unauthorized by the fact that they did not pass a valid auth key.
That said, you could also do the same thing with some kind of policy, for example checking if the user has the correct role to call the API method. It makes more sense when you are giving people access to an API through the internet.

Can I get the tenant ID when an app is deployed on AS

all. I wonder if I can get the tenant ID except through the CarbonContext API. I see this set of APIs can get anything from the server, but it is too powerful to be exposed to the developers. An evil developer can easily get all the OSGi services. He can even modify other users' registries just by setting the tenantID to another's. So is there any method I can use to get the tenant ID of an app?
Normally the tenant ID is an internal detail and it is not exposed via web services. AFAIK the only available way is the CarbonContext API. Actually, you can enable the Java security manager and restrict access to OSGi services. I guess WSO2 has done it in their live deployment, where we cannot access CarbonContext, user realm and other services using a web app. But I agree that there must be a way to get tenant information about the deployed tenant (basically tenant domain, not tenant ID).