I defined a client in keycloak admin console to authorize it with client_credentials flow to call server-to-server api in my application. Everything is fine, i want to apply IP restriction for that client.
Where can i define this restriction in admin console? i didn't find such configuration in keycloak documentation.
There is no such settings out of the box, but you could try to implement custom client authenticator. So for example allowed IP Addr could be stored in client attributes, and your authenticator implementation will challenge incoming request against specified IP addr. See "Server Development" section in Keycloak documentation. Also you can refer to keycloak github repo for implementation examples and guides. Start from
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/client/ClientIdAndSecretAuthenticator.java
Related
Should be a simple matter of registering the app in the IBM Cloud and providing callback URIs for authenticating the user and returning control just like login with google or login with Amazon.
But I cannot seem to find the exact flow of steps involved.
--prasanna
I think the service you are looking for is App ID.
When you are developing a web application, you can use the App ID web flow to securely authenticate users. Users are then able to access your server-side protected content in your web apps.
App ID uses the OIDC authorization code flow to securely authenticate users. With this flow, when the user is authenticated, the app receives an authorization code. The code is then exchanged for an access, identity, and refresh token. In code exchange step the tokens are always sent via a secure backchannel between the app and the OIDC server. This provides an additional layer of security as the attacker is not able to intercept the tokens. These tokens can be sent directly to the web server hosting application for user authentication.
App ID interacts with identity providers by using multiple protocols such as OpenID Connect, SAML, and more. For example, OpenID Connect is the protocol that is used with many social providers such as Facebook, Google. Enterprise providers such as Azure Active Directory External link icon or Active Directory Federation Service External link icon, generally use SAML as their identity protocol. For Cloud Directory, the service uses SCIM to verify identity information.
Read this blog post for using a custom identity provider
For an in-depth understanding of the flow, you can refer to this link
We are currently analyzing the API gateway for our microservices and Kong is one of the possible candidate. We discovered that Kong support several plugins for authentication but the all based on users stored in Kong database itself. We need to delegate this responsibility to our custom auth HTTP service and don't want to add these users in API gateway database.
It's possible to do this with some code around, instead of using the OpenID connect plugin; in effect you need to implement an Authorization Server which talks to Kong via the Admin (8001) port and authorizes the use of an API with externally given User Ids.
In short, it goes as follows (here for the Authorization Code grant):
Instead of asking Kong directly for tokens, hit the Authorization Server with a request to get a token for a specific API (either hard coded or parameterized, depending on what you need), and include the client ID of the application which needs access in the call (you implement the /authorize end point in fact)
The Authorization Server now needs to authenticate with whatever IdP you need, so that you have the authenticated user inside your Authorization Server
Now get the provision code for your API via the Kong Admin API, and hit the /oauth2/authorize end point of your Kong Gateway (port 8443), including the provision key; note that you may need to look up the client secret for the application client id also via the Admin API to make this work
Include client id, client secret, authenticated user id (from your custom IdP) and optinally scope in the POST to /oauth2/authorize; these values will be added to backend calls to your API using the access token the application can now claim using the authorization code
Kong will give you an Authorization Code back, which you pass back to the application via an 302 redirect (you will need to read the OAuth2 spec for this)
The application uses its client and secret, with the authorization code, to get the access token (and refresh token) from Kong's port 8443, URL /oauth2/token.
It sounds more involved than it is in the end. I did this for wicked.haufe.io, which is based on Kong and node.js, and adds an open source developer portal to Kong. There's a lot of code in the following two projects which show what can be done to integrate with any IdP:
https://github.com/apim-haufe-io/wicked.portal-kong-adapter
https://github.com/Haufe-Lexware/wicked.auth-passport
https://github.com/Haufe-Lexware/wicked.auth-saml
We're currently investigating to see whether we can also add a default authorization server to wicked, but right now you'd have to roll/fork your own.
Maybe this helps, Martin
Check out Kong's OpenID Connect plugin getkong.org/plugins/openid-connect-rp - it connects to external identity and auth systems.
I am using Wso2 Oauth2 password grant for authenticating the user in my application. I need to implement two factor authentication using sms and email in my existing workflow. I have gone through the Wso2 documentation found authenticator for Email and SMS.
https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator
https://docs.wso2.com/display/ISCONNECTORS/SMSOTP+Authenticator
But these documentation deals with SAML.
Is there any documentation for Oauth2 workflow or How it can be achieved ?
Need help on this
Thanks
I assume you have configured a service provider with OAuth/OpenID Connect Configuration type in WSO2 Identity Server. You need to do the Local & Outbound Authentication Configuration in this OAuth Service Provider. Hit edit for that SP and expand Local & Outbound Authentication Configuration. Click on Advanced Configuration and do necessary configuration there.
Refer https://docs.wso2.com/display/ISCONNECTORS/Configuring+EmailOTP+Authenticator and follow the steps starting from Step 9 in Configuring the Service Provider section.
I'm trying to use the authenticationendpoint application that comes with WSO2 as the new only login entry point of an old application. For testing purposes I just did a page that redirects to thi URL
https://localhost:9443/authenticationendpoint/login.do?relyingParty=My-Issuer&sp=Test-App&sessionDataKey=14792551&authenticators=BasicAuthenticator:LOCAL
The login page appears as expected, but once I set the user and password shows this message:
Authentication Error !
Attention:
Something went wrong during the authentication process. Please try signing in again.
Seeing the output in the console on debug mode, this is what is shown
... Many of the same error saying that Authentication Context is null
[2017-01-06 15:40:08,836] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Authentication Context is null
[2017-01-06 15:40:08,836] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Authentication Context is null
[2017-01-06 15:40:08,836] DEBUG {org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils} - Authentication Context is null
[2017-01-06 15:40:08,837] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Session data key : 22451696
[2017-01-06 15:40:08,837] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} - Context does not exist. Probably due to invalidated cache
I thing I'm doing something wrong, maybe there are not enough parameters sent, or they are the wrong ones, the user and password are correct because I can login into the carbon itself with it, and it is also a valid user for the testing SP.
The SP config is described:
Basic Information
Service Provider Name: Test-App
Claim configuration
Use Local Claim Dialect
Subject Claim URI http://wso2.org/claims/username
Role/Permission Configuration
Permissions AdminTest
Role Mapping AdminTest->Admin
Inbound Authentication Configuration
SAML2 Web SSO Configuration
Issuer: My-Issuer
Assertion Consumer URLs: https : //localhost/Test/main.asp
Default Assertion Consumer URL: https : //localhost/Test/main.asp
NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Certificate alias: wso2carbon
Response Signing Algorithm: ...#rsa-sha1
Response Digest Algorithm: ...#sha1
Checked values
Enable Response Signing
Enable Single Logout
Enable Attribute Profile
Include Attributes in the Response Always
Enable IdP Initiated SSO
Enable IdP Initiated SLO
Others are in blank OAuth, OpenID, etc (let me know if that is maybe the problem, so which should be filled out.
Local and Outbound Authentication Configuration
Authentication Type: I tried with Default and Local Authentication = basic and password-reset-enforcer
This is checked:
Assert identity using mapped local subject identifier
Use tenant domain in local subject identifier
Use user store domain in local subject identifier
Request Path Authentication Configuration
basic-auth
Inbound Provisioning Configuration
SCIM Configuration
PRIMARY
Dumb Mode is not enabled
The rest is left blank
I have spent many days tracking this problem but no answers or are for older versions.
I tested with JDK 7 and 8 (latest of them) I'm working with WSO2 IS 5.2.0. Someone can lead me to a solution to use this application as the only entry point for my SPs? The idea after is to send back a SAML2 response to a page in the SP side that read the information and control the authorization part.
Thanks in advance.
You have configured for a SAML SSO scenario. Therefore your SP have to call the SAML SSO endpoint of WSO2 Identity Server with a valid SAMLRequest. That is https://hostname:port/samlsso.
AuthenticationEndpoint is just an intermediary application. SAML SSO endpoint is the one that should redirect the user to AuthenticationEndpoint after first processing the SAMLRequest. You must not call it directly.
Refer this to learn how to run a sample SAML SSO application with WSO2 IS. While running that, you can monitor the HTTP Request/Response flow using a tool like SSOTracer for Firefox and understand how the communication works.
In similar to SAML SSO flow, if you are using any other authentication protocol, you first have to call the protocol specific endpoint. E.g. If you are using OAuth2 or OpenIDConnect, then you should call /oauth2 endpoint. Never /authenticationendpoint directly.
I am working on implementing WebSeal single sign-on so that the user does not have to enter credentials for a particular web application if the user is already logged in via Windows authentication. Can anyone please point me in the right direction. I am new to Web Seal
WebSEAL has something called junctions. You can create webseal junctions and configure it to application webservers. Suppose if your SSO solution involves 3 applications, three webseal junctions has to be created. Webseal will act as reverse proxy in this case. So when a user trying to access anyone of the application, He will be challenged with a login screen from webseal. User will be authenticated against LDAP(u need to map your ldap in webseal) and his session will be maintained at webseal.Once authenticated user information will be sent to application servers via junction in HTTP headers. Now when user access other two application, he will not be challenged with authentication. His information will be sent to application servers directly via headers as webseal maintains his session.
For more info:
https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide16.htm
WebSEAL supports Windows single sign on using SPNEGO protocol & Kerberos Authentication. Read this link for configuration steps:-
https://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1359-00/en_US/HTML/am51_webseal_guide78.htm#sso-windows-desktop