I am using kong as my api-gateway and using a plugin kong-oidc for authentication using keycloak. Authentication process is smooth and running fine. Now I want to add authorization for the requests made to kong for different microservices. I am planning to modify the kong-oidc plugin. I have created a confidential client, role-based policies and resource based permissions along with some users assigned with different roles in keycloak. I want to authorize a user if he has a permission to access a specific resource. I can do that by following request
http://keycloak-url/auth/realms/$realm/protocol/openid-connect/token \
-H "Authorization: Bearer "$access_token \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "audience=auth-client" \
--data "permission=af-resource" \
--data "response_mode=decision"
I am concerned with permission=af-resource. during the request I can not know the name of the resource but the requested url. Do I have to request to keycloak again to give me the resource-id for the requested-url and then send the above mentioned request for decision or there is another way? Or somehow i can use the information from token-introspection endpoint.
Related
Created a container with Postgrest (REST API to Postgres tables/views). Postgrest uses JWT authentication to derive user name to connect to the database. Basically a header with "Authorization: Bearer ". The container is deployed inside Kubernetes. To protect from unauthorized access is used Ambassador. Ambassador has basic authentication and requests user and password when trying to access the container.
Trying to access this configuration with Postman or curl can't make it work with both authentications active. So that Ambassador asks for user and password and after authenticating user the request proceeds with the JWT token used by Postgrest. Is there at all a way to do that?
Tried to put both authentications together as header "Authorization: Basic <username:password in base64>, Bearer ". Does not work.
Tried using Poorman's Bearer Authentication from here: API key auth for Ambassador . Also does not work.
Ended up using bypass_auth: true in the Ambassador mapping for the Postgrest container. Considering to try JWT filter in the Ambassador mapping (https://www.getambassador.io/docs/edge-stack/latest/topics/using/filters/jwt).
There are two levels of authentication in my API
Basic auth for the API domain (API hosted website is secured through a basic auth)
Basic auth for the specific API call.
I used the following call and domain level basic auth is working. But API call level basic auth isn't working.
curl https://example.com/test.json
-u "abc:abcd1234" // domain level authentication
-k -H 'Authorization: Basic erwf234werwrefdsf234245wewrwer==' // API call level authentication
-d 'data={}'
I do not believe you can it if both services require the same header for authorization.
Both methods (-u and -H) end up putting the information in the same header field (more detail is provided here: cUrls's option "-u" )
Additionally, here is a discussion about the use of multiple headers with the same name, as well as the option for some headers (but not Authorization) to accept multiple values as a list:
Multiple authentication schemes for HTTP 'Authorization' Header
I'd like to start/stop/restart VMs in GCP through scripts. There are OAuth2.0 and API key methods for this.
For OAuth 2.0, I can generate access token through "gcloud auth print-access-token" I get the key and it works.
I want to the same to work with API keys, but not able to find API key for "Compute Engine", there are service account, but keys.
curl --request POST \
'https://www.googleapis.com/compute/v1/projects/xxxx/zones/xxx/instances/xxx/stop?key=[YOUR_API_KEY]' \
--header 'Accept: application/json' \
--compressed
what I am missing?
thanks.
You cannot use an API key for this purpose. This is because the GCE API needs to know who is sending the request1 but the API key doesn't provide this information.
API keys are used when an API can be accessed by anyone, for example a Google Maps box embedded in a website, but usage needs to be accounted to one particular customer.
1 Identity is needed to enforce IAM permission, collect audit logs and other such tools.
Is there a way to retrieve Auth0 logins to a particular client? I have a common set of users across 2 different clients (2 different applications) and would like to get at the login data separately.
You can use the management API to retrieve the logs by client ID, like so:
curl -H "Authorization: Bearer $TOKEN" https://your-tenant.auth0.com/api/v2/logs?q=client_id%3Aexample-client-id
Here are some doc links on getting started with the Auth0 Management v2 API, including how to get a Bearer token:
Management v2. docs
Management v2. tokens
I am developing an app to access its own resources via Rest endpoints.
Users are required to acquire access token via email/password. After completed Authentication server configuration, I had this observation:
With:
curl client:secret#localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password
I am getting the correct response:
{"access_token":"7541a4f6-e841-41a0-8a54-abf8e0666ed1","token_type":"bearer","refresh_token":"d3fdd7e3-53eb-4e7b-aa45-b524a9e7b316","expires_in":43199,"scope":"openid"}
However With:
curl http://localhost:9999/uaa/oauth/token -d grant_type=password -d username=user -d password=password -d client_id=client -d client_secret=secret
I am getting the following error:
DEBUG 4123 --- [nio-9999-exec-7] o.s.s.w.a.ExceptionTranslationFilter
: Access is denied (user is anonymous); redirecting to authentication
entry point
org.springframework.security.access.AccessDeniedException: Access is
denied at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
It looks like the client_id & client_secret are not being recognized when send as parameters. Is this a configuration issue or to do with the version of OAuth2 I am using (spring-security-oauth2, 2.0.5.RELEASE)
A lot of example I come across on the Internet suggest approach one should work with OAuth2.
Thanks :)
There's no method of authenticating the Client against the Authorization Server that is mandatory to implement by spec. Two methods that have been specified that MAY be supported are the HTTP Basic Authentication pattern and the HTTP POST parameter pattern that you've used in your examples. Apparently Spring supports only the first, which seems to be supported by the docs at: http://projects.spring.io/spring-security-oauth/docs/oauth2.html
Yes, lots of examples show the client credentials being passed as form parameters, but it turns out that approach is not recommended, while passing the credentials using "Basic" authentication via the HTTP Authorization header is standard.
Section 2.3.1 of RFC 6749 says
The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
And further says
Alternatively, the authorization server MAY support including the
client credentials in the request-body using the following
parameters:
client_id ...
client_secret ...
Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes).
In my experience, however, there are some servers that, in violation of the RFC, will not accept HTTP Basic authentication and will only accept form parameters in the body.