Kong for Web Apps - authentication

Newbie in Kong here. We have several web apps without authentication, in different programming languages and environments.
Our idea is to protect each web app (the web user interface) by securing it with a login screen (single sign-on). We want to use Kong since APIs are going to be developed and should be protected by Kong, too.
Ideally we can use our internal LDAP server to manage user credentials.
My questions:
Can we use kong to show up login screen for the web apps?
Do we need to modify our web apps for that?
How to make kong talk to ldap for getting user credentials?

For your questions
Can we use kong to show up login screen for the web apps?
There is no need to do that; for Kong authorization, most of the time you can send the details in a header, which Kong will use to authenticate.
Do we need to modify our web apps for that?
If you need to use the user info which Kong will pass in the header, then you need to modify your app to understand that.
How to make kong talk to ldap for getting user credentials?
You need to configure Kong server to connect to LDAP server. Details about that are provided on the Kong LDAP Plugin page
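The answer above says Kong forwards the authenticated user to the app in a header. What that looks like on the app side, and the check a practitioner should add, is shown in this added example (not Kong's code and not from the poster): a small WSGI upstream app that reads the identity header set by Kong's ldap-auth plugin, but only when the request came from a trusted Kong address and carries a shared secret that Kong injects. The header names, proxy addresses and secret are assumptions for illustration; if the app is reachable without going through Kong, an identity header alone can be spoofed by anyone.

```python
"""Added example (not Kong's own code): a WSGI upstream app that accepts the
identity Kong's ldap-auth plugin forwards in a request header, but only when
the request provably came through Kong.  Header names, proxy addresses and the
shared secret are assumptions for illustration."""
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping, Optional

# Identity header set by Kong's ldap-auth plugin on the upstream request
# (assumption: X-Credential-Identifier on current versions, X-Credential-Username on older ones).
IDENTITY_HEADERS = ("X-Credential-Identifier", "X-Credential-Username")
# Only requests from these addresses are treated as coming from Kong (constructed values).
TRUSTED_PROXIES = {"10.0.0.5", "127.0.0.1"}
# A shared secret Kong can add with the request-transformer plugin, so that even a
# mis-routed request cannot spoof the identity header (assumption, constructed value).
TRUST_HEADER = "X-Kong-Upstream-Secret"
TRUST_SECRET = "constructed-upstream-secret"


@dataclass
class Principal:
    username: str
    via_header: str


def resolve_principal(headers: Mapping[str, str], remote_addr: str) -> Optional[Principal]:
    """Return the authenticated user, or None if the identity header cannot be trusted."""
    norm = {k.lower(): v for k, v in headers.items()}
    if remote_addr not in TRUSTED_PROXIES:
        return None
    presented = norm.get(TRUST_HEADER.lower(), "")
    if not hmac.compare_digest(presented.encode(), TRUST_SECRET.encode()):
        return None
    for name in IDENTITY_HEADERS:
        value = norm.get(name.lower(), "").strip()
        if value:
            return Principal(username=value, via_header=name)
    return None


def _headers_from_environ(environ: Mapping[str, str]) -> dict:
    """Translate WSGI HTTP_* keys back into header names."""
    out = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            out[key[5:].replace("_", "-")] = value
    return out


def app(environ: Mapping[str, str], start_response: Callable) -> Iterable[bytes]:
    """Minimal upstream app: 401 unless Kong vouched for the user."""
    headers = _headers_from_environ(environ)
    principal = resolve_principal(headers, environ.get("REMOTE_ADDR", ""))
    if principal is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"not authenticated"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {principal.username}".encode()]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The source-address check alone is weak on a shared network; the shared-secret header is what stops a client that bypasses Kong from simply sending `X-Credential-Identifier: admin` itself.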

Related

Kong Api Gateway - How to setup authentication flows

I don't have much experience with API gateways. I've looked into (and set up) Kong with some auth mechanisms. For all of these the user details are added to Kong through their Admin API.
How do I set up a complex authentication flow with Kong? I.e., a user registers, some custom business code is run to validate the user, then an email is sent to them for confirmation.
The only way I see is having a microservice which talks to the Admin API. The UI would then simply talk to this microservice (which would in turn add users to the Admin API). Am I on the right path?
Using Kong Admin API you could create API consumers which then you can add authentication methods to (JWT, auth0 ...).
The way I have always implemented this was through my backend talking to the Kong Admin API. Of course, this means all your backend applications then have full access to the Kong Admin API, but that can be prevented by either having a proxy service on top of the Kong Admin API which only allows consumer creation and auth management (technically this can be your user service) or adding the Kong Admin API to Kong as a service and restricting the use cases (less secure, since any mistake might expose your Admin API).
One thing you should definitely avoid is to access kong admin directly from your frontend app.
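The answer recommends a narrow proxy (the user service) in front of the Kong Admin API that only permits consumer creation and credential management. This added example (not Kong's code and not the poster's) shows the deny-by-default allow-list such a service would enforce, with an injectable transport so it can be exercised without a running Kong. The Admin URL is an assumption; the `/consumers`, `/consumers/{name}/key-auth`, `/jwt` and `/basic-auth` paths are real Kong Admin API endpoints.

```python
"""Added example (not Kong's or the poster's code): a narrow "user service" that
fronts the Kong Admin API and forwards only consumer creation and credential
management, so backend apps never hold full Admin API access.  The Admin URL is
an assumption; the fake transport used in testing is constructed."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

KONG_ADMIN_URL = "http://kong-admin.internal:8001"  # assumption
_NAME = r"[A-Za-z0-9_.@-]+"                 # consumer username or id
_CRED = r"(key-auth|jwt|basic-auth)"       # Kong credential plugin endpoints

# Deny by default: only these method/path shapes are ever forwarded.
ALLOWED: List[Tuple[str, re.Pattern]] = [
    ("POST", re.compile(r"^/consumers$")),
    ("GET", re.compile(rf"^/consumers/{_NAME}$")),
    ("POST", re.compile(rf"^/consumers/{_NAME}/{_CRED}$")),
    ("GET", re.compile(rf"^/consumers/{_NAME}/{_CRED}$")),
    ("DELETE", re.compile(rf"^/consumers/{_NAME}/{_CRED}/{_NAME}$")),
]


def is_allowed(method: str, path: str) -> bool:
    """True only for the consumer/credential operations the user service exposes."""
    if "?" in path or "#" in path:          # no query strings or fragments through the proxy
        return False
    if any(seg in (".", "..") for seg in path.split("/")):  # no dot-segment tricks
        return False
    return any(m == method.upper() and pat.match(path) for m, pat in ALLOWED)


Transport = Callable[[str, str, bytes], Tuple[int, bytes]]


def http_transport(method: str, url: str, body: bytes) -> Tuple[int, bytes]:
    """Real transport: a JSON request to the Admin API (only used outside tests)."""
    req = urllib.request.Request(url, data=body or None, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def forward(method: str, path: str, body: bytes = b"",
            transport: Transport = http_transport) -> Tuple[int, bytes]:
    """Gate every call through the allow-list before it reaches Kong."""
    if not is_allowed(method, path):
        return 403, json.dumps({"message": "operation not permitted by user service"}).encode()
    return transport(method.upper(), KONG_ADMIN_URL + path, body)


def create_consumer_with_key(username: str,
                             transport: Transport = http_transport) -> Tuple[int, bytes]:
    """The one business operation the backend actually needs: consumer + API key."""
    status, _ = forward("POST", "/consumers", json.dumps({"username": username}).encode(), transport)
    if status not in (200, 201):
        return status, b""
    return forward("POST", f"/consumers/{username}/key-auth", b"{}", transport)
```

Anything outside the list (services, routes, plugins, deleting a whole consumer) gets a 403 from the user service and never reaches the Admin API, which is the point of putting this layer between backend apps and Kong.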

login with google oauth2 and using API to get contacts

I am starting to develop a web service and I want to enable login with Google using their OAuth2. However, when I started reading the requirements I saw that I need to authorize my domain and use HTTPS. I am in the very initial steps and I still don't have the domain set up and no certificate yet.
Is there any way to test google integrated into my site without all this? only for development phase?
Thank you

Okta API and Agent questions

We're building an IaaS platform for the media industry. We're just looking to verify a few areas of Okta's capabilities and how to manage them.
Okta is a web application for performing system administrative tasks against Active Directory repositories
Does Okta have such web application?
A demonstration of the web application
Is it possible to have a trial copy?
Authentication & Authorization via corporate AD
How do we set up the Okta AD Agent?
How do we use Okta API (to be integrated with our platform) to perform authentication against a corporate AD?
How do we use Okta API (to be integrated with our platform) to retrieve custom attribute information from corporate AD?
Thank you for your questions. Here are some resources to help answer your questions:
Our website has detailed documentation on how Okta works with Active Directory.
https://www.okta.com/resources/datasheet-ad-integration/
How to set up AD in Okta: https://support.okta.com/help/articles/Knowledge_Article/Okta-AD-Agent?_ga=1.41164711.449313748.1470873855
Furthermore, you can find further information on how to use the API on our developer help site: developer.okta.com

GWT User Authentication like Spring Security?

I use Google Web Toolkit together with PhoneGap to build a mobile app. My app is communicating over a REST API with my backend server.
What I want to do is a user authentication, i.e., my app user should be able to signup and login. If a user closes the app and reopens it, he should be authenticated again if he has not logged out before.
Usually, with Spring Security you do the authentication on the server by calling the required methods. The client (browser) then contains some cookie information for a persistent login.
1. How can I achieve this kind of authentication for my app?
2. Should I do the authentication as for a normal web site with the only difference that the authentication methods are called by the REST api methods?
3. Is there another way of doing the authentication for my mobile app?
I think user authentication for the mobile app will be the same as for a normal web-app.
The Spring backend will create a session once a user is authenticated. By default the user is authenticated for the duration of the specific session (until the user closes the browser/app).
Spring Security has a Remember-me functionality that is typically based on a cookie approach and allows the user to be re-authenticated automatically.
I don't know if PhoneGap works with cookies (see here for some pointers). I guess it depends on the platform (whether the webview supports cookies).
Maybe this will help you: I wrote an article that shows how to adapt Spring Security to secure REST services.
You can check it here: http://crazygui.wordpress.com/2014/08/29/secure-rest-services-using-spring-security/
I also posted a working example which shows how I did use that with GWT on GitHub.
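The answers above describe remember-me as a cookie (or, for a mobile client, any stored token) that lets the app re-authenticate after being closed and reopened. This added example is not Spring Security's implementation and not from either poster; it is a generic HMAC-signed remember-me token written in Python to show the pieces such a scheme needs: an expiry, a signature the client cannot forge, and a per-user value that is rotated on logout or password change so existing tokens stop working. The server key and the user salt table are constructed values.

```python
"""Added example (not Spring's implementation): an HMAC-signed remember-me token
of the kind the answers describe, issued after login and sent back by the client
on the next start.  A per-user salt lets logout or a password change invalidate
every outstanding token for that user.  Key and salts are constructed values."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SERVER_KEY = b"constructed-server-key"   # assumption: loaded from configuration in practice
# Per-user value mixed into the signature; rotate it to revoke all tokens for that user.
USER_SALTS: Dict[str, str] = {"alice": "salt-v1"}  # constructed
DEFAULT_TTL = 14 * 24 * 3600  # two weeks, a typical remember-me horizon


def _sign(username: str, expiry: int, salt: str) -> str:
    """HMAC over user, expiry and the user's current salt."""
    msg = f"{username}:{expiry}:{salt}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_remember_me(username: str, now: Optional[float] = None, ttl: int = DEFAULT_TTL) -> str:
    """Create the token the client stores after a successful login."""
    expiry = int((time.time() if now is None else now) + ttl)
    sig = _sign(username, expiry, USER_SALTS[username])
    return base64.urlsafe_b64encode(f"{username}:{expiry}:{sig}".encode()).decode()


def verify_remember_me(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is well-formed, unexpired, unrevoked and signed."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        username, expiry_s, sig = raw.rsplit(":", 2)
        expiry = int(expiry_s)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    salt = USER_SALTS.get(username)
    if salt is None or (time.time() if now is None else now) >= expiry:
        return None
    if not hmac.compare_digest(_sign(username, expiry, salt), sig):
        return None
    return username


def revoke_remember_me(username: str) -> None:
    """Logout or password change: rotate the salt so old tokens fail verification."""
    USER_SALTS[username] = secrets.token_hex(8)
```

The token carries no secret itself, so it can live in whatever storage the mobile platform offers; what matters is that the signature is checked with `compare_digest` and that revocation is possible server-side without keeping a list of every issued token.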

Accessing a WCF Service secured by ACS from javascript

I am looking to create a WCF (possibly WebApi) web service that sits on top of some of our existing code. Eventually this service will be used by external clients but we are going to start using it with our own mobile app.
As some clients will want to use Gmail and ADFS authentication it seems to make sense to use Azure ACS (this is where our webservices are hosted). However we won't need multiple providers for a while and we will start by using a custom STS that authenticates users against our existing authentication logic.
We already have a rough prototype of the above working using an MVC web application acting as the client.
My problem is how do I integrate this with a mobile application? It looks as if the mobile app will be written using Appcelerator, which means I need to authenticate using JavaScript. We only want users to authenticate to our custom STS, so would I need to use Active Authentication? I.e.:
1. Ask the user to enter username and password
2. Directly authenticate with the custom STS and retrieve a token
3. Pass the STS token to ACS and retrieve an ACS token
4. Pass the ACS token to the WCF service for each request.
I guess my questions are: am I on the right track, and if so how would I achieve this in JavaScript?
If you want to support mobile devices, it is recommended to provide a web-based login interface in your STS. In most cases, a mobile device will navigate to your STS's sign-in page in a web browser. After your STS authenticates the user, it sends claims to ACS. ACS in turn uses a JavaScript notification to notify the host application.
You can refer to http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_ACSAndWindowsPhone7 for a tutorial about working with ACS on Windows Phone. A similar process can be used for other mobile devices.
Hope this helps.
I think it is possible to issue SAML over an HTTPS request. As a starting point I'd suggest looking at the Thinktecture IdentityServer sources by Dominick Baier. This will help to understand different strategies and how you can use them (there are some goodies for WebApi on GitHub also):
http://identityserver.codeplex.com/