Ok, I did some research and I will try once more to explain what I am looking for.
So my question is: can I make an OAuth provider server using Lambda and API Gateway? I didn't find any solution like this, and I don't even know how to start, so any ideas are valuable. And then I want to use API custom authentication to validate my bearer token.
I'll try to be as specific as I can:
I have my application where I store my logged-in users. I want to implement the OAuth 2.0 authorization code grant flow using only Lambda and API Gateway (something like Google OAuth, but my app wants to be the authentication provider). I found a couple of solutions like this: https://www.authlete.com/documents/article/custom_authorizer/index but I want to use my own authorization server implementation, and I don't want to specify api_key and secret_key in the Lambda auth implementation. So here are my questions:
1. Can I make my own authorization server using only Lambda and API Gateway? (I know there is an implementation in Spring, but for now I want a serverless solution.)
2. If I can, I would be glad of any tips because I'm really stuck.
There is a possibility that there are mistakes in my reasoning.
In API Gateway you can create custom authorizers to be invoked before the API method is executed. Normally you create a Lambda function that receives the authentication details and returns a Policy Document authorizing or denying the API method execution.
You can create a Lambda to perform the OAuth provider authentication and generate the Policy Document based on the authentication flow. You can get more information here.
I found the Keycloak RESTful authentication API in Postman, like this:
I know this API will return a Keycloak token if I give the correct username and password. But now I want to create a custom API to let Keycloak finish the authentication like this, so that I can obtain a Keycloak token.
I read the Keycloak docs, but I think the authentication SPI can't achieve this.
Is there a way to achieve this?
Adding a new API (REST endpoint) to Keycloak is possible, but you should not (and probably cannot) use it to add such a custom authentication. Keycloak as an identity provider is OAuth/OIDC compliant and the endpoints to get/exchange a token are all part of those specifications. So if you want to protect your API using a token provided by Keycloak, you should follow the steps specified in those specs. I suggest you read a couple of OAuth/OpenID Connect tutorials on the Internet or have a look at a post like this. You should first decide what OAuth flow matches your use case. Then you can go to the Keycloak console and configure clients for your applications. I guess you would probably need one for the caller and one for the service that is going to be called, so that they could authenticate themselves to Keycloak. I don't think that for your scenario you would need any customization on Keycloak.
I am building a RESTful API that allows users to access and manage their own resources programmatically (via cURL/HTTP) instead of using the dashboard we provide.
I have my own authorization server and resource servers, so there is no 3rd party involved. I am torn between using OAuth 2.0 and simple API keys. OAuth 2.0 seems like overkill, yet I don't want to release a public API and then change the authorization method in the future.
Is it possible to build a hybrid solution where users can log-in to the dashboard, generate a "refresh-token", specify the scope, then copy this refresh-token and use it in their own code to call the /token endpoint and get an access token?
This would be similar to OAuth 2.0 except that the authorization step is done directly by the authenticated user on the 1st party dashboard. Is this a legitimate solution? Do you have any other recommendations?
OAuth2 is for outsourcing user/password/MFA management and integration with social logins. You seem to manage users in your dashboard already. On that basis, issuing a manual access token as you described works, provided you sign it and verify the signature in the API/resource servers.
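As an added example (not code from either answer), here is a Python sketch of what the Lambda-authorizer answer and the answer just above both describe: a signed access token (HS256 JWT) that a dashboard or token endpoint issues, and an API Gateway Lambda authorizer that verifies the signature and expiry and returns the policy document. The SECRET value, the claim names and the methodArn in the test are assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumption: HMAC key shared by issuer and authorizer (constructed demo value; use a secret store).
SECRET = b"constructed-demo-key-do-not-reuse"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, secret=SECRET):
    # Compact HS256 JWT: header.payload.signature, each part base64url without padding.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, secret=SECRET, now=None):
    # Returns the claims on success and None on any failure; never raises to the caller.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm: rejects "none" and key-confusion tricks
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None  # constant-time signature comparison
        claims = json.loads(_unb64url(payload_b64))
    except (ValueError, AttributeError):
        return None  # wrong number of parts, bad base64, bad JSON or a non-object header
    if not isinstance(claims, dict) or claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired, or no exp claim at all
    return claims

def build_policy(principal, effect, method_arn, ctx=None):
    # The document shape API Gateway expects back from a Lambda authorizer.
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
            "context": ctx or {}}

def lambda_handler(event, context=None):
    # TOKEN-type authorizer: the event carries authorizationToken and methodArn.
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    claims = verify_token(token) if scheme == "Bearer" else None
    if not claims or "sub" not in claims:
        # Deny makes API Gateway answer 403; raising Exception("Unauthorized") yields 401 instead.
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(claims["sub"], "Allow", event["methodArn"], {"scope": claims.get("scope", "")})
```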
I have a background task that runs periodically which needs to connect to a customer's Apigee OAuth2-protected API. From my understanding of OAuth2, a user must go to a sign-in page on Apigee, and it will redirect to a return URL with a token. This is the way I have used it previously on website projects. But in this scenario there are no users, no website and no return URL; it is just some code making an HTTP request.
Is the above possible to do? Every Google search I make is all about users logging in manually and getting a token at a return URL.
I found some mention of 'Flows' and maybe there is some other 'Flow', but it's really hard to get a clear understanding of how it works because guides are focused on user-interactive websites.
OAuth 2.0 is an industry standard for authorization. OAuth 2.0 supports several authorization grant types, namely:
Authorization Code
Implicit
Resource Owner Password Credentials
Client Credentials
[Note that you may come up with your own custom grants as well if you are building or extending your authorization server; however, that is beyond the scope of this question.]
In the example you have provided, you are using the Authorization Code grant type, where you redirect to Apigee and get an authorization code. The Apigee server acts as the "intermediary between the client and resource owner" in OAuth 2.0 terms.
For your new requirement, you should consider using the Client Credentials grant type, where the client is provided a client key and a secret. The client has the responsibility of calling the authorization server (like Apigee in your previous example, or anything else), getting a token and then using that token in the subsequent requests.
I recommend you read the IETF standard for OAuth 2.0 to get a better understanding. Refer to https://www.rfc-editor.org/rfc/rfc6749.
Make sure to read up on "Roles" in this link before diving into the content of this document.
Good luck!
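An added example, not from the answer above, of the Client Credentials grant as a background task would use it: it builds the RFC 6749 section 4.4 token request with HTTP Basic client authentication (section 2.3.1), caches the access token and refreshes it shortly before expiry. The transport callable is injectable so the logic can be exercised offline; the token URL, client id and secret are constructed placeholders.

```python
import base64, json, time, urllib.parse, urllib.request

class ClientCredentialsClient:
    """Obtains and caches an access token via the client_credentials grant (RFC 6749 section 4.4)."""

    def __init__(self, token_url, client_id, client_secret, scope=None, transport=None, clock=time.time):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope
        self.transport = transport or self._http_post  # injectable: (url, headers, body) -> (status, text)
        self.clock = clock
        self._token = None
        self._expires_at = 0

    def build_request(self):
        # Client authenticates with HTTP Basic over form-encoded id/secret; nothing goes in the URL.
        creds = f"{urllib.parse.quote_plus(self.client_id)}:{urllib.parse.quote_plus(self.client_secret)}"
        headers = {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = {"grant_type": "client_credentials"}
        if self.scope:
            body["scope"] = self.scope
        return headers, urllib.parse.urlencode(body)

    @staticmethod
    def _http_post(url, headers, body):
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()

    def get_token(self, skew=30):
        # Reuse the cached token until it is within `skew` seconds of expiry, then fetch a new one.
        if self._token and self.clock() < self._expires_at - skew:
            return self._token
        headers, body = self.build_request()
        status, raw = self.transport(self.token_url, headers, body)
        payload = json.loads(raw)
        if status != 200 or payload.get("token_type", "").lower() != "bearer":
            raise RuntimeError(f"token request failed: {payload.get('error', status)}")
        self._token = payload["access_token"]
        self._expires_at = self.clock() + int(payload.get("expires_in", 0))  # no expires_in: refetch next time
        return self._token

    def auth_header(self):
        # What the background task attaches to each request to the protected API.
        return {"Authorization": f"Bearer {self.get_token()}"}
```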
I have a Web API application which implements the Resource Owner Password flow from the OAuth specification. Everything works correctly.
Actually, I configure everything in my WebApiConfig class by using an authentication filter like this:
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add( new HostAuthenticationFilter( OAuthDefaults.AuthenticationType ) );
As some of my customers asked for a different method of authentication, I am evaluating adding a couple of features to my services, but I still don't have a clear idea of how those features can work together.
In particular, I came across a link which explains in very easy words how to implement HMAC authentication in Web API.
Can I implement this authentication method and let the client choose which one he wants to use? Can they coexist together?
Yes, your web api service can send back multiple schemes in the WWW-Authenticate challenge. In your case it can send back 'bearer' and 'hmac' for example.
See also this question for more info on using multiple schemes.
BTW, it's not your web api service that supports Resource Owner Password flow. The client uses this flow to get a token from the authorization server that it can use in a bearer scheme with your service (resource server). HTH.
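An added example (not from the answer above, nor from the linked HMAC article) of a resource server accepting both schemes: the Authorization header is dispatched on its scheme name, and a 401 advertises both schemes in WWW-Authenticate so the client can pick one. The HMAC string-to-sign (method, path and an X-Date timestamp) and the two credential stores are assumptions.

```python
import base64, hashlib, hmac, time

# Constructed credential stores (a real service would back these with a database or secret store).
BEARER_TOKENS = {"constructed-opaque-token-1": "alice"}  # opaque token -> principal
HMAC_KEYS = {"key-alice": (b"constructed-hmac-key", "alice")}  # key id -> (secret, principal)
CHALLENGE = 'Bearer realm="api", HMAC realm="api"'  # both schemes advertised on 401

def _verify_bearer(credentials, request, now):
    return BEARER_TOKENS.get(credentials)

def _verify_hmac(credentials, request, now):
    # Assumed format: HMAC <key_id>:<base64 of HMAC-SHA256 over "METHOD\nPATH\nX-Date">.
    key_id, sep, sig_b64 = credentials.partition(":")
    if not sep or key_id not in HMAC_KEYS:
        return None
    secret, principal = HMAC_KEYS[key_id]
    try:
        sent_at = int(request["headers"].get("X-Date", ""))
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return None
    if abs(now - sent_at) > 300:
        return None  # stale or future-dated request: bounds the replay window
    msg = f"{request['method']}\n{request['path']}\n{sent_at}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    return principal if hmac.compare_digest(expected, sig) else None

SCHEMES = {"bearer": _verify_bearer, "hmac": _verify_hmac}

def authenticate(request, now=None):
    # Returns (status, principal_or_None, extra_headers); a 401 always carries both challenges.
    now = time.time() if now is None else now
    scheme, _, credentials = request["headers"].get("Authorization", "").partition(" ")
    verifier = SCHEMES.get(scheme.lower())  # scheme names are case-insensitive (RFC 7235)
    principal = verifier(credentials.strip(), request, now) if verifier else None
    if principal is None:
        return 401, None, {"WWW-Authenticate": CHALLENGE}
    return 200, principal, {}

def sign_request(key_id, method, path, now):
    # Client-side helper producing HMAC credentials in the assumed format above.
    secret, _ = HMAC_KEYS[key_id]
    msg = f"{method}\n{path}\n{int(now)}".encode()
    sig = base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()
    return f"HMAC {key_id}:{sig}"
```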
Currently, I'm working on a REST API which will be available to public clients, but I also want to use it in my mobile application.
For the public clients, I considered using the Client Credentials grant; in this case they would have to register their app in my web application, which will give them the client key and client secret; then they could request the access token with them, and I could also know the user related to the credentials.
But with my mobile application, I'll need to have a sign in section where I would need to use Authorization Code grant in order to secure my data, but I'm not sure if it's necessary.
Based on this, I have a couple of questions:
1. Is the Authorization Code grant the best way to do it?
2. Is it a bad practice to have two authorization flows in the same endpoint?
3. Dropbox, Twitter, etc. all have REST APIs; how do they manage authorization in their own apps?
Thanks beforehand and sorry for all the questions.
I managed to solve this with two alternatives and for the moment, I'm going with the first one.
1. Create an authorization server with a parameter that indicates what kind of authorization grant it is asking to use, and in this way I can decide which kind of flow to follow based on this. I followed the OAuth 2.0 spec for this, using the correct names and parameters to pass, in order to have a good way to authenticate our clients and applications.
2. Create an API gateway where I can send all the authentication requests for my APIs using Node.js, and there it will be decided which API is asking for authentication and which kind of authorization grant it's using. You can find more information about this here:
https://www.nginx.com/blog/building-microservices-using-an-api-gateway/