I have JIRA, Confluence and Bitbucket deployed on my server behind Apache reverse proxy. Each of them is connected with others using Application links. Now, I want to add additional layer of protection by implementing HTTP Basic Authentication in front of this. When I do this, I lose connection between apps. How to configure Apache properly in order to have HTTP Basic Authentication in front of whole stack AND connection between apps?
Where did you configure basic authentication?
Normally Atlassian applications handle authentication themselves, so you should not have to configure anything in apache.
Application links use OAuth to handle authentication between applications and there are 2 flavors:
if both applications have the same set of users, you can use plain OAuth
if both applications have a different set of users, you can use OAuth with impersonation
More info is available in the Application Links documentation here.
Related
We are developing asp.net core applications that will require sending emails with gmail among other providers (client accounts). This applications will not be hosted by us but by many of our clients.
The application may be hosted on their domain or no domain at all (IP address only).
I am struggling with which authorization process I should use since I can not use the Javascript client or any redirect URI method due to unknown origin/domain. I also can not use localhost origin since there is no way for me to start a local http server from a browser. Programmatic extraction is deprecated. The only thing I am left with is manual copy/paste but apart from it being very user unfriendly Google documentation states that that might be deprecated in the future as well.
Am I missing something?
Please point me in the right direction as to how I should proceed.
I would like to check if my understanding is correct about the way to use Keycloak.
After Keycloak server is installed and running, we would have 2 options:
Use the javascript adapter in the application we want to authenticate
Use the mod_auth_openid to use Keycloak with Apache webserver
In the case of web application, since it must have an web server, does it mean only option 2 is available? And even if option 1 is available, should I use it?
It depends on the type of your application. If you want to provide your application as SPA (Single Page Application) using JavaScript, JavaScript Adapter will be good option. But if you want to provide it as traditional server-side web application which doesn't support standard federation protocol like OpenID Connect, mod_auth_openidc will fit.
Also keycloak provides several types of client adapters. You can check them with the following document.
https://www.keycloak.org/docs/latest/securing_apps/index.html#supported-platforms
In addition, if your application is already OpenID Connect or SAML 2.0 compliant, you can integrate with keycloak server without any client adapters because it based on open standard protocol which keycloak supports. Please refer the following document to understand securing your application.
https://www.keycloak.org/docs/latest/securing_apps/index.html#overview
I would like to know if it is possible for Mashery solution to expose backend services that are secured with OAuth 2.0 or Kerberos.
My idea is to hide this authentication by Mashery Traffic Manager, for the services that are secured with a basic authentication it works very well but for the rest I do not have connectors on my administration panel.
Thank you for your answers.
Apart from regular open ones and endpoints with API key authentication where key is passed as a query parameter(or feasible urlpath), as of now Mashery can handle the backends with Client SSL Certificate and HTTP Basic Authentication only, which you can set in in 'Security Settings' of the endpoints.
No oAuth2.0 is possible and I don't think they have any plans to implement it in recent future.
Is it generally possible to have a Microsoft Azure in the background to act as a SSO Authentication server for Apache auth?
The example is:
There are many users inside the Microsoft Azure
I have a Webpage on a Linux server served by Apache2
The webpage should be protected (exactly like basic-auth) by Azure (via SSO)
If the user is signed in into Azure and has rights, he can see the website
If the user is not signed in, he will be redirected back to Azure's login-page and after successful login will back to the webpage.
Is this generally possible?
If so what technologies/modules do I have to use for apache in order to speak with Azure?
Thanks for any hints towards the right direction.
Update
The Azure server is already fully configured. I just need to sort out the end on Apache.
I think what you are looking for is Azure Active Directory. it is an Identity as a Service product that supports modern protocols like OAuth, OpenID Connect. There's a client SDK called ADAL (Active Directory Authentication Library), but since it's standard protocols, you can integrate with other standard based authentication libraries. For example, the node.js tutorial shows how to use passport.
You didn't mention what web stack you are using but it's most likely listed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
On a side note: if you can host your app on Azure Web App Service then it has built in integration with Azure Active Directory, so you can add a layer of authentication on top of your website without modifying your application code.
More info on that here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
I've read some about authentication and authorization inside of asp.net web api and I've understood that i basically must use ssl in order for not letting people get hold of the authentication tokens. And if i'm not misstaken theese authenticantokens are sent inside of the header? and SSL hides theese headers for the public not to to catch up if they use some tools for internet listening? If thats the case i guess i could create a "custom" authentication by not allowing the api to run unless a specific header is sent with the api call? Which people shouldn't be able to catch up if i use ssl?
I realized I've used alot of questionmarks but it is just to illustrate where my unclear thoughts are, any help or input is highly appreciated, thanks!
Authentication, Authorization and securing the connection over SSL are 3 different parts of a web application.
Authentication
Basically authentication handles who you are. For example with a login you provide a user and a password. The application knows now, who you are.
Authorization
Authorization manages the access rights for the user. It says, on what you have access. For example if you've provided the correct credentials, you are authenticated, but maybe not authorized for everything.
SSL
SSL is securing the connection like you said. You can't sniff (with WireShark or Fiddler) the network traffic if it's over HTTPS. This is a setting on your IIS on which the web api application is running. You don't need to create a "custom" authentication.
I hope this helps.