MobileFirst 7.1 OAuth Token Request - ibm-mobilefirst

I am trying to use MobileFirst Server as a OAuth Server. The knowledge center provide detail step on how any external application can validate the token sent by Mobile client via MobileFirst Token validator end point. But not able to find proper documentation for request a new authorization token from mobile client from MFP Server.
In development environment we have a testtoken endpoint.
http://localhost:10080/OAuthExternalServer/authorization/v1/testtoken
{ "Authorization": "Bearer eyJqcG ......... }
How to get similar token from MFP production server on mobile client.
MFP Version: Server version: 7.1.0.00.20170330-0917
Thanks

With the OAuth security model, MFP server is your OAuth token provider. Upon completing the challenge server gives you an OAuth token. You need not do anything special in the ChallengeHandler for OAuth token. Refer to the samples here: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.1‌​/authentication-security/
If you are looking to use OAUTH for authenticating an external resource , refer the steps here https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.0/authentication-security/using-mobilefirst-server-authenticate-external-resources/
Here is an example token validator which uses introspectionData to validate https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/protecting-external-resources/jtv/
Basically Introspection Endpoint can be invoked to validate the token provided by MFP server
General OAuth flow with 7.1 for a default flow can be referred here https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/7.0/authentication-security/authentication-concepts/oauth-based-security-model/ .

Related

How can I integrate Google and Microsoft authentication with JWT Token in Blazor Webassembly?

I have a Blazor Webassembly app (Asp Net Core hosted).
I secured my app using JWT Token. Client makes a request to Server and if the request is valid, server sends JWT Token to client and token is saved in local storage. Client reads the token in storage and this way authentication is handled.
I followed the following practice from Chris Sainty :
https://chrissainty.com/securing-your-blazor-apps-authentication-with-clientside-blazor-using-webapi-aspnet-core-identity/
Now I want to enable users to login app with their Google or Microsoft accounts. What would be the best approach for this?
I tried Google and Microsoft authentication on server-side but I couldn't pass the token to client. (because there is no request from client..)
Your response exist in these links:
Google Authentication by OIDC
Microsoft Account using MSAL
But the details requires studying related Service and js files.
You can study sources of Remote Authentication Service in Github for both oidc and msal in following sites:
Web Assembly Authentication Service
Personally I suggest you to use Microsoft Account which also allow authentication through Google and other providers too. Altough oidc provider is more oidc than msal approach. Microsot implemented Code Authorization flow in msal while Google uses implicit token flow (do not forget that these happen in client side). There is two different js files for implementing the underlying requests so I do not think even the combining them work in this way. May be it is better you code it your self by implementing an authentication state provider which uses JS Interop.
You also can see following example which may help you by DotNet guys:
Example of Web Assembly

As a client how do I request an access token from the Identity Server using client ID & secret then use the token to gain access to the API?

Hello new to stack overflow and programming.
I have a simple ASP.NET Core web app and am using ngrok to host my app, and I want to be able to call to a company's identity server so that I have an access token to be able to access their API and create Webhooks to receive notifications for different events.
I already have a
clientID
Secret
URL (given by ngrok)
for the request body to receive the response.
How do I go about doing this?
You need to use Microsoft authentication libraries to achieve this.which is very easy to implement.
MSAL Library is just an implementation for enabling developers to acquire tokens from the Microsoft identity platform endpoint.
Since you already have ClientID, Secret and Redirect URL you can get a token as Acquire a token and call Microsoft Graph API.
However, I think what you really want is to integrate AAD. You can easily enable AAD authentication for your .NET web application. It uses OWIN middleware.

How to use Firebase Authentication with Okta?

I am currently using Firebase Authentication in my app using the built-in OIDC providers (Google, Facebook etc.). Is it possible to use Okta as an additional OIDC provider with minimal modifications to my app, meaning Okta should behave just like any other built-in provider? Firebase Auth apis, such as firebase.auth().currentUser and firebase.auth().onAuthStateChanged() should still work.
The doc page for Custom Authentication talks about getting a custom token from an auth server, but does not clarify if that's an OAuth access token. Is there an example of Okta integration or a generic OIDC integration that works seamlessly with Firebase auth?
There's no built-in Okta provider for Firebase Authentication, but if you have an existing authentication flow for it, it's fairly easy to integrate it into Firebase as a custom provider.
It's a 6 step process:
You gather the user credentials on the client.
You pass those credentials to a trusted environment, either a server you control, or Cloud Functions.
On the server you verify that the credentials are correct according to Okta, typically by calling a server-side API they provide with a key you provide.
You then use the results of that call to mint a new ID token for the user. This is a JWT, not an OAuth access token.
You pass back that ID token from the server to the client.
The client then calls firebase.auth().signInWithCustomToken(token) with the ID token, to sign in to Firebase Authentication.

What is the needed configuration for OAuth 2 authorization with upstream JWT authentication?

I would like to design a micro-services architecture with IBM connect where the outside clients need to pass a Bearer access token in an Authorization header (OAuth 2) and the gateway will pass a stored JWT (generated and stored during authorize call) with the authorized user's claims to the internal APIs.
Is there such a built-in configuration?
(For reference, WSO2 provides this exact behavior: https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT)
There is not such built in feature in IBM API Connect.
A possible implementation for the scenario that you mention, in IBM API Connect, could be:
An OAuth Provider API that contains the authorization and token endpoints of an OAuth flow (IBM API Connect has a built-in OAuth server) Implement an OAuth API Provider
The API that acts as a proxy of the backend microservice, secured by the OAuth provider API created before (so that way, access tokens are required to send requests to this API). In this API, implement a jwt-generate policy (which is a built-in policy in IBM API Connect) to generate JWT tokens. jwt-generate built-in policy
In this implementation you can add custom information to the access tokens generated by the OAuth provider API (such as the logged in user in the application, device id....), and use those values as claims when generating the JWT (oauth.resource-owner, client-id of the consumer application sending the requests....)

Adding OAuth 2.0 authentication to a RESTful API

I have an API that requires authentication via OAuth 2.0. I originally anticipated using HWIOAuthBundle, however from investigation this is more to do with hooking up 3rd parties into Symfony's security/auth mechanism and does not provide the required mechanism for validating OAuth 2.0 Authorization headers.
I then found some information about FOSOAuthServerBundle which enables an application to become it's own OAuth 2.0 provider as well as providing the required security mechanisms to validate Authorization headers.
However the problem is that I would like integrate the OAuth 2.0 provider (authorisation server) in an external application (which contains the user base) and not include it within the API. Which will provide some mechanism for performing the token verification against this external app via (another) RESTful API.
Points:
RESTful API requires OAuth 2.0 authentication.
OAuth 2.0 authorisation server to be situated in a separate application.
I feel I should use Implicit grant and call the authorization server on each request to validate that the token is correct.
Is my thinking correct?
As far as I undesratnd your requirement, you require to authenticate your APIs via external OAuth Authorization Server:
Client needs to provide the access token retrieved in the above steps
along with the request to access the protected resource. Access token
will be sent as an authorization parameter in the request header.
Server will authenticate the request based on the token.
If token is valid then client will get an access to protected resource otherwise access is denied.
here is an example which might help you to achieve your requirement. Check this document .
Or simply, you can do with Jersey and Oauth
Also, you can check Apache Oltu and figure out the way to achieve your requirement.
A lot of the big companies like Google, Facebook etc have a separate authorization server from the API server. Check out Google's OAuth authorization flow below
You can also check Google's OAuth Documentation for the details.
So all you would need to do is implement a OAuth Provider so that you can authorize against that provider. There's a list of libraries available on the OAuth website: http://oauth.net/code. You can specifically look here; there is an example for running an OAuth Service Provider in Java.
oAuth can most definitely be a server other than your application server. Below is a picture of what the authentication sequence would look like:
-- Obviously, if the forum can't decode or validate the token, the forum would return a 401 status code instead of a 200 status code.
As long as your oAuth server & the Forum share the same public key, you're more than okay with splitting your oAuth Server & your application.
In fact, take a look at jwt.io. Paste the token you get from the oAuth server into there. It should be able to decode the token right away. Then, you can put your public key into the 'secret' text box to verify the token is verified.
Your application (Forum, in this example) should be able to do the same:
1) Grab the token from the Authorization header of the request
2) Decode the token
3) Check the expire date
4) Verify the token using the oAuth's public key
5) Return successful status code or a failure status code