How to auto-enable Kong authentication plugin for new APIs?

We are using Kong in our custom-services deployment system and we developed a new authentication plugin for Kong to suit our specific need.
All of this works well and we tested it doing this:
1. Register a new API (service)
2. Make a POST request to enable the authentication plugin on the new API
While this works, it opens a window of opportunity for hackers to perform unauthenticated requests between 1. and 2. This is not acceptable obviously but I could not find a way to auto-enable the authentication proxy automatically.
Is there a way in Kong to either:
- Auto-enable a given set of plugins for all new APIs.
- Specify the list of plugins to enable when registering a new API.

Currently there is no way to automatically apply a plugin policy to an API at insertion time. There is another issue that could also help (but currently not implemented): https://github.com/Mashape/kong/issues/1279
Which would allow you to:
1. Add API, but enabled=false and no requests can be proxied to it.
2. Add plugins
3. Enable the API with enabled=true.
As of today, the only way would be:
1. Add an API with a fake upstream_url that goes nowhere.
2. Add plugins.
3. Update the API with a PATCH request to now point it to a correct upstream_url.
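The workaround above, as an added Node.js example that is not code from the question, the answer or the Kong project: it builds the ordered Admin API calls for both the naive order from the question and the placeholder-upstream order from the answer, plus a check that flags any plan which points the API at its real upstream before every plugin is attached. The Admin API address, the pre-0.10 `/apis` object schema and the placeholder upstream address are assumptions.

```javascript
// Assumptions, not from the original thread: Kong's Admin API is on
// localhost:8001 and exposes the pre-0.10 /apis objects the answer refers to;
// the placeholder upstream is a constructed loopback address nothing listens on.
const ADMIN_URL = "http://localhost:8001";
const PLACEHOLDER_UPSTREAM = "http://127.0.0.1:1";

// The order from the question: the API proxies to the real upstream, without
// authentication, from the first POST until the plugin POST lands.
function naiveRegistration(name, requestHost, upstreamUrl, plugins) {
  return [
    { method: "POST", path: "/apis",
      body: { name, request_host: requestHost, upstream_url: upstreamUrl } },
    ...plugins.map(p => ({ method: "POST", path: `/apis/${name}/plugins`, body: { ...p } })),
  ];
}

// The workaround from the answer: create the API with a dead upstream, attach
// every plugin, and only then PATCH in the real upstream_url.
function securedRegistration(name, requestHost, upstreamUrl, plugins) {
  return [
    { method: "POST", path: "/apis",
      body: { name, request_host: requestHost, upstream_url: PLACEHOLDER_UPSTREAM } },
    ...plugins.map(p => ({ method: "POST", path: `/apis/${name}/plugins`, body: { ...p } })),
    { method: "PATCH", path: `/apis/${name}`, body: { upstream_url: upstreamUrl } },
  ];
}

// True if some call points the API at a real upstream before the last plugin
// is attached, i.e. the plan leaves the window the question describes.
function hasUnauthenticatedWindow(plan) {
  const lastPlugin = plan.reduce((last, c, i) => (c.path.endsWith("/plugins") ? i : last), -1);
  return plan.some((c, i) => {
    const up = c.body.upstream_url;
    return Boolean(up) && up !== PLACEHOLDER_UPSTREAM && i < lastPlugin;
  });
}
// Run a plan against the Admin API in order, stopping at the first failure so a
// half-configured API is never pointed at its real upstream.
async function applyPlan(plan, adminUrl = ADMIN_URL) {
  const replies = [];
  for (const { method, path, body } of plan) {
    const res = await fetch(adminUrl + path, {
      method, headers: { "Content-Type": "application/json" }, body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${method} ${path}: HTTP ${res.status}`);
    replies.push(await res.json());
  }
  return replies;
}
```

Call `applyPlan(securedRegistration("orders", "orders.example.internal", "http://orders:8080", [{ name: "my-auth-plugin" }]))` with the real plugin name; `hasUnauthenticatedWindow` is meant for a deployment test that fails if a plan ever regresses to the naive order.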

Related

How to make REST API deployed to heroku accessible only through rapidAPI

Salutations!
I have just completed my first REST API, deployed on heroku, and I decided it would be cool to make $0 a month through rapidAPI.
The rapidAPI testing dashboard passes the tests successfully - with one of their keys being a requirement for an API call.
However, when I access the site on a browser or on Postman, there is no need for an API key and therefore no restrictions in get requests.
I have noticed that the test code makes a fetch request to the rapidAPI url for the project but how can I make the heroku url accessible only from rapidAPI?
I know it's extremely unlikely someone will find my heroku app url but it is technically possible.
I appreciate your time and insights.
RapidAPI provides 2 security features to support this:
- set X-RapidAPI-Proxy-Secret in the API Dashboard: this token is added in the X-RapidAPI-Proxy-Secret HTTP header for each request. You should validate this for every API call. This is the default measure in place.
- the list of IP addresses used by RapidAPI is provided: you can check/validate for every API call.
There might be a Heroku Addon to help with the IP filtering, but those are typically enterprise plugins (with associated cost).
RapidAPI allows you to add secret headers and/or query string parameters to API requests. The RapidAPI proxy adds these secrets to every request, but they are hidden from the API consumers.
Find more details in this page: https://docs.rapidapi.com/docs/secret-headers-parameters

How to use the eBay Browse API just to search for products via one server

I am trying to migrate from eBay Finding API to Browse API. My technical setting is quite easy:
A server searches the Browse API to find products by a keyword. That's it.
Does anybody know if I need to implement OAuth, a redirection page for eBay-Users to log in etc.? I don't need all those features..
Thanks!
You can use the Browse API with the client credentials flow that mints the Application access token.
Application tokens are general-use tokens that give access to interfaces that return application data. For example, many GET requests require only an Application token for authorization.
See Documentation
The client credentials flow does not require a user to log in via eBay, the redirect etc. However, you can only use the "GET" methods like getItem, getItemByLegacyId or search for example.
If you are using NodeJS or a browser you can check out the "Get Item" example here. (The library will get the Application access token automatically and return the result.)
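The client credentials flow described above, as an added Node.js example that is not code from the answer or from eBay's SDKs: the server mints an Application access token with its own app credentials (HTTP Basic auth, no user login or redirect page), caches it until shortly before it expires, and uses it for a keyword search on the Browse API. The endpoint URLs, scope and response field names are assumptions taken from eBay's public documentation; the client id and secret are placeholders read from the environment.

```javascript
// Assumptions, not from the original thread: eBay's production token endpoint,
// Browse search path and scope as documented for the client credentials grant;
// the client id and secret are constructed placeholders read from the environment.
const TOKEN_URL = "https://api.ebay.com/identity/v1/oauth2/token";
const BROWSE_SEARCH_URL = "https://api.ebay.com/buy/browse/v1/item_summary/search";
const BROWSE_SCOPE = "https://api.ebay.com/oauth/api_scope";

// Client credentials grant: the server authenticates itself with HTTP Basic
// auth built from its own app credentials; no user login or redirect page.
function buildTokenRequest(clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  const body = new URLSearchParams({ grant_type: "client_credentials", scope: BROWSE_SCOPE });
  return {
    url: TOKEN_URL, method: "POST", body: body.toString(),
    headers: { Authorization: `Basic ${basic}`, "Content-Type": "application/x-www-form-urlencoded" },
  };
}

// Keyword search on the Browse API, authorised with the Application token only.
function buildSearchRequest(accessToken, keyword, limit = 10) {
  const qs = new URLSearchParams({ q: keyword, limit: String(limit) });
  return { url: `${BROWSE_SEARCH_URL}?${qs}`, method: "GET",
           headers: { Authorization: `Bearer ${accessToken}` } };
}

async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`${req.method} ${req.url}: HTTP ${res.status}`);
  return res.json();
}

// Cache the Application token and re-mint it a minute before expires_in runs
// out; the client secret stays on the server and never reaches a browser.
let cached = null;
async function getAppToken(clientId, clientSecret) {
  if (cached && cached.expiresAt > Date.now() + 60000) return cached.token;
  const tok = await send(buildTokenRequest(clientId, clientSecret));
  cached = { token: tok.access_token, expiresAt: Date.now() + tok.expires_in * 1000 };
  return cached.token;
}

async function searchProducts(keyword, clientId = process.env.EBAY_CLIENT_ID,
                              clientSecret = process.env.EBAY_CLIENT_SECRET) {
  const token = await getAppToken(clientId, clientSecret);
  const data = await send(buildSearchRequest(token, keyword));
  return (data.itemSummaries || []).map(i => ({ id: i.itemId, title: i.title, price: i.price }));
}
```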

Spartacus Backend OCC login endpoint change

I have a question regarding the possibility to change the backend occ endpoint for the login.
In the default behavior, an auth object is created in local storage.
I changed the default login: '/authorizationserver/oauth/token' in the app.module to a different endpoint (/ourowntestserver/oath/token/test). After the change, the backend side works as it has before, but on the front-end side, the auth object is not available in the local storage anymore.
In the Spartacus source code I can see an OAUTH_ENDPOINT with the same endpoint '/authorizationserver/oauth/token', used in an open-id-token.service, but I am not sure if that service is responsible for actually saving the token and if I have to extend it in the storefront app along with its store(actions, effects, etc.) too.
Are there any other changes that have to be done for this to work, or am I doing something wrong? Is it possible that the issue could be still back-end related?
Any help would be appreciated.
I would start by inspecting ngrx actions in devtools. Look for LoadUserToken, LoadUserTokenSuccess and LoadUserTokenFail actions. Look at their payload to see if everything there looks ok. Maybe the structure of the response is different from the one returned by the default hybris OAuth server. Then you might need to create your own effect and handle the response a bit differently than we do by default.
The OAUTH_ENDPOINT is not currently customizable and it is being fixed right now for the 3.0 release. It'll have a new auth module structure and allow for easier replacement of the OAuth server.
open-id-token.service.ts is only used with the Kyma module, when apart from the access_token you also need the id_token from the OAuth server.

Adding header with username into request to backend in wso2 apimanager for all service

I am using apimanager 1.9.
I have already read this: Add header with username into request to backend in wso2 apimanager.
I am able to add and forward the username to the backend in wso2 apimanager for a specific service; but I want this for all services. I am modifying admin--<api_name>_<version>.xml for all services (50 services), which is very manual. Sometimes it leads to manual errors.
Is there a single-place configuration where I can set this (forward username to backend endpoint) for all services?
One more question - if I create and publish the APIs using "Publisher API" feature, is there a way to post something to set up the add header for each API?
Modify the velocity_template.xml which decides the template of an API. Please read my answer given to a similar requirement. You need to modify the relevant section in the velocity_template.xml.

How to use java socialauth in a stateless environment? (without the need to store SocialAuthManager in session)

I am developing a stateless RESTful API based on JavaEE 6 and it is important not to store anything in the session.
I am using socialauth java based social auth provider.
I would like to know if there is a way to rebuild SocialAuthManager after a successful authentication without having to retrieve it from the session as the documentation explains:
session.setAttribute("authManager", manager);
And then:
SocialAuthManager manager = (SocialAuthManager)session.getAttribute("authManager");
I want to avoid this.
I would like to do something like this:
SocialAuthManager manager = new SocialAuthManager(PARAMS TO REBUILD PREVIOUS AUTH WORKFLOW);
Thanks in advance.
I'm developing social auth with version 4.10 of this lib.
After the user gets the redirection URL and is authorized, I connect to the social service this way:
AccessGrant accessGrant = manager.createAccessGrant(network.getId(), params);
Optional<Profile> profile = Optional.ofNullable(manager.connect(accessGrant).getUserProfile());
manager.disconnectProvider(network.getId());
Where params are the params from the request to the success callback API. After getting the user profile I disconnect the manager so it can be reused. Also be aware of concurrency when using this method.