My WCF service will receive incoming SOAP requests containing signed SAML assertions and the only thing I'll have to validate these is a public key given to my by the calling organisation. I want to configure the service to automatically authenticate the incoming request sigs using the public key. I don't have a STS or access to the calling organisations STS.
I've read tonnes of articles on configuring similar, but not this exact scenario. I'd appreciate a link to the right article.
Thanks in advance.
Related
What is the best pattern to implement JWT authentication (mTls is not the option for us) between microservices for publicly exposed endpoints?
Say, there is a user registration endpoint that is unprotected obviously but in turn it will call some other internal microservices to setup user data and those endpoints are protected.
All is that coming to my head is just use self signed service JWT tokens (i.e. service account).. But are there any other modern alternatives?
Thanks in advance.
I am currently building an API based around a microservices architecture.
I am using JWT to authenticate users. I understand that when a user sends a login request a JWT containing the users identity and their roles/permissions etc is returned. This token is then sent with the users subsequent requests to tell the server who is sending the request. I think this is the correct understanding.
In a normal monolithic architecture this works well as explained. How can I transfer this to a microservices architecture to establish trust between microservices.
I could forward the users JWT to downstream microservices simply but this doesn't allow the downstream microservice to know who/which upstream microservice is sending the request.
An example would be I have a location microservice. I want to allow the restaurant microservice to make calls to the location microservice. But I also have a product microservice that I do not want to be able to call the location microservice.
Obviously I could just not code the product microservice to call the location microservice but this doesn't stop someone else from doing so.
Any suggestions?
You can make the communication between microservices secure atleast by following two methodologies :
JWt token : Let assume micro service A wants to communicate with micro service B, then the token issued by A and the audience of the token is B. In that case the token is signed by micro service A with its private key. The aud field in JWT will represents the audience, it can be a single service or a set of services. The value of aud parameter should be a pre agreed value between the services. In micro services you can use the regular expression to validate the audience. For example aud can be *.samplemicroservice.com. Audience service B can check whether token is intended for it or not by checking the aud field. Once confirmed it can use issuer's public key to verify it.
Mutual SSL : The straight forward way to achieve it is to use mutual ssl between services. Each service should have SSL enabled and should presents its certificate to the the other service and other service should check the validity of the certificate with a trust store. This should be validated at both microservice A and microservice B to reach a mutual agreement. A self signed certificate can be used as root CA for all services certificates and can be accessed through a trust store.
There can be many variations of these mechanism. Specifically in case of JWT token. For example, You can delegate the token issuing responsibility to one service and can validate token in each of the service using public key of issuer service.
Here you have two different problems to solve!
1) User authentication/authorization:
Yours downstream services services should pass the user JWT token to services upstream (dowstream depends on upstream, the downstream is more near of the frontend). This way all services can validate the JWT token, and we can garantee that the token is unchanged.
2) Micro services authorizarion:
This is the second scenario you have, you need to garantee the trust relation between microservices and the authorizations to access a resource. In this case, ever microservices do you have shoul be a client (act as user), in a auth service (key cloak, Authservice...) and before send a request to any upstream dependecy, it should be authenticated, and send his own JWT token, in this way the destination microserveice (the called one) can validate and alow or not alow the caller to access the resource, and later, check the end user credentials.
This kind of approuch can be achieved using the client credentias autorization flow (https://oauth.net/2/grant-types/client-credentials).
See this article: https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot
I guess this solution to this should be that JWT should be passed to the gateway layer / Aggregator / Facade layer.
At this layer, just decode the JWT and set the data in the DTO(any Java Class), so that same is accessible easily.
Now, when this information needs to be passed to any service, these should be passed as params as anyhow API at the service layer should be generic.
Now if you want to establish trust b/w services, you can simply check the parameters as the services are anyhow should not be exposed outside apart from aggregators.
Hope I am making sense.
I have to implement public WCF service which can be consumed by known client. I also want to authenticate client using custom identity (not windows authentication).
I have explored WCF security for authentication with custom Username and Password. Since I have to implement the solution for Hetrogenious network, I cannot use windows authentication.
I have found two ways through which we can incorporate custom authentication in WCF. I have few queries on each of the approaches as below.
1) Through "UserNamePasswordValidator" class. We can create custom username password validator and validate user from the database. This approach is perfectly fine to implement SSO (Single Sign On) as each request has credentials in SOAP header. Client doesn't have to validate himself before each request.
Questions:
Is this approach is easily extensible for Authorization as well? Since authentication happens before service call by getting credentials from the SOAP header. Also credentials are not a part of ObjectContext, I have feeling that authorization approach is not straightforward.
To follow this approach we need to use Brokered Authentication pattern and for this we need third party certificate. Is this advisible to go with this approach as we have to add cost of certificate in a project.
If we use message security to encript the message why we need a certificate? Just for Client identity? Cann't we just use self signed certificate in production since we know who will consume this service?
2) Through "ServiceAuthenticationManager" class. I know only one approach using this class and that is to implement solution using Direct authetication pattern. Also after authenticate user, we need to supply it's identity or token through custom header for all subsequent request coming to service to implement SSO (Single Sign On)
Questions:
Is this a valid approach for public service? Should we enforce user to supply credentials (or token once provided by our service once it is authenticated) via custom header in each request?
This approach doesn't required certification and so we can save its cost to the project. Is this enough reason to pick this approach?
Personally I feel the first approach is easy to implement and it is more standard way to implement authentication in WCF service but the only problem is we need third party certificate.
Please answer my query and if possible suggest the best approach for my requirement.
Thanks,
Ankur
I have a WCF service that uses UserName authentication via ACS. This works great when I'm using Service Identities but when I try to use my Windows Live ID credentials I get the following error:
System.ServiceModel.FaultException: ACS10002: An error occurred while processing the SOAP body. ACS50012: Authentication failed. ACS50026: Principal with name 'louis#arsunica.com' is not a known principal.
Unfortunately I've yet to find an example of how one uses Windows Live ID with a WCF service. The only examples I could find seem to be focused on integrating multiple identity providers with ASP.NET or MVC websites.
Any help in this regard would be greatly appreciated....
ACS won't authenticate your Live ID username and password directly. ACS acts as a federation provider for Live ID, it's a go-between, so it will only consume tokens issued by Windows Live ID. ACS supports Live ID authentication out of the box in passive (browser redirect) based scenarios but for a WCF service you might consider using Live Connect APIs instead.
To use LiveID with your service, your client first authenticates itself to LiveID, and then presents a LiveID-issued token to your WCF service. Brace yourself though, there would be some hoops to jump through to set all of this up.
To use the Live Connect APIs, you would register your WCF service as an application with Live ID. Clients that consume your WCF service would then need to be capable of handling the web based login page and user consent pages that Live ID will prompt. The docs below are a good start
http://msdn.microsoft.com/en-us/library/hh243641.aspx
http://msdn.microsoft.com/en-us/library/hh243647.aspx
http://msdn.microsoft.com/en-us/library/windows/apps/hh465098.aspx
The next problem is the token you'll get from Live Connect will be in JWT (JSON Web Token) format. I'm not sure if you can request a different token format from live connect, but if your WCF service authentication is WIF based, it most likely expects SAML tokens. JWT is a rather new token format that WIF doesn't yet support so you would have to configure a WIF SecurityTokenHandler on your service that understands JWT tokens. The third link above has some code for reading JWTs, which is a start at least.
How to implement authentication security in WCF?
Means if any user is registered, than only be able to use service.
One way:-
Like, a mobile application at the time of installation update unique key with application Database.
So when client tried to connect with WCF service and if the key match then only be able to connect with service.
I want to know is there some other way to prevent unauthorized access for service?
You can read through this link Programming WCF security.
Read this link to Implement CustomUserNamePassword Authentication
You can configure your bindings to perform CustomUsernamePassowrd Authentication where you validated if the username and password are valid and if so you grant access to the service else deny.