I started using Alfresck SDK (All in one) the latest version. I am trying customise authentication in Alfresco. I configured a new authentication using documentation: authentication but I want to provide JWT Token base authentication.
When I try to pass through a http header: Authorization: Bearer mytoken - it is cought by BasicHttpAuthenticatorFactory from child class RemoteUserAuthenticatorFactory and it says that it is not supported.
How to pass my own bearer token and then invoke: public Authentication authenticate(Authentication authentication) throws AuthenticationException method? I does not see documentation for adding new own servlet filters.
Assuming you are running a 5.x version (4.something may also work) of Alfresco and your Servlet container supports the Servlet 3 spec (Tomcat 7 shipping with Alfresco 5.x is fine), then you can add a Servlet filter by following the spec - annotation or web-fragment based.
Not quite sure about your scenario, but I added OAuth authentication to Share w/o leveraging the Servlet API. Wired a custom Authentication Component into the chain and added a bunch of tweaks (LoginController etc.) to Share
Related
I'm building a web application; the frontend is a SPA using Angular8 and the backend is an ASP.NET Core 3.1 Web API.
The application already has its own authentication scheme, setup using JWT Bearer tokens.
Now I need to add the ability for the backend to sync events on the Office365 calendar of the users. The requirements are:
Users should login to their Microsoft Office365 account on the frontend;
The frontend should "save" the results of the authentication on the backend, allowing the backend to periodically interact with the Micosoft Graph API.
In the (rare) case for some reasons the authentication must be renewed (for example different rights/scopes are required), the backend will notify the frontend that a new login is required.
I am currently able to perform a successful login in example applications using MSAL.NET and msal-angular, but what I cannot do is to pass the result of the authentication I get from msal-angular to .NET and use it to proceed with further calls and token renewals.
I am thinking about modifying/extending the msal-angular library to support the MSALv3 cache serialization scheme used in MSAL.NET and sending the cache to my web app, but it seem a very complicated and fragile (I see the internals of those libs are not stable across versions).
So, is this use case supported in some other way by MSAL? Should I use some different libraries?
You can go through the following docs to see if they are helpful in your scenario.
Acquire and cache tokens using the Microsoft Authentication Library (MSAL).
Single-page application: Acquire a token to call an API
Get a token from the token cache using MSAL.NET
Initialize client applications using MSAL.NET
Background: The only experience I have with authentication are normal form-based logins, the typical username, and password to a controller with a redirect or using JWT with a regular login. I would like to use Laravel Passport to achieve the same thing.
I need to create a SAAS app using Vue with Laravel Passport (Laravel 6x with Dingo API).
The app needs to be multi-user with roles and permissions.
I've read that the best methodology is to use the "Authorization Code Grant with PKCE" for a SPA.
The problem that I've run into is that my Vue app sets up the code challenge etc. Requests the authorization code, then gets directed to the Laravel log in page, but as soon as I log in, I get the following screen:
Is there any way to bypass this? (I tried using a custom client with skipsAuthorization, but that doesn't seem to work)
Am I using the correct OAuth flow?
In the Laravel Passport documentation, there are the following:
Password Grant Client: This requires a secret though, so I don't see how I can use this?
Implicit Grant Tokens: This is now discouraged and should not be used.
Which only leaves Personal Access Tokens. But is that the correct "flow" to use?
PKCE should be used according to RFC 8252. I guess a stand alone public SPA can be considered in the same terms as a native app, in that there is no way to store a client secret.
Section 6 requires that both clients and servers use PKCE for public
native app clients. Authorization servers SHOULD reject
authorization requests from native apps that don't use PKCE by
returning an error message, as defined in Section 4.4.1 of PKCE
[RFC7636].
I've read the RFC above and it helped me wrap my head around it. I think the documnetation for PKCE in the Laravel docs are a bit strange (assuming a PHP client for example).
As you said, implicit grant tokens is not recommended anymore (RFC 8252 #8.3):
The OAuth 2.0 implicit grant authorization flow (defined in
Section 4.2 of OAuth 2.0 [RFC6749]) generally works with the practice
of performing the authorization request in the browser and receiving
the authorization response via URI-based inter-app communication.
However, as the implicit flow cannot be protected by PKCE [RFC7636]
(which is required in Section 8.1), the use of the Implicit Flow with
native apps is NOT RECOMMENDED.
I've setup a SPA with a working PKCE-flow. I created a new client model which I then use to skip the dialog you mentioned above.
AuthServiceProvider:
<?php
namespace App\Providers;
use App\Passport\Models\PkceClient;
use Laravel\Passport\Passport;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
{
/**
* The policy mappings for the application.
*
* #var array
*/
protected $policies = [
'App\Model' => 'App\Policies\ModelPolicy',
];
/**
* Register any authentication / authorization services.
*
* #return void
*/
public function boot()
{
$this->registerPolicies();
Passport::routes();
Passport::useClientModel(PkceClient::class);
}
}
App\Passport\Models\PkceClient:
<?php
namespace App\Passport\Models;
use Laravel\Passport\Client as BaseClient;
class PkceClient extends BaseClient
{
public function skipsAuthorization()
{
return $this->firstParty();
}
}
As a sidenote it should be stated that the dialog should not be skipped for clients that is not trusted according to the RFC 8252 8.6
8.6. Client Impersonation
As stated in Section 10.2 of OAuth 2.0 [RFC6749], the authorization
server SHOULD NOT process authorization requests automatically
without user consent or interaction, except when the identity of the
client can be assured. This includes the case where the user has
previously approved an authorization request for a given client id --
unless the identity of the client can be proven, the request SHOULD
be processed as if no previous request had been approved.
Measures such as claimed "https" scheme redirects MAY be accepted
by authorization servers as identity proof. Some operating systems
may offer alternative platform-specific identity features that MAY
be accepted, as appropriate.
I'd like to create a new application based on HIPPO CMS and expose my custom business REST API in HIPPO HST(Delivery) application. On the other hand, application implemented with AngularJS will consume these REST API.
Right now I don't understand which authentication mechanism(out of the box with HIPPO CMS) should be used in order to get secure access from AngularJS application to secured Rest endpoints in HST.
Could you please describe how it should work and what an approach in HIPPO CMS should be used for this purpose ?
We have documentation on that. Default it is protected with basic authentication against repository users. You can also define a custom CXF JAXRSInvoker.
From our docs:
"By default the RepositoryJaxrsService will configure every REST endpoint to be basic authenticated against the Hippo Repository, using the provided username and password to (only) login to the repository. The authentication (and authorization, see further below) handling is configurable and overridable, per REST endpoint when using a CXFRepositoryJaxrsEndpoint builder. The authentication, and optional authorization, is handled by a custom CXF JAXRSInvoker providing pre/post processing of a request invocation. The default authentication is provided by the AuthenticatingRepositoryJaxrsInvoker, which enforces a repository login before proceding with the request handling. The CXFRepositoryJaxrsEndpoint builder allows configuring a custom JAXRSInvoker,"
I suggest you reference the documentation on the onehippo.org site. It has the latest information as well as historical references for previous versions.
http://www.onehippo.org/library/concepts/hippo-services/repository-jaxrs-service.html
I have a web api application which implements the Resource Owner Password flow from OAuth specification. Everything works correctly.
Actually I configure everything in my WebApiConfig class by using an Authentication filter like this
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add( new HostAuthenticationFilter( OAuthDefaults.AuthenticationType ) );
As some of my customer asked for a different method of authentication I am evaluating to add a couple of features to my services but stil did not have clear how those features can work together.
In particular I cam across a link which explain in very easy words how to implement a HMAC authentication in web api.
Can I implement this authentication method and let the client to choose which one he want to use? Do they can cohesist together?
Yes, your web api service can send back multiple schemes in the WWW-Authenticate challenge. In your case it can send back 'bearer' and 'hmac' for example.
See also this question for more info on using multiple schemes.
BTW, it's not your web api service that supports Resource Owner Password flow. The client uses this flow to get a token from the authorization server that it can use in a bearer scheme with your service (resource server). HTH.
I implemented a web service with JAX-WS, and my service client is implemented with JAX-WS too, and the client can talk to service with WS-Security username token profile authentication.
Now I want to deploy this service to JBoss 4.2.3 and want to replace the custom authentication with Java EE container authentication.
I read some documents on JBossWS, and did some configuration by changing/adding web.xml, jboss-web.xml, jboss-wsse-server.xml, login-config.xml. But JBoss always sent 401 response to the client (the client SOAP request contained correct username token profile header in it).
Any help is appreciated.
Is that possible to implement such requirement via JBoss configuration?
Or show me a simple example/steps for configuring JBoss for authentication with WSSE username token profile.
Or how can I debug what's the problem with my current JBoss configuration.
Answering my own question, here's a step-by-step tutorial available:
http://community.jboss.org/message/338347