3-legged OAuth with WSO2 API Manager - api

I need to expose some APIs through WSO2 API Manager, but with three important features:
Some APIs need 3-legged OAuth access control;
The OAuth authentication must be made through an identity provider already configured in WSO2 Identity Server;
The resource owner needs the ability to manage (list and revoke) subscribed applications.
Can anyone give me some tips to achieve this scenario?

Configure the Three Legged flow with OAuth 1.0a.
Refer to http://tharindue.blogspot.com/2015/04/three-legged-oauth-10a-playground_23.html for more details.
If IS is configured as the Key Manager for API Manager, Identity Server is the Identity Provider.
When a developer creates an application in the API Manager Store, he has manage permission for that application. All other subscribers who use the key and secret pair have subscribe permission only.
For additional information:
http://wso2.com/library/articles/2016/05/article-the-benefits-of-integrating-wso2-identity-server-with-wso2-api-manager/
https://docs.wso2.com/display/IS460/Authorization+Code+Grant+Type+with+API+Manager

Related

How can a federated SAML authentication flow work?

I'd like to set up an integration with a third-party vendor for which I have to provide services, which need to be customer-aware.
The main flow is on the third party, which already has a service provider and an identity provider; the third-party service provider then has to call my service, where I need to check the authentication, for which I would like to rely on their identity provider, thereby also gaining access to the user identity (name, email, other data).
[diagram: basic flow]
Can a flow like this work? Do I have to receive the authentication info cookie? Are there other ways in which I can integrate with the third-party identity provider?
Current web standards would likely dictate OIDC, especially if you want your service to be open to direct consumers as opposed to, or in addition to, enterprise users. Were I building something today, I would choose to build out only OIDC, because it doesn't limit the Identity Providers I may want to use. In addition to enterprise, you could consider social logins as well, such as Facebook, Google, etc. If your users are ONLY enterprise users, then yes, you could consider SAML.
The identity data is usually returned to you in a JSON Web Token, or JWT.
I would suggest looking at OIDC implementations on your favorite stack, or look to a cloud provider.

How do I use Google's Identity Platform to authenticate against Cloud Endpoints?

In our organisation we use the Google Kubernetes Engine (GKE) to implement a micro-service architecture. As we are also G-Suite users, everyone in the organisation is guaranteed to have a Google account. In consequence we would like to use those accounts to manage authentication and authorization of micro services.
We have prototyped login using the angularfire2 client to authenticate against the Google Identity Platform. We also have Google Cloud Endpoints configured to control access to relevant services.
The piece we are missing is how to get from the identity in Google to an access token we can use on our services -- the access token coming back using the Firebase API has no claims in it, and the documentation on custom claims seems to make it quite clear that these go into the identity token.
My expectation would be to have JWTs with the appropriate audience (our backend), containing a sufficient set of claims to implement role based access control within the services. Ideally the infrastructure could validate a claim already -- some of our services are small enough to require only one role, which could be enforced outside the service. Or we could annotate our endpoints (Protobuf) with the required claims.
In the GCP environment, what is the standard process of creating access tokens to be used for accessing GKE services? Is there anything that supports this?
The piece we are missing is how to get from the identity in Google to an access token we can use on our services -- the access token coming back using the Firebase API has no claims in it, and the documentation on custom claims seems to make it quite clear that these go into the identity token.
Google OAuth Access Tokens do not have an identity in the sense that you want to use it. Identity is stored in the Identity Token. Add the scope "email" when authenticating the user. Google will return an ID Token. For some frameworks, you can request custom claims for the Identity Token.
In the GCP environment, what is the standard process of creating access tokens to be used for accessing GKE services? Is there anything that supports this?
There are two types of access excluding methods such as API keys. User Accounts and Service Accounts. Service-to-service typically uses service account Access Tokens (RBAC) or service account Identity Tokens (IBAC). In your case, you want to use Identity Platform which means User Accounts.
If I was designing this system, I would use User Accounts to authenticate with the system - Firebase is great for this purpose. I would look up what roles this identity supports/allows from my database (Firestore) and create a service account Access Token with the required scopes for GCP services. I would then use this Access Token for GCP service-to-service authorization. If I also required custom roles for my own services, I would create a custom Identity Token with my custom roles and include that as a custom HTTP header and include the Google Access Token in the standard HTTP "authorization: bearer" header. I would use the service account private key to sign my custom Identity Token or use a GCP IAM API to sign for me so that the other end can verify with the service account's public key. This method prevents data leakage at the client, no private keys are distributed, scopes/roles are not disclosed, etc.
I would suggest you follow this doc on authentication between services using service account files.
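The custom identity token the answer above describes (the user's roles as claims, signed with a service account private key, verified by the receiving service with the matching public key), as an added example in Go that is not from the question, the answer or any Google library. The key pair, the claim names (sub, aud, exp, roles) and the audience string are assumptions; the Google access token that would travel alongside it in the Authorization header is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

const header = `{"alg":"RS256","typ":"JWT"}` // minted and accepted verbatim: the sender never picks the alg
var b64 = base64.RawURLEncoding

// Claims: the user, the service the token is for, expiry (unix seconds) and the roles looked up in the DB.
type Claims struct {
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles"`
}

// Mint signs the claims as an RS256 JWT with the (assumed) service account private key.
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err // the token is unusable when err != nil
}

// Verify checks the signature with the public key, then that the token is for this service and unexpired.
func Verify(pub *rsa.PublicKey, token, wantAud string, now int64) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != b64.EncodeToString([]byte(header)) {
		return nil, errors.New("malformed token or unsupported header")
	}
	sig, err := b64.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Aud != wantAud || now >= c.Exp {
		return nil, errors.New("claims malformed, wrong audience or expired")
	}
	return &c, nil
}
```

The receiving service then grants access by inspecting Roles on the returned Claims; a token whose payload was altered, whose audience is another service, or whose header names a different algorithm is rejected before any role is read.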

WSO2 Identity Server: How to authenticate User?

I am using an in-memory DB for storing user details in WSO2 Identity Server. I created a couple of users via the UI and now I want to authenticate those users using some external application.
Is there any available WSO2 service which takes user credentials and authenticates based on the details provided? I saw a few articles that mainly talk about User Stores. But there, I think, they directly connect to the DB to compare the credentials.
There are multiple ways to authenticate a user from Identity Server. The easiest way is to call the admin service (SOAP service) for authentication (RemoteUserStoreManagerService/authenticate). Or you can create an OAuth application inside the IS and use the resource owner grant type to pass the credentials and authenticate.
You can find admin service related information here [1] and password grant related information here [2].
Is there any available WSO2 service which takes user credentials and authenticates based on the details provided?
I believe we've misused the Token API service (/token with the password OAuth profile) to request an OAuth code, and the WSO2IS effectively validates the user's credentials.
I suggest your application stick to some authentication and authorization standards supported by the WSO2IS, such as OAuth 2.0 or SAML.

Web API 2 security - key for API

I'm building an API that my public mobile app (Xamarin Forms) will call to get information. However, to delimit the users of the API to just my app for security reasons, I want the public mobile app (Xamarin Forms) to pass a key to be able to call the API. Is basic authentication the best option then? Or is there another approach?
You can use any auth-based mechanism in your Web API project. The best would be the latest Identity 2.0 using OWIN.
OAuth is an open standard for authentication, and enables a resource owner to notify a resource provider that permission should be granted to a third party in order to access their information without sharing the resource owner's identity.
In your Xamarin client project (mobile app) use the Xamarin.Auth SDK to authenticate your users. It provides many features and also helps you to scale and use Social authentication as well.
Xamarin.Auth is a cross-platform API for authenticating users and storing their accounts. It includes OAuth authenticators that provide support for consuming identity providers such as Google, Microsoft, Facebook, and Twitter.
The authentication flow when consuming an OAuth identity provider is as follows:
The application redirects a browser to an identity provider URL. The URL query parameters indicate the type of access being requested.
The identity provider handles user authentication, and returns an authorization code to the application.
The application exchanges the authorization code, client ID, and client secret for an access token from the identity provider.
The application uses the access token to access APIs on the identity provider, such as requesting basic user data.
The application uses the OAuth2Authenticator and OAuth2Request classes, provided by Xamarin.Auth, to implement the application side of the authentication flow.
A detailed explanation of authenticating users with an identity provider using the Xamarin.Auth component is available here.
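An added example in Go, not from either answer and not Xamarin.Auth's own code, covering the first three steps of the authorization code flow listed above together with the resource owner password grant that the earlier WSO2 IS answer sends to /token; the endpoint URLs, the client registration and the state value are assumptions. It assumes the code exchange and the client secret live in a confidential client (a backend), since a secret embedded in a public mobile app can be extracted.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// Client is the OAuth 2.0 registration a confidential client keeps on its own server (assumed values).
type Client struct {
	ID, Secret, AuthzEndpoint, TokenEndpoint string
}

// AuthorizeURL is step 1: the browser goes here; state is a per-login random value the app keeps to compare later.
func (c Client) AuthorizeURL(redirectURI, scope, state string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {c.ID},
		"redirect_uri": {redirectURI}, "scope": {scope}, "state": {state}}
	return c.AuthzEndpoint + "?" + q.Encode()
}

// Callback is step 2: take the code from the redirect, refusing a wrong state (CSRF), a provider error or no code.
func Callback(cb *url.URL, wantState string) (string, error) {
	q := cb.Query()
	if q.Get("state") != wantState || q.Get("error") != "" || q.Get("code") == "" {
		return "", errors.New("callback rejected: bad state, provider error or no code")
	}
	return q.Get("code"), nil
}

// tokenRequest posts a grant to the token endpoint with HTTP Basic client_id:client_secret authentication.
func (c Client) tokenRequest(grant url.Values) (*http.Request, error) {
	req, err := http.NewRequest("POST", c.TokenEndpoint, strings.NewReader(grant.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(c.ID, c.Secret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// CodeExchange is step 3: trade the code (bound to the same redirect URI) for tokens.
func (c Client) CodeExchange(code, redirectURI string) (*http.Request, error) {
	return c.tokenRequest(url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}})
}

// PasswordGrant is the resource owner password grant the WSO2 IS answer sends to /token.
func (c Client) PasswordGrant(user, pass string) (*http.Request, error) {
	return c.tokenRequest(url.Values{"grant_type": {"password"}, "username": {user}, "password": {pass}})
}
```

The request returned by CodeExchange or PasswordGrant is sent with http.DefaultClient.Do; the password grant hands the user's actual password to the application, which is why the Xamarin answer's browser-based code flow is the better fit for a third-party identity provider.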

Authenticating calls to my Web API from third party applications with Azure ACS

I'm using Azure ACS for authentication to my Web API project and it's working great with IPs such as Google and Live. I have a requirement to allow third parties (partners) to develop against my API, but I'm not exactly sure how to authenticate them. I'm thinking I may have to write a custom STS and manage usernames and passwords for each partner. In this scenario the partner would request an access token from my custom STS via a username/password and then use that token to access my API. Also I see Azure ACS has Service Identities; I'm wondering if I can use them in order to authenticate to my API?
Yes, you can.
Create a Service Identity with authentication by X.509 certificate.
Create Rule Groups with rules mapping the Service Identity Name to the selected claim.
For your application under Relying Party Applications, check the new Rule Group in Authentication Settings.