I have a WCF service in which I issue a SAMLSecurityToken to an external client for authentication.
I need to make sure that the token was not intercepted by a third party when it comes back and is attempted to be used for service calls. Any suggestions on how to do this type of validation?
I'm currently doing the following validation on the token already:
Validating token is not expired
Validating token was signed by our server certificate
Related
I have ASP.NET Core RESTful APIs and protect them with JWT token issued from Azure Active Directory. Any client who wants to call the endpoints should first acquire a valid JWT token from the AAD and send that as a Bearer token. My API internally should call an external API (internal to the organisation) to query some information and return it to the user. The external API requires mTLS as its security protocol.
My questions
Can I still have my Bearer authentication scheme against my APIs and at the same time have mTLS enabled in my API so it can communicate with the third API?
From my understanding, in TLS which mTLS is an extension of it, the client should verify the server's certificate. Does that mean, with every incoming request I should check if it's presenting the certificate? If so, then what would happen to the Bearer authentication scheme then?
In my head, I was hoping that I can just append the certificate to the requests against the third-party API and that should be it but based on question number 2 I seem to be wrong about it.
I'm a bit lost here and appreciate any advice on this.
I found one interesting article that has this illustration:
It says that:
API Gateway verifies access token for all incoming requests via introspection
But what does this mean?
it says that gateway goes to authorization server and validates token (JWT).
why is that needed?
if gateway has authorization server's public key, it can check token validity using signature just like every backend service, why is introspection needed and how is it done?
Depending on your Identity provider it can be done either way but there are trade offs.
If you validate the token locally then yes it can use public keys to do that and that's very efficient way, however downside is that if the token or signing keys are revoked then your token is still valid. With Remote check you have to bear the http overhead but that is more reliable.
Normally tokens are kept short lived and validated locally. But if your access token are long lived, your application require strict access controls or library doesn't support local validation then it's a good idea to check them remotely
I believe you are looking at this document.
What I understood from this Secure API Gateway is that the gateway is responsible for introspection and the back-end services will only check the token signature, which is less secure than introspection, but still a layer of security.
Introspection is necessary to validate the token information against the Authorization Server.
This is more secure, because the system can ensure that the token received is not malicious, expired and it is from an known source.
The details on how it is done are explained in RFC 7662.
Yes, the gateway could validate the token signature if it has access to the certificate.
I can't really tell why they choose the back-end server to do it, probably a project decision.
API Gateway primarily meant for routing the incoming calls to the corresponding MicroService Clusters.
In addition to that,it can also play a role to validate the token, so that only valid traffic is routed to the downstream servers (filtering malicious traffic).
The level of validation could be up to the product owner/architect decision. It could be as simple as validating against the list of in memory cached token or in depth validation on set of claims, digital signature verification, expiry time, audience claim etc.
You can view the set of claims inside the token using JWT decoder like https://devtoolzone.com/decoder/jwt
I am trying to understand how JWT authentication is stateless. In stateful authentication, there will be a session id. Here there is a JWT token which is signed. So the authentication server issues the JWT token, but can I say the validation of the JWT token in subsequent requests are done by the endpoint server (application server) rather than the authentication server. I believe this is possible as JWT is signed with expiry date (and also some other information) and the public certificate of authentication server is available to all endpoint servers.
So the authentication server will be only responsible for issuing the tokens and not validation. The validation will be done by the endpoint server.
Is my understanding correct? Is this how JWT is made stateless? Otherwise, I don't see how it is different from a stateful authentication as both can be implemented using tokens.
In stateful authentication, the centralized server will be responsible for issuing the tokens as well as validation is each request.
JSON Web Tokens (JWT) are referred to as stateless because the authorizing server needs to maintain no state; the token itself is all that is needed to verify a token bearer's authorization.
JWTs are signed using a digital signature algorithm (e.g. RSA) which cannot be forged. Because of this, anyone that trusts the signer's certificate can safely trust that the JWT is authentic. There's no need for a server to consult the token-issuing server to confirm its authenticity.
Notice in this diagram that the Resource Server does not need to check back with the Authorization Server:
Source: https://jwt.io/introduction/
In stateless authentication there is no need to store user information in the session. We can easily use the same token for fetching a secure resource from a domain other than the one we are logged in to.
Refer : https://www.jbspeakr.cc/purpose-jwt-stateless-authentication/
I may have the wrong idea of how I should go about these things, but this is currently the case:
I have a WebApi service that accepts requests from Sharepoint Online (SPO), which have SAML2 token passed within. The SAML2 token is issued by SPO STS, and I will need to validate the token, and extract claims out of it.
My question is how do I validate the token? Is there a way to trust the STS somehow, so I can just verify the signature (possibly will have to decrypt the token as well) all in-place? If not, and I have to make another call to STS, what should be the endpoint to validate the token? I couldn't find much documentation on this.
If you're using O365 as STS or IdP and that provides the SAML2.0 Assertion to your service, then you have to get its X509Certificate (to verify the signature of received SAML2.0 Assertion) from metadata link: https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml.
Make sure you retrieve X509Certificate from EntityDescriptor-> IDPSSODescriptor-> KeyDescriptor use="signing" -> KeyInfo-> X509Data-> X509Certificate.
Is it safe to allow a third party client to create a valid JWT for our resource API? All the examples I've seen require we provide an authentication server for issuing the JWT to authorized clients.
I think you need understand the difference between resource server (RS) and authorization server (AS).
If you trust the third party client to do the token issuance and validation on your behalf, it is totally fine to delegate the token process to them.
With that said, the flow would be like this:
user-agent access your resource endpoint.
your security chain check if user has authenticated session, if yes, proceed the request.
if not, redirect user to third party authentication endpoint with token.
after successfully authenticate the user, callback to resume the resource access.
if failed, take the user to access denial page.