I'm developing a POC for integration testing of IBM worklight adapters. In doing so I'm using RESTAssured framework. I have an adapter having security test applied to it.
XML Snippet:
<procedure name="getCatalog"
securityTest="SingleStepAuthAdapter-securityTest" />
For authentication I have another adapter:
<procedure name="submitAuthentication" />
In my test I'm calling SubmitAuthentication adapter and then I'm calling getCatalog adapter. This is returning me following error response:
Runtime: The resource 'proc:SampleHttpAdapter.getCatalog' should only
be accessed when authenticated in realm 'SingleStepAuthRealm'.
Below is the test case i'm executing:
public void testGetCatalog() {
Response response = RestAssured.given().get(BASE_URL.concat("SampleHttpAdapter&
procedure=submitAuthentication¶meters=[\"worklight\",\"worklight\"]"));
String sessionid = response.getSessionId();
Cookie cookie1 = new Cookie.Builder("JSESSIONID", sessionid).build();
System.out.println("cookie value" + cookie1.getValue());
RequestSpecification spec_two = new RequestSpecBuilder().addCookie(cookie1)
.setSessionId(sessionid).build();
Response catalog_response = RestAssured.given()
.spec(spec_two)
.get(BASE_URL.concat("SampleHttpAdapter&procedure=getCatalog¶meters=[]"));
String catalog_json = catalog_response.asString();
System.out.println(catalog_json);
}
As per the response it seems like the authentication is not persisting in my request of getCatalog. How can i do so ?
Without knowing how your adapter procedures are written it is difficult to investigate the issue above. Can you please include the adapter procedures of submitAuthentication as well as getCatalog?
I can include to you a sample and tutorial Worklight proivides on adapter based authentication that will describe in great detail how the authentication process works. You can even use this project as a basis, since it accomplishes single step adapter authentication. Use the mechanisms it provides with authentication and add in your getCatalog method for testing.
Adapter Based Authentication Presentation:
http://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v610/08_03_Adapter_based_authentication.pdf
Adapter Based Authentication Project:
http://public.dhe.ibm.com/software/mobile-solutions/worklight/docs/v610/AdapterBasedAuthenticationProject.zip
Related
Im working in a hybrid mobilefirst 6.3 app, and i want to access to an adapter previous to my login, is there a way that i can do that? because every time that i want to access my adapter the handleChallenge method occurs.
application-descriptor.xml:
<android version="1.0" securityTest="NevadaApplication-strong-mobile-securityTest">
my adapter config xml:
<procedure name="getPhoneNumber" securityTest="wl_unprotected"/>
Because you have set a security test also on the application level, meaning on the environment in application-descriptor.xml, you will get hit with a challenge handler despite having the adapter procedure set with a security test set as wl_unprotected.
To achieve what you're looking for you will need to add security tests to your adapter procedures (with the one you want unprotected as wl_protected), and leave the environment without a security test assigned to it in application-descriptor.xml.
Read more on security tests here: https://www.ibm.com/developerworks/community/blogs/worklight/entry/understanding_predefined_worklight_authentication_realms_and_security_tests11?lang=en
Read more on the different authentication options here: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-6-3/authentication-security/authentication-concepts/
I'm trying to make a simple example of a connection to a WS (JAX-RS), when I call from the browser, I should return a string but I get the following error message:
missing_authorization, this is the URL to access the resource (REST):
http://localhost:10080/PruebaWSProject/adapters/MyAdapter/users/pramirez
When I test it directly from MobileFirst Studio using "Call MobileFirst Adapter", it works perfectly.
It seems to be a problem with HTTP authentication, apparently I have to set something in the XML file server: authenticationConfig.xml, but I do not know what I have to put and I read the following in a web:
Disabling the authentication requirement for a specific procedure.
You can do so by adding the securityTest="wl_unprotected" property to the element in the adapter XML file.
I do not know how to turn off the security to call the resource to obtain the chain. The name of the classes generated by the Java adapter are: MyAdapterResource and MyAdapterApplication.
Java Adapters are protected by default.
When you use "Call MobileFirst Adapter", a test token is automatically added to help you preview.
If you want to test your adapter outside of the wizard, you have 2 main options:
Disable security by adding #OAuthSecurity(enabled=false) before your procedure code (in MyAdapterResource). Keep in mind that your procedure will no longer be protected. See Protecting Adapters.
Generate a test token manually. You can request a test token which you will add to your HTTP headers. See In Postman
The instructions you saw regarding securityTest="wl_unprotected" are for JavaScript adapters, not Java.
I am trying to create a Web API that allows the API's clients (native mobile apps) to login using a 3rd party cloud storage provider. I'm using the following general flow from Microsoft:
Here is what I am trying to achieve:
I am using the default ASP.NET Web API Visual Studio template with external authentication, along with the OWin.Security.Providers Nuget package for Dropbox login functionality, and the existing built-in login functionality for Google (Drive) and Microsoft (OneDrive).
The issue I'm having is that the built-in functionality all seems to do the authentication and authorization as part of one flow. For example, if I set up the following in Startup.Auth.cs:
DropboxAuthenticationOptions dropboxAuthOptions = new DropboxAuthenticationOptions
{
AppKey = _dropboxAppKey,
AppSecret = _dropboxAppSecret
};
app.UseDropboxAuthentication(dropboxAuthOptions);
... and navigate to this url from my web browser:
http://<api_base_url>/api/Account/ExternalLogin?provider=Dropbox&response_type=token&client_id=self&redirect_uri=<api_base_url>
I am successfully redirected to Dropbox to login:
https://www.dropbox.com/1/oauth2/authorize?response_type=code&client_id=<id>&redirect_uri=<redirect_uri>
... and then after I grant access, am redirected back to:
http://<api_base_url>/Help#access_token=<access_token>&token_type=bearer&expires_in=1209600
... as you can see the token is part of that, so could be extracted. The problem is that the client needs to be the one navigating to Dropbox and returning the authorization code back up to the Web API, and the Web API would send the authorization code back to the third party to get the token which would then be returned to the client... as shown in the diagram above. I need the ExternalLogin action in the AccountController to somehow retrieve the Dropbox url and return that to the client (it would just be a json response), but I don't see a way to retrieve that (it just returns a ChallengeResult, and the actual Dropbox url is buried somewhere). Also, I think I need a way to separately request the token from the third party based on the authorization code.
This post seems a little similar to what I am trying to do:
Registering Web API 2 external logins from multiple API clients with OWIN Identity
... but the solution there seems to require the client to be an MVC application, which is not necessarily the case for me. I want to keep this as simple as possible on the client side, follow the flow from my diagram above, but also not reinvent the wheel (reuse as much as possible of what already exists in the OWIN/OAuth2 implementation). Ideally I don't want the client to have to reference any of the OWIN/OAuth libraries since all I really need the client to do is access an external url provided by the API (Dropbox in my example), have the user input their credentials and give permission, and send the resulting authorization code back up to the api.
Conceptually this doesn't sound that hard but I have no idea how to implement it and still use as much of the existing OAuth code as possible. Please help!
To be clear, the sample I mentioned in the link you posted CAN be used with any OAuth2 client, using any supported flow (implicit, code or custom). When communicating with your own authorization server, you can of course use the implicit flow if you want to use JS or mobile apps: you just have to build an authorization request using response_type=token and extract the access token from the URI fragment on the JS side.
http://localhost:55985/connect/authorize?client_id=myClient&redirect_uri=http%3a%2f%2flocalhost%3a56854%2f&response_type=token
For reference, here's the sample: https://github.com/aspnet-security/AspNet.Security.OpenIdConnect.Server/tree/dev/samples/Mvc/Mvc.Server
In case you'd prefer a simpler approach (that would involve no custom OAuth2 authorization server), here's another option using the OAuth2 bearer authentication middleware and implementing a custom IAuthenticationTokenProvider to manually validate the opaque token issued by Dropbox. Unlike the mentioned sample (that acts like an authorization proxy server between Dropbox and the MVC client app), the JS app is directly registered with Dropbox.
You'll have to make a request against the Dropbox profile endpoint (https://api.dropbox.com/1/account/info) with the received token to validate it and build an adequate ClaimsIdentity instance for each request received by your API. Here's a sample (but please don't use it as-is, it hasn't been tested):
public sealed class DropboxAccessTokenProvider : AuthenticationTokenProvider {
public override async Task ReceiveAsync(AuthenticationTokenReceiveContext context) {
using (var client = new HttpClient()) {
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.dropbox.com/1/account/info");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.Token);
var response = await client.SendAsync(request);
if (response.StatusCode != HttpStatusCode.OK) {
return;
}
var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
var identity = new ClaimsIdentity("Dropbox");
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, payload.Value<string>("uid")));
context.SetTicket(new AuthenticationTicket(identity, new AuthenticationProperties()));
}
}
}
You can easily plug it via the AccessTokenProvider property:
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions {
AccessTokenProvider = new DropboxAccessTokenProvider()
});
It has its own downsides: it requires caching to avoid flooding the Dropbox endpoint and is not the right way to go if you want to accept tokens issued by different providers (e.g Dropbox, Microsoft, Google, Facebook).
Not to mention that if offers a very low security level: since you can't verify the audience of the access token (i.e the party the token was issued to), you can't ensure that the access token was issued to a client application you fully trust, which allows any third party developer to use his own Dropbox tokens with your API without having to request user's consent.
This is - obviously - a major security concern and that's why you SHOULD prefer the approach used in the linked sample. You can read more about confused deputy attacks on this thread: https://stackoverflow.com/a/17439317/542757.
Good luck, and don't hesitate if you still need help.
I have a question about the connectAs="endUser" option, found in the adapter XML file.
In the design mode I can read
- endUser: The connection to the back end will be created with the user's identity, as authenticated by the authentication realm
So my question is: Does it have sense to use the option connectAs="endUser" without being authenticated and without defining a security test?
I am having this question, because I used to put the connectAs="endUser" in the authentication procedure
<procedure name="authenticate" connectAs="endUser"/>
Is that wrong?
So as you can see in the documentation using connectAs="endUser" is "Only valid if a user realm has been identified in the security tests for this procedure."
Here are some resources you may want to look into:
procedure element of the adapter XML file
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/index.jsp?topic=%2Fcom.ibm.worklight.dev.doc%2Fdevref%2Fr__procedure_.html&resultof%3D%2522%2563%256f%256e%256e%2565%2563%2574%2561%2573%2522%2520%2522%2563%256f%256e%256e%2565%2563%2574%2561%2522%2520
The authentication element of the HTTP adapter
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/index.jsp?topic=%2Fcom.ibm.worklight.dev.doc%2Fdevref%2Fr_the__authentication__element_o.html&resultof%3D%2522%2563%256f%256e%256e%2565%2563%2574%2561%2573%2522%2520%2522%2563%256f%256e%256e%2565%2563%2574%2561%2522%2520
Can you please provide your scenario to how you would like to use this setting in greater detail
I've created a WCF webservice, that can dynamically call other webservices/db connections with DLL's loaded with .LoadFile('from assembly'). Inside one of these assemblies, another webservice is called dynamically with a passed in network credential as follows:
WebClient client = new WebClient();
client.Credentials = this.networkCredential; //This credential is passed in
RequestStream requestStream = client.OpenRead(this.url);
//rest of code. The .OpenRead is giving 401 error (not authorized).
When I do this in debug mode from a test console application and creating the network credentials as follows:
NetworkCredential networkCredential = new NetworkCredential(<userid>,<password>,<domain>);
this works fine.
The failing code is providing networkcredentials as follows
System.Net.NetworkCredential networkCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
Any help would be greatly appreciated.
Unless you are using impersonation, DefaultNetworkCredentials attempts to use the credentials of the process running your ASP.NET website, not the credentials of the user accessing your site. In order to use the credentials of the user, you should wrap your call to the web services in an impersonation context.
var impersonationContext = HttpContext.Current.Request.User.Identity.Impersonate();
if(impersonationContext != null)
{
//call your webservice here. DefaultNetworkCredentials will be what you expect.
impersonationContext.Undo();
}
There are, of course, conditions. The user must be authenticated (can't be an anonymous user, unless the anonymous user also has access to your web service). Also, the code above is just an example - in production code there are quite a few other things to consider. Here is an msdn article that should help get you started.
FYI, the reason it works in development is most likely because your development server process runs as you, and since you have access to the web service, it succeeds.