I have an IAM (Keycloak) setup for SSO on my multiple first-party apps. Let's assume one of the first-party apps is Stock Manager. This app has an API server where a user can CRUD SKUs and products. Each product can have a name, description, sku, price, etc.
Then there is a third-party app SuperAwesomeManager, which is just a server that has a cronjob running to fetch data of multiple users from Stock Manager.
The situation is that I want to allow SuperAwesomeManager to access only products with a sku of MY_PROD_SKU_1. How can this be achieved using Keycloak as the IAM? Just remember that SuperAwesomeManager is running on a server and doesn't provide any UI, and I also can't share user credentials with SuperAwesomeManager.
One option is to create a confidential client for SuperAwesomeManager. The cron job will get an access token by logging into the confidential client with the client id and secret, then call the API on Stock Manager using the access token.
You can use a mapper to add a claim to the access tokens created by the confidential client which indicates the token only has access to MY_PROD_SKU_1. Your API on Stock Manager must look for said claim in the access token and act accordingly.
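The claim check this answer describes, as an added example that is neither the asker's nor the answerer's code: the Stock Manager side verifies the access token and enforces the restriction claim before returning a product. Assumed names: an `allowed_skus` array claim emitted by the mapper and an audience of `stock-manager-api`; the token is HS256-signed with a constructed shared secret so the example runs offline, whereas Keycloak signs with RS256 and the real check verifies against the realm's public keys.

```ruby
require "json"
require "openssl"
SHARED_SECRET = "constructed-demo-secret" # constructed; Keycloak really signs RS256 (verify via realm JWKS)
STOCK_MANAGER_AUD = "stock-manager-api"    # assumed audience name of the Stock Manager API

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0") # raises ArgumentError on junk
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mints a token like the one the confidential client receives; used only to build the sample below.
def sign_token(payload)
  input = "#{b64url_encode({ alg: "HS256" }.to_json)}.#{b64url_encode(payload.to_json)}"
  "#{input}.#{b64url_encode(OpenSSL::HMAC.digest("SHA256", SHARED_SECRET, input))}"
end

# Resource-server check: the claims if alg, signature, exp and aud all hold, otherwise nil.
def verify_token(token, now: Time.now.to_i)
  header, body, sig, extra = token.split(".")
  return nil unless header && body && sig && extra.nil?
  return nil unless JSON.parse(b64url_decode(header))["alg"] == "HS256" # refuse alg swaps
  expected = OpenSSL::HMAC.digest("SHA256", SHARED_SECRET, "#{header}.#{body}")
  return nil unless secure_equal?(expected, b64url_decode(sig))
  claims = JSON.parse(b64url_decode(body))
  return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  return nil unless Array(claims["aud"]).include?(STOCK_MANAGER_AUD)
  claims
rescue ArgumentError, TypeError, NoMethodError, JSON::ParserError
  nil
end

# API handler: :unauthorized without a valid token, :forbidden unless the mapper's claim lists the SKU.
def fetch_product(token, sku, catalog, now: Time.now.to_i)
  claims = verify_token(token, now: now)
  return [:unauthorized, nil] unless claims
  allowed = claims["allowed_skus"]
  return [:forbidden, nil] unless allowed.is_a?(Array) && allowed.include?(sku)
  [:ok, catalog.find { |p| p[:sku] == sku }]
end

CATALOG = [{ sku: "MY_PROD_SKU_1", name: "Widget", price: 9.5 },
           { sku: "MY_PROD_SKU_2", name: "Gadget", price: 19.0 }].freeze # constructed data
SAM_TOKEN = sign_token(sub: "service-account-superawesomemanager", aud: STOCK_MANAGER_AUD,
                       exp: Time.now.to_i + 300, allowed_skus: ["MY_PROD_SKU_1"])
```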
Do we really need to mandate X-IBM-Client-ID header while exposing OAuth authorize and token endpoints via IBM API Connect product?
We have different types of grant types for OAuth-based APIs. This IBM Documentation may help you understand the different types.
If the API is designed to be confidential or public, the consumer needs to provide the client id and client secret of the subscribed application.
We have three types of OAuth flows in API Connect:
Application Flow (Required client Id and Client Secret - mandatory)
Password flow (Required Client Id mandatory)
Access Code Flow (Not mandatory)
Those are used in administrative calls like /issued (not for regular calls like /token).
You need special client credentials that were created by the provider organization (inside API Manager); they accompany, in the request, a client id to query (which permissions were given to a certain client by a certain resource owner).
I have a WebAPI (A) hosted on Azure protected by Azure B2C (B) which is being called by a mobile app (C) - this is all working correctly.
I now want to allow third parties to access my API via API Management on the same platform but I am getting extremely confused with authentication and "audiences".
The API Management developer portal has been configured as per the Azure documentation so that when the developer makes test calls on the portal it prompts for authentication using the B2C domain (B). To do this it uses an application registered against the B2C domain.
However when I want to implement the API from a third party system (D) I need to allow the system to impersonate a user when calling my API (A) so that operations happen in the context of an authenticated user on the domain (B).
I know B2C does not yet support "On Behalf Of" as a valid flow, so I use hellojs to obtain an access token on the client, which I pass to the third-party system API via a custom header, which it then appends as an Authorization header to its call to the API.
The API Management product expects a "subscription key" to identify the products the third party implementation can use.
Does this mean, with regard to the authentication part, that every third-party system using my API would use the same OAuth "audience" id and therefore the same Active Directory app?
It makes more sense to me that each third-party implementation would have a different app on Azure AD, but that would mean my Web API would need to recognise a huge number of audience ids and redirect URIs?
Finally, how do I "hide" the Web API endpoints from public use? Surely use of the audience id would allow people to circumvent the API Management product?
Apologies if I have mixed any terminology up.
1) Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?
They will use the same resource/scope id (i.e. audience) e.g. https://yourwebapiAppIDURI/Read but they would all have their own application IDs.
2) It makes more sense to me that each third party implementation would have a different app on Azure Ad but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?
Yes, they should register their applications as clients to your B2C Auth server.
The 3rd-party apps should be set up in the AAD portal to have delegated access to your web API ("Access yourwebAPIname"). If your web API exposes any scopes, access to those can be delegated too.
Now when they start the token request by redirecting the user to your Auth Server, they should provide their client id and a resource/scope value of your web API's App ID URL, e.g. https://yourwebapiAppIDURI/Read.
That should result in a token with:
aud value of the Application ID associated with https://yourwebapiAppIDURI/
scp value of Read
OK, so B2C doesn't use consent:
Azure AD B2C does not ask your client application users for their consent. Instead, all consent is provided by the admin, based on the permissions configured between the applications described above. If a permission grant for an application is revoked, all users who were previously able to acquire that permission will no longer be able to do so.
I'm now trying to split a monolithic application into microservices (dedicated Rails apps) and wanted to know: is there a solution to move the authorization service out of each service?
For example, I have 6 different Rails API services with the 'knock' gem that have a user model for authentication purposes.
All those services share one user database.
I want to implement a dedicated service with the user model, but how will the other services verify users with the given tokens?
Also, I want to be able to control which services a user can and can't use. So should there be an AccessRole service?
Draft case:
User goes to 'articles' (frontend UI client)
auth_service validates the token from the client
access_service gets a message from auth_service somehow and validates the user's role to access the 'articles' resource.
articles_service sends a response to the client with JSON data.
Here are some more questions:
How will access_service communicate with auth_service? Should they use one user database to verify the user's credentials and role?
articles_service and so on: should they become private services without public access and act as black boxes to the user?
I have been playing around with this problem and there aren't any well-documented solutions out there. What I would do is build a service which manages the users and your Access Control List (ACL).
Identity Service - This is where the client will authorize itself for access to the other services in the API.
login [POST]
email
password
This will return a JWT token that in the payload section will have the following information:
User Id
ACL
The ACL could be an array of the allowed roles they have. This way when the client makes a request to the API the service responding to the request can introspect on the User ID (Knock - current_user) and then you can get the ACL from the payload. Very easy I think to then add a before_action to verify the appropriate role.
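The before_action role check suggested above, as an added example in plain Ruby (not the answerer's code, and runnable without Rails or knock). It assumes the identity service's JWT payload carries `sub` (the user id) and `acl` (an array of role names), and that each controller action maps to one required role; the role names and payloads are made up for the example.

```ruby
class AclDenied < StandardError; end

# Which role each action of the articles service requires. Actions that are
# not listed are denied: a check that defaults to "allow" silently opens
# every endpoint added later. Role names are assumptions for this example.
ARTICLE_ROLES = { "index" => "articles:read", "show" => "articles:read",
                  "create" => "articles:write", "destroy" => "articles:admin" }.freeze

# Pull the ACL out of the decoded JWT payload, tolerating nothing but an
# array of strings so a crafted "acl" of another type cannot slip through.
def roles_from(payload)
  acl = payload["acl"]
  return [] unless acl.is_a?(Array)
  acl.select { |role| role.is_a?(String) }
end

# The body of the before_action: raise unless the caller's ACL grants the action.
def authorize_action!(payload, action)
  required = ARTICLE_ROLES[action.to_s]
  raise AclDenied, "no role mapping for #{action}" if required.nil?
  unless roles_from(payload).include?(required)
    raise AclDenied, "user #{payload['sub']} lacks #{required}"
  end
  true
end

# Simulates dispatching one request: [status, body], as the service would answer.
def handle_request(payload, action)
  authorize_action!(payload, action)
  [200, { "action" => action.to_s, "user" => payload["sub"] }]
rescue AclDenied => e
  [403, { "error" => e.message }]
end

# Constructed payloads standing in for what knock decodes from the token.
READER = { "sub" => 42, "acl" => ["articles:read"] }.freeze
EDITOR = { "sub" => 7, "acl" => ["articles:read", "articles:write"] }.freeze
```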
Currently, I have a running application with a bunch of customers and custom servlet API.
To be able to integrate my app with my partner's app, I need to implement a REST API and an OAuth 2.0 flow.
And I am on my way to integrating WSO2 API Manager into my environment for these needs.
The desired flow is shown in the picture (api flow).
And to say it verbally:
User already registered in my APP
User registers on partner's APP
In order to use services of my app, the user is required to authorise himself on my app (the OAuth 2.0 authorization code flow is used) from the partner's app.
The partner's app can interact with my app via the REST interface with the help of the user's access token.
Is there a possibility to register only one consumer on the WSO2 API Manager side (my partner's app) and provide the client secret and password only to my partner, but not to each user?
Currently, I have one registered consumer to provide tests.
And each time when I make requests for an authorization code for this test consumer with its client secrets, I receive the same code.
From this behavior, I understand that it is needed to issue client secrets on the API Manager side for each end user and not just for the partner's app.
For the OAuth 2.0 authorization code flow it is needed to provide only one client_id and client secret for the partner.
In order to authorize end users at the WSO2 API Manager side and provide unique access_tokens for end users, WSO2 API Manager should have access to the User table of the database.
In the User table, login/encrypted_password values for end users are stored.
My client application allows connecting to several third-party data sources to obtain data from, and JIRA is one of them. OAuth in my client application is handled in such a way that for each data source, it accepts constant values for request token URL, access token URL, authorization URL, client ID and secret, and obtains an access token. From the JIRA OAuth example, the first 3 values are dependent on the BASE URL. Is the BASE URL always different for each company/business that uses JIRA? However, values for these fields are constant for Twitter, Facebook etc.
Also, what configuration changes should the company admin who has a JIRA account that wants to allow access from my application have to make? Should each business admin configure an application link to allow access from my application?