Is it possible to use the Gitlab OAuth2 API to write a service that consumes Gitlab resources from the Gitlab API without user interaction (i.e., using machine-to-machine communication)?
As far as I understand the OAuth2 protocol, writing such a service would be possible using the client-credentials flow (i.e., Client Credentials Grant). However, according to the Gitlab OAuth2 Provider API, only the following flows are supported:
Authorization code with PKCE
Authorization code
Resource owner password credentials
Did I miss something or does that mean that an application that I register in Gitlab as an OAuth2 Application can only fetch resources when an interaction with the end-user is involved?
Should I fallback to using group tokens in this case?
Related
I have an application set up as follows:
Angular UI -> Spring Cloud Gateway -> Spring Boot-based Service
I am attempting to authenticate my application against a limited Oauth SSO server with ONLY the following endpoints:
/authorize
/token
/userdata
The SSO does not provide an /introspect endpoint, nor does it issue JWTs.
What I would like to do is have Spring Cloud Gateway handle the authentication, but based on the result from /userdata, I would like to generate my own JWT to relay to the service.
My questions:
Is this possible?
If so, can someone give pointers or guide me to the resources that will get me started?
Spring Security OAuth2.0 Client and Spring Cloud Gateway combination works well in this case.
Client(Angular UI) requests to the Gateway service with OAuth2.0 login URL
The Gateway redirects the request to Identity Provider(Such as Google) login page.
After user login successful Identity Provider redirects the request to the Gateway with user info.
On Authentication success handler(Gateway service)
Parse user info and save it to somewhere
Create access token and refresh tokens. Set them to request cookies
Redirect to client(Angular UI)
I don't know the reason to pass the token downstream services at this point. If there is no specific requirement then I would implement all the security related operations on the Gateway service. Such as token generation, validation etc. This way new services can be easily added without concerning about authentication and authorization.
Here is a sample project.
Our apis are being consumed by 3rd party deamon applications as well as client applications. For third party deamon application we can expose the api via the client credential oauth flow and for the client application(S) we use the implicit grant outh flow.
The challenge we are facing is that in case of the implicit grant flow the user details are fetched from the ACCESS TOKEN. But when the same api is used for the client credential flow the user details can not be fetched from the ACCESS token as it has only application specific details.
What is the the best api design approach to handle the above challenge ?
Do I need two set of api(s) one for integrating with client application and one for integrating with server application ?
Will the usage of any alternative oauth flow help ?
Refer to Authentication scenarios for Azure AD documentation, as you stated correctly user interaction is not possible with a daemon application, which requires the application to have its own identity. This type of application requests an access token by using its application identity and presenting its Application ID, credential (password or certificate), and application ID URI to Azure AD. After successful authentication, the daemon receives an access token from Azure AD, which is then used to call the web API.
The quintessential OAuth2 authorization code grant is the authorization grant that uses two separate endpoints. The authorization endpoint is used for the user interaction phase, which results in an authorization code. The token endpoint is then used by the client for exchanging the code for an access token, and often a refresh token as well. Web applications are required to present their own application credentials to the token endpoint, so that the authorization server can authenticate the client.
Hence, the recommended way is two have two version of api implemented with two different type of authentication based on your scenario.
Reference -
Daemon or server application to web API
Understanding the OAuth2 implicit grant flow in Azure Active Directory (AD)
I have a project in which there are several microservices which are secured using spring oauth2.I have published these services on WSO2 API Manager and disabled the oauth2 feature of WSO2 as my services are already secured using spring oauth2.Now when I access my services published on WSO2, using token of spring oauth2 i get in response either status code 0 "no response" or status code 403 unauthorized.What could be the issue here.
The WSO2AM (API Manager) authorizes the clients using the OAuth protocol and the backend services should trust the WSO2AM providing service authorization.
The API MAnager is not able (by default) validate the tokens of your backend services.
As far I know WSO2 AM clears the "Authorization" header to the backend services. (correct me when I am wrong).
your options:
Setup a proper environment, where APIM is used to authorize users. The APIM can send a JWT token to the backend services with user identity and attributes and the backend service will validate and trust the APIM JWT token containing user identity and attributes. I really suggest you stick to the way how APIM works and not try to force it working other way
If you really must using your own OAuth tokens, you could send the authorization token in different header (which will not get cleared)
You could create a custom mediation flow to to re-enter the authorization header into the request (I am not sure if you will need to update the exposed api mediation flow too or not to skip the default authorizer).
We are already using CAS for single sign on for several web applications that we are hosting. Now we are going to deploy several HTTP/REST services in our network and those need authentication and authorization.
Would it be a good idea to combine CAS with OAuth ?
Users would still use CAS for SSO, but additionally login procedure would issue OAuth ticket that would be used to access REST services.
REST services can be protected via CAS proxy authn. Additionally, they can be integrated with OAuth. CAS provides both OAuth and OIDC protocol functionality as well.
That's certainly valid. OAuth 2.0 doesn't specify/dictate how the user (Resource Owner) is authenticated and CAS/SSO is fine for that. Effectively you'd be leveraging a CASified Authorization Server so that the Resource Owner authenticates with CAS to the Authorization Server, which is "just" an application to the CAS SSO system. The Authorization Server would then issue an access token down to the Client so that the Client can use that access token to access the protected resources i.e. the REST services.
I'm trying to create an application that allows an authenticated user to create OAuth2 bearer tokens for use with APIs published by the organization. The idea is to allow the user to self generate / revoke such tokens, similar to GitHub's Personal API tokens. The user can then use the issued tokens to gain programmatic access to protected resources exposed by the same organization.
This application requires:
A UI to authenticate a user and allow the user to generate and revoke tokens
A server-side RESTful API that allows user authentication and token generation, revocation and storage
Ideally this application would be stateless and not require sessions, using a SPA.
Some questions surrounding the implementation:
Should the exposed API be the #EnableAuthorizationServer /oauth/token endpoint using the Resource Owner Password Credentials Grant type? If so, is it insecure to expose the Client Credentials to the UI? Can this be avoided?
Should the API expose a new, dedicated endpoint which directly calls AuthorizationServerTokenServices? If so, how might this be achieved?
Is there a reference implementation using Spring Boot and Spring Security OAuth2?
Any suggestions or references would be greatly appreciated.