I am trying to authenticate the communication between two backend services using google oAuth server. It looks like Google does not support Client Credential Grant, rather it provides Service Accounts.
Is there a way I can achieve client credentials grant using Google Auth Server? Can I use Service Accounts to communicate between services outside Google Cloud?
Related
I used Serverless to create API gateway endpoints + lambda functions. I want to secure API gateway endpoints using the access token oAuth. I am trying to provide credentials (sign up and sign in) in my iOS native app. Here are the facts I learned.
I want to secure my API gateway using OAuth and access token.
Because I have already created API gateway endpoints and lambda functions, Signup and Sign in using Amplify is not the best idea. I can't use Amplify's access token in the API gateway because in the Cognito user pool (under App Client Settings) I have selected Authorization Code grant (instead of implicit which is not that secure and client credentials are for the machine to machine) type OAuth flow.
I have in app Sign up and Sign in UI and don't want to use Hosted UI.
I want to authenticate and authorise users of my app.
My question is:- Can I use the Authorization code grant type without using Hosted UI or web browser? i.e. make a rest call with username and password and get the Authorization code. Once I get the Authorization code then make a call to the token endpoint to get the access token. Once I get the access token then call API gate with that access token. All of the above natively without using a browser or hosted UI.
Thank you very much in advance.
We have an application hosted on AWS using Cognito Service, with Azure AD acting as the Identity provider. The solution works great with username and password, authenticating against the Cognito user pool.
We now need the above to work for service-to-service call scenario.
The unattended scheduled service will call another service (all hosted in AWS) but will need to authenticate with access token.
I was thinking of using client credential flow. But I could not find an approach which will work for the above scenario (i.e) client credential flow with Cognito using Azure AD as Identity provider.
When I go Azure AD Application Registration and view the endpoints, the oauth2/token endpoint shows up, but I have not figured out how this will work with Cognito.
Does any one know how to implement this?
In cognito if you use client credentials flow, there will not be any federated Identity provider involved. There will be no users so no need to use Azure AD to generate tokens. You will make the access request using Client Id and Client Secret and will be granted an access token that you can use.
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
I'm working on OData/webAPI service implementation. PowerBI desktop app will be used to retrieve info from the service using odata feed datasource.
Service in protected by Azure B2C auth. Accessing odata endpoints using browser works fine - after signing in access is granted. But when I'm trying to connect to the feed using powerbi desktop by performing signin attempt, it reports that token source is not trusted.
picture related: sign in error
Also, in case of single-tenant Azure AD auth (not B2C) usage, authentication in PowerBI worked though.
So, is there a possibility to make PowerBI work with Azure AD B2C (to make it trust the token source)?
No, Azure AD B2C does not issue tokens which Microsoft first party services recognize. AAD B2C is used to protect you own services which you supply to your own customers.
If you would like your customers to have self service sign up, and access Power Bi resource, then have your front end web app talk to a backend API. Protect the front end and backend with AAD B2C. That backend API should use client_credentials to authenticate via AAD endpoints to access Power Bi data on behalf of the user.
I have an Asp.Net Core 2.0 Web API running as a web app in Azure. My API is consumed by client applications which are windows service running on servers at various client sites. So, this is a "Daemon or Server Application to Web API" communications flow as described in Authentication Scenarios for Azure AD
I register the client application at each site as a separate unique app in Azure AD, obtain the ClientId and AppKey and send it to the respective site for their devs to use in their service to request a JTW access token from Azure AD to use in the authorization header when making an http request to my API.
This is all working just fine.
The question I have is this; is there any way, in this scenario, that I can identify which site is making the request? From what I understand, it doesn't seem like I can add custom claims to an OAuth2.0 access token, like can be added to an OIDC ID token.
If you register the apps yourself then you know all the client ids for each different site so your API could use the appid in the JWT access token (which is the client id) and cross reference it against a list of sites. Here is an example of a JWT token obtained using the client credentials grant type:
Background
I'm looking into securing a selection of APIs for a client. I'm pretty familiar with the Auth0 offering and quite confident that it will serve me well as an auth provider.
The APIs will be deployed on GCP (Google Cloud Platform) and I've been looking into using Apigee to manage the life cycle of my APIs.
Question
Does Apigee offer an auth store for users similar to what Auth0 offers or is Apigee's OAuth implementation limited to application level authentication using Consumer Key and Consumer Secret as described here?
Apigee OAuth implementation is not limited to Consumer Key/Secret (client credentials grant) but you also can implement different OAuth grant types. Apigee can generate/validate JWT and it's own opaque tokens.
The problem is that Apigee does not provide Identity Provider (IdP) service, it means that it does not have a store for user credentials. You may utilize Apigee's BaaS (Backend-as-a-Service) to store users or integrate Apigee with other IdPs, but there's no built-in solution to authenticate users.