WSO2 API Manager and WSO2 key manager: user roles are not validated - oauth-2.0

I am using WSO2 Identity server and WSO2 API Manager to manage access. I want to ensure role based access control to APIs using oauth2 scopes and authorize end-users to access my APIs based on their roles. For this purpose, I have to expose my APIs on the api manager and create a SPA for user authentication before accessing the APIs. I have many users (developers, publisher, customer, agent, etc.).
To do this, I first configured wso2am-3.2.0 with wso2is-km-5.10.0 using the following guide.
https://apim.docs.wso2.com/en/latest/install-and-setup/setup/distributed-deployment/configuring-wso2-identity-server-as-a-key-manager/#step-1-download-prepackaged-wso2-is-as-a-key-manager-wso2-is-km
To perform role based access control to APIs for developers, I created scopes for the API and assigned scopes to roles. I'm able to generate an access token for each scope, but role validation is not performed: all my users, whatever their roles, can access my APIs, and access is not restricted by user roles. When I tested role based access control to APIs with the default integrated key manager of the API manager (https://apim.docs.wso2.com/en/latest/learn/api-security/oauth2/oauth2-scopes/fine-grained-access-control-with-oauth-scopes/), it is working normally, but the integration of WSO2 identity server as key manager leads to this behavior.
Did I miss any setup in the WSO2 identity server or API manager for role validation when accessing an API with a given scope?
I can get an access token for each scope as follows:
{
"access_token": "x",
"refresh_token": "x",
"scope": "view_item",
"token_type": "Bearer",
"expires_in": 3600
}

We can use the API below to generate a token based on the scopes associated with the user role.
https://localhost:9443/oauth2/token

Related

Scopes Not Returned w/ Client Credential Flow

Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
In my experiment, I configured 2 Azure AD applications, one for a Web API and one for a client (Web API Client A). I added a scope to the Web API but when requesting the access token via the client credential flow, the scope wasn’t returned. 🤔
Also, it only allowed me to request an access token when using .default for a scope, i.e. api://web-api-client-credential-flow/.default.
I ran across this Azure Feedback item: V2.0 Client Credentials Implement Scopes so it appears scopes aren't supported in Azure AD under the client credential flow?
What’s the point in giving my Web API Client A application permissions for that scope if they are not returned? How could the Web API know if the daemon application has that scope to perform the necessary action?
It would seem I would have to use application permissions?
Yes, you have to use application permissions.
Scopes aka delegated permissions only apply when a user is involved in the login process.
They allow you to act on behalf of a user.
Application permissions are sort of roles given to the application itself.
They only apply when doing client credentials authentication, where no user is involved.
You can define application permissions on the app via the Manifest in the app registration.
These can then be assigned to the client application.
When getting the token, you must use .default because you cannot change your app permissions dynamically.
You always get what has been granted already.
In the token the permissions will be in a roles claim.
Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
No, but you can define application permission(s) via the manifest (definitely not as nice as the UI for delegated scopes) and have them returned via the client credential flow:
Then you can provide the client app permission:
Now when requesting a token with a scope of api://web-api-client-credential-flow/.default the "scopes" are returned in the roles claim. Sample JWT
Yes, you need to use api://web-api-client-credential-flow/.default for client credential flow.
And the application permissions will be returned in roles instead of scopes.
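How a Web API can act on the distinction described in these answers, as an added example that is not code from the thread: delegated permissions are read from the `scp` claim and application permissions from the `roles` claim. It assumes the token's signature, issuer and expiry were already validated, that `aud` carries the App ID URI shown in the question, and the permission names `Items.Read` and `Items.Read.All` are hypothetical.

```python
# App ID URI taken from the thread; assumed to be the token's `aud` value.
EXPECTED_AUDIENCE = "api://web-api-client-credential-flow"

# Constructed sample claims (already-validated token payloads).
DAEMON_CLAIMS = {"aud": EXPECTED_AUDIENCE, "roles": ["Items.Read.All"]}
USER_CLAIMS = {"aud": EXPECTED_AUDIENCE, "scp": "Items.Read profile"}


def granted_permissions(claims):
    """Return (kind, permissions) for a validated access token payload."""
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("token was not issued for this API")
    if "scp" in claims:
        # A user took part in the login: delegated permissions,
        # carried as one space-separated string.
        return "delegated", set(claims["scp"].split())
    # Client credentials flow: no user, no scp claim. Application
    # permissions arrive as a list in the roles claim.
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    return "application", set(roles)


def is_authorized(claims, required_scope, required_app_role):
    """Check the permission that matches the kind of caller.

    A user token must hold required_scope; a daemon token must hold
    required_app_role. A roles entry never satisfies a user request.
    """
    try:
        kind, perms = granted_permissions(claims)
    except PermissionError:
        return False
    required = required_scope if kind == "delegated" else required_app_role
    return required in perms
```
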

Grant a Keycloak client service account permissions to create realm users without using the broad manage-users role

I have a web application that is leveraging Keycloak for IdM.
I am using the Resource Owner Password Credentials or Direct Grant flow for authentication which uses REST API calls to /auth/realms/{realm}/protocol/openid-connect/token instead of browser redirects to get the user a JWT.
I would like to implement a similar workflow for signing users up.
Looking at the Keycloak documentation it appears the Keycloak Admin API exposes an endpoint for this at /auth/admin/realms/{realm}/users.
To allow clients to interact with the Keycloak Admin API you have to create a client service account and associate it with a keycloak role with sufficient privilege to manage realm users.
The expected approach for this seems to be to apply the manage-users realm specific role to the client service account. This is more permissions than I would like to grant to the client.
Is there a way to grant a client service account just the ability to create new users and not the full set of permissions that comes with manage-users?

Oauth2, scopes and user roles

I am asking a question conceptually here as I am trying to understand the relationship between scopes and user roles in an OAuth2 based system.
As I am implementing an API, I want to restrict access to specific resources by using scopes on the resources. I understand the use of access tokens to request resources, and I believe my understanding to be correct in that you specify your scope(s) when requesting the access token.
What I am not entirely sure of is how restriction of scopes would work based on specific roles that an authenticated user is in. Let's assume Bob is an admin and Sue is a regular user. We have some resources protected by an is_admin scope. What stops Sue from requesting (and receiving) is_admin scope in her access token?
I am thinking that what should happen is the following:
Bob authenticates.
Bob's roles are looked up after his authentication is complete. His "admin" role has the "is_admin" scope attached.
Bob asks for an access token with all the scopes collected from his various roles
Bob is automatically given those scopes for his access token
Is it up to my calling app to enforce only asking for the scope Bob needs? Or is there something I am missing with regards to scopes?
Can someone please enlighten me with some simple examples?
In OAuth2, there are the following roles:
Resource owner - usually some person
Auth provider - the OAuth2 server
Resource server - an API that requires an access token and validates its scopes
Client application - application requesting an access token with some scopes.
To understand OAuth2, it's necessary to think about it as a protocol for access rights delegation from a Resource owner to a Client application. So the main use case is: the Client application wants to access the Resource server. In order to do that, the Client application needs an access token issued by the Auth provider and authorized by the Resource owner (which gets authenticated by the Auth provider).
In your description, the Client application is missing. Let's assume it's a frontend application for your API. It needs an access token with scopes admin-user-scope or regular-user-scope. So it redirects a user (Resource owner) to the Auth provider, requesting both scopes.
The Auth provider authenticates the user and asks him/her for a consent on granting some of the requested scopes to the Client application. The Auth provider may remove some scopes - for example the admin-user-scope for non-admins. The Auth provider may give the user a possibility to remove some scopes too.
The Client application receives an access token (or a grant) with scopes in a redirect URI. If the granted scopes differ from the requested scopes, the Auth provider sends a list of granted scopes (the scope URL parameter) along with the access token, so the Client application knows what actions it can perform with the access token.
Then the client application may access the Resource server and the Resource server makes sure that the provided access token contains required scopes. The Resource server uses the OAuth2 introspection endpoint to validate the token and to get a list of its scopes.
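The flow from this answer, as an added example that is not part of the original post: the Auth provider narrows the requested scopes to what the user's roles allow, reports the granted scopes back, and the Resource server checks the introspection result. The role table, the `view_item` scope for regular users and all function names are constructed for illustration; `introspect` is a local stand-in for an RFC 7662 introspection call.

```python
# Constructed role-to-scope mapping and users (not from a real deployment).
ROLE_SCOPES = {
    "admin": {"is_admin", "view_item"},
    "user": {"view_item"},
}
USER_ROLES = {"bob": ["admin"], "sue": ["user"]}


def grant_scopes(username, requested):
    """Auth provider: keep only requested scopes the user's roles allow."""
    allowed = set()
    for role in USER_ROLES.get(username, []):
        allowed |= ROLE_SCOPES.get(role, set())
    return sorted(set(requested) & allowed)


def issue_token_response(username, requested):
    """Build the token response; 'scope' reports what was actually granted,
    which may be less than what the client asked for."""
    granted = grant_scopes(username, requested)
    return {
        "access_token": f"opaque-{username}",  # placeholder, not a real token
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(granted),
    }


def introspect(token_response):
    """Stand-in for the introspection endpoint (RFC 7662 response shape)."""
    return {"active": True, "scope": token_response["scope"]}


def resource_server_allows(introspection, required_scope):
    """Resource server: reject inactive tokens and tokens lacking the scope.

    The scope string is split so that only an exact scope name matches.
    """
    if not introspection.get("active"):
        return False
    return required_scope in introspection.get("scope", "").split()
```
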

WSO2IS openid-connect : Access control using access-token

I use WSO2IS as an OIDC provider for authentication and authorization. Using Authentication Code grant, I got the access-token. I need to authorize the users to access specific services based on their roles.
I tried to use XACML to solve this, but I found that I need to pass base64 encoding of username:password in the header of REST API XACML request. Instead, is there any way I can authorize the user to access services based on their roles, using the access-token?
This part of authorization happens in the resource server. I thought I could use the introspection endpoint to authorize the user based on the access token using scopes. But I don't understand how scopes can be used to provide access control to the users.
To get an access token with all scopes available to a user, the OAuth2 client must request all scopes it cares about and the token will contain only those that the user has access to. See this question.
Yes, it's cumbersome, but OAuth2 is primarily an authorization delegation protocol - it allows users to delegate some of their rights (scopes) to a client.
Alternatively, if you could decide permissions based on roles, you could probably get a list of user roles from an ID token.

Microsoft Graph API Multi tenant App-only auth scheme

Microsoft Graph API provides App-only authentication scheme, which works perfectly for the tenant that owns an application.
I have an Azure tenant and I created the application inside it following documentation guide. My application is now able to obtain an access token using https://login.microsoftonline.com/<tenantId>/oauth2/token endpoint, which allows me to query the Graph API for the users inside my tenant.
However, I would like my application to be able to obtain access tokens for other tenants as well. I suppose the external tenant owner should somehow insert my application inside their Azure tenant, apply certain app-only scopes and provide me the tenant id in order to query the token endpoint.
Is multi-tenancy possible for app-only authentication scheme?
How does the tenant owner insert my application into their Azure tenant?
Multi-tenancy for app-only is possible, however, in order to enable this you require two things:
You need to have a web UI for the tenant admin to sign in to and perform admin consent in order to, as you called it, "insert my application into their Azure tenant." Make sure you add the query string parameter &prompt=admin_consent.
More info on admin consent: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devhowto-multi-tenant-overview/#understanding-user-and-admin-consent
Sample controller method that "signs up" the user for an app via admin consent:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-multitenant-openidconnect/blob/master/TodoListWebApp/Controllers/OnboardingController.cs#L33-L58
You will need to keep track of which tenants consented to your application so that you can enable the code that runs the app-only flow for them. Unlike the delegated flow, you can't use the common endpoint (https://login.microsoftonline.com/common) but rather need to use the tenant specific endpoint for each instance or run of the app only flow.
