I use Kong as API Gateway for my services which should be OAuth-protected using the Client Credentials flow. Right now, I implemented this using the jwt-keycloak plugin. Everything's fine, I request an auth-token from Keycloak and pass it on with my request towards Kong. Works great.
But there is also the official OAuth2 plugin, and I am trying to find out what that OAuth2 plugin would do better for me in contrast to the jwt-keycloak plugin. What are the differences, or when should I use which of these?
The OAuth 2.0 Authentication Plugin is the equivalent of Keycloak. Kong doubles up as an authorization server if you add the above plugin.
The plugin you are using - jwt-keycloak is more like a validator, that checks for the validity of the tokens issued by Keycloak before passing the request to the backends you host on Kong.
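The distinction in the answer above (issuer versus validator) comes down to which checks the gateway-side validator performs before a request reaches the upstream. The following is an added example, not code from the jwt-keycloak plugin or from Kong, showing those checks on a bearer JWT: pinned algorithm, signature, issuer, intended client (aud or azp), and the exp/nbf time window. It assumes an HS256 shared secret so that it runs offline; Keycloak actually signs with RS256 and the plugin fetches the realm's public keys, so the signature step would use an RSA verify in practice. The realm URL, client id and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this stand-alone example (not taken from the question).
# Keycloak issues RS256 tokens; a shared-secret HS256 token is used here only so
# the example runs offline. The checks below are the ones a gateway-side
# validator has to perform before forwarding a request upstream.
REALM_ISSUER = "https://keycloak.example/auth/realms/demo"   # assumed realm URL
CLIENT_ID = "kong-backend"                                   # assumed Keycloak client
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS, standing in for the token the authorization server issues."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None, secret: bytes = SHARED_SECRET) -> dict:
    """Verify algorithm, signature, issuer, intended client and time window.

    Returns the claims on success and raises ValueError on any failure, so the
    caller (the gateway) can reject the request before it reaches the backend.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the validator side; never let the token choose it
    # (this rejects alg=none and algorithm-confusion attempts outright).
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != REALM_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    # Keycloak records the requesting client in azp; accept the token if it
    # names this client in either aud or azp.
    if CLIENT_ID not in aud and claims.get("azp") != CLIENT_ID:
        raise ValueError("token not intended for this client")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


if __name__ == "__main__":
    issued = mint_token({"iss": REALM_ISSUER, "azp": CLIENT_ID,
                         "exp": int(time.time()) + 300, "sub": "service-a"})
    print(validate_token(issued))
```

Every failure is a hard reject; the order (algorithm, signature, then claims) matters because claims from an unverified payload must never influence the decision. Switching from the shared secret to Keycloak's RSA public key changes only the signature step, not the claim checks.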
Related
If I generate a sample empty project with default JWT auth, JHipster seems to provide no generation for user accounts. Is OAuth the only option with microservices for this?
Maybe you generated only a microservice, the JWT user-management part is generated in gateway only.
Have you tried integrating Kong with Azure Active Directory authentication?
What about it?
I've found this documentation ... but I am not sure if LDAP can be applied with Azure Active Directory.
LDAP Authentication
LDAP Authentication Advanced
At this moment I am looking into it, but I think that LDAP does not apply to Azure Active Directory ... does it?
I think that, to use Kong to control access via multi-factor authentication to resources, or to automate user provisioning between a Windows Server AD and our cloud apps, or to add SSO (allowing it to work with a user's pre-existing credentials), maybe I could use the Kong OpenID Connect auth plugin or the Kong OAuth 2.0 Introspection plugin in order to use Azure Active Directory as a third-party Authorization Server?
My intention is how to protect the Swagger API backend using kong and Azure, and in this way
I've read some things like this, but I don't find any relation of AAD itself with Kong or some external API different from the API Management instance service that they offer to their users.
Could I be wrong in my considerations here?
Is it really possible to work with the Kong authentication and authorization process and third-party auth servers like Azure Active Directory in my case?
Along these lines, could the Kong OAuth 2.0 Introspection plugin be a good alternative to follow?
Is it possible to use Spring OAuth2 as a pure authorization solution while providing external authentication for it? Or is Spring OAuth2 even supposed to be used in such a manner? If yes then what are the injection points for that kind of configuration?
If you are familiar with Kong, then this is basically how the OAuth plugin works:
Here the Login Webapp (which is responsible for authentication) is an external application to Kong OAuth.
We are using the Apache integration kit (mod_pf) for integrating a web application with PingFederate as SP. We want to use PingFederate as the OAuth server as well. Can we use the same integration kit to validate access tokens generated by the OAuth server?
Or are there any other libraries to do it?
One such library that I came across is mod_auth_openidc. Has anyone used it for validating access tokens?
You cannot use the Apache Integration Kit (OpenToken) to validate OAuth tokens. They are completely different token types and formats.
However, Hans Zandbelt (from Ping Identity) actually wrote the mod_auth_openidc you link to and per its description, it does the following:
"It can also function as an OAuth 2.0 Resource Server, validating access tokens presented by OAuth 2.0 clients against an OAuth 2.0 Authorization Server."
mod_auth_openidc can also be used to provide SSO for Apache websites based on OpenID Connect, and thus substitute the mod_pf module that provides SSO based on the OpenToken format and protocol. A sample configuration doing both:
OIDCProviderMetadataURL https://localhost:9031/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID ac_oic_client
OIDCClientSecret abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication
OIDCRedirectURI https://localhost/example/redirect_uri/
OIDCCryptoPassphrase <password>
OIDCOAuthIntrospectionEndpoint https://localhost:9031/as/token.oauth2
OIDCOAuthIntrospectionEndpointParams grant_type=urn%3Apingidentity.com%3Aoauth2%3Agrant_type%3Avalidate_bearer
OIDCOAuthIntrospectionEndpointAuth client_secret_basic
OIDCOAuthRemoteUserClaim Username
OIDCOAuthSSLValidateServer Off
OIDCOAuthClientID rs_client
OIDCOAuthClientSecret 2Federate
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
<Location /api>
AuthType oauth20
Require claim scope~\bprofile\b
</Location>
You may want to look at PingAccess for this need. It works alongside PingFederate to handle both browser SSO and OAuth access token validation use cases which may simplify your deployment.
It has benefits over an Apache module in that it allows for centralized administration of access control policies and centralized logout across different applications, which is a typical requirement in an enterprise environment.
For your question "Are there any other libraries to do it?", I take this to mean: is there anything else beyond mod_auth_openidc? There is another option. OAuth is a RESTful service to the PingFederate OAuth Authorization Server (OAS). If all you desire to do is validate the incoming Access Token, then you create a REST API call to the PingFederate OAS to validate the token. Within PingFederate you would need to configure an OAuth client for validation. You could integrate cURL within your application for the REST client and then call the PingFederate OAS. You would have to process the response based on your application or service requirements.
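The mod_auth_openidc sample above (the `OIDCOAuthIntrospectionEndpoint*` lines and `Require claim scope~\bprofile\b`) and the "build your own REST call to the OAS" option in the last answer both amount to the same thing: the resource server sends the bearer token to the authorization server and makes an allow/deny decision from the response. The following is an added example, not code from mod_auth_openidc, PingFederate or the answers, of that round trip as an RFC 7662 token introspection client in Python. The endpoint URL and client secret are constructed; the `rs_client` name is reused from the sample configuration. PingFederate's `validate_bearer` grant shown above predates RFC 7662, so the request parameters differ from that sample, but the decision logic on the response is the same.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Assumed values for this stand-alone example (not from PingFederate docs).
INTROSPECTION_ENDPOINT = "https://as.example/as/introspect.oauth2"  # assumed RFC 7662 endpoint
RS_CLIENT_ID = "rs_client"                # resource-server client, as in the sample config
RS_CLIENT_SECRET = "constructed-secret"   # constructed; never commit real secrets


def build_introspection_request(token: str,
                                endpoint: str = INTROSPECTION_ENDPOINT,
                                client_id: str = RS_CLIENT_ID,
                                client_secret: str = RS_CLIENT_SECRET) -> Tuple[str, dict, bytes]:
    """RFC 7662 request: form-encoded body, resource server authenticated
    with client_secret_basic (the OIDCOAuthIntrospectionEndpointAuth value above)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode("ascii")
    return endpoint, headers, body


def authorize(introspection: dict, required_scope: str, now: Optional[float] = None) -> Optional[str]:
    """Turn an introspection response into a decision.

    Returns the user identity (username, falling back to sub) when the token is
    active, unexpired and carries the required scope; otherwise None. The scope
    test is the equivalent of 'Require claim scope~\\bprofile\\b': RFC 6749 scope
    is a space-delimited list, so a whole-word match is a membership test.
    """
    now = time.time() if now is None else now
    # An inactive token is the authoritative "deny"; other fields are then meaningless.
    if introspection.get("active") is not True:
        return None
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return None
    scopes = introspection.get("scope", "").split()
    if required_scope not in scopes:
        return None
    return introspection.get("username") or introspection.get("sub")


def introspect(token: str, required_scope: str, opener=None) -> Optional[str]:
    """Perform the HTTPS round trip to the authorization server and decide.

    The opener parameter exists so a caller can inject a test double; by
    default urllib's opener is used, which validates the server certificate.
    """
    endpoint, headers, body = build_introspection_request(token)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=5) as resp:
        data = json.loads(resp.read().decode("utf-8"))
    return authorize(data, required_scope)


if __name__ == "__main__":
    # Constructed response, the shape an RFC 7662 server returns for a live token.
    sample = {"active": True, "scope": "openid profile email", "client_id": "ac_oic_client",
              "username": "alice", "exp": int(time.time()) + 60}
    print(authorize(sample, "profile"))   # alice
    print(authorize(sample, "admin"))     # None
```

Two points from the sample configuration carry over to any hand-rolled client like this: the introspection call must go over TLS with server validation on (the `OIDCOAuthSSLValidateServer Off` line in the sample is a localhost convenience, not a production setting), and the resource server's own credentials (`rs_client`) are distinct from the client that obtained the token, so a compromised API client cannot introspect tokens it does not hold.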
I understood how to write OAuth 2.0 code for the client side.
Using an existing Authorization Server, like Google, seems not too complicated.
Question is: How to implement my own Authorization Server?
Since many companies have their own User/Privilege system, LDAP based (e.g. Active Directory), etc. - they must have their own Authorization Server.
Is there a framework, libraries, etc. for that? Or do I have to write the code from scratch?
The best reference is the OAuth 2.0 site. They list the available server libraries that you can use. Currently, the options are:
Java
Apache Oltu
Spring Security for OAuth
Apis Authorization Server (v2-31)
Restlet Framework (draft 30)
Apache CXF
PHP
PHP OAuth2 Server and Demo
PHP OAuth 2.0 Auth and Resource Server and Demo
PHP OAuth 2.0 (AS with SAML/BrowserID AuthN, with management REST API, see DEMO)
Python
Python OAuth 2.0 Provider (see Tutorial)
OAuthLib (a generic implementation of the OAuth request-signing logic) is available for the Django and Flask web frameworks
Other
NodeJS OAuth 2.0 Provider
Ruby OAuth2 Server (draft 18)
.NET DotNetOpenAuth
Erlang Oauth2 Server framework
I would also highly recommend that you read all the documentation available on how the standard works before getting started. There are many parts to OAuth and it can get confusing. At least, that's how I feel.
Check out OpenAM by ForgeRock. With little work you should be able to get a Java-based OAuth authorization server running.
http://openam.forgerock.org/