Is it possible to publish an API using KrakenD API gateway? How is API-key supported by KrakenD API gateway? - krakend

API-key is only supported in the Enterprise Edition. Open source users have JWT validation.

Related

Why should I enable OAuth from APIM when it is already secured using Microsoft Identity platform

I have created a Web API using .NET Core 5. I have secured the app using the Microsoft Identity platform. Client apps are able to get to the resource based on their scope/role. So I know that my API is secure.
Now, I need to add the API to the Azure API Management tool.
So my question is: should I enable OAuth from Azure API Management to secure my web API even though my app is already secured? What would be the reason to enable OAuth from API Management?
APIM is a proxy to the backend APIs and implementing security mechanisms to give an extra layer of security to prevent unauthorized access to APIs is a recommended practice.
Configuring an OAuth 2.0 server in APIM merely enables the Developer Portal's test console, as APIM's client, to acquire a token from Azure Active Directory. In the real world, customers will have a different client app that will need to be configured in AAD to get a valid OAuth token that APIM can validate.
OAuth is an authorization framework which allows a recognized client to acquire an access token from an authorization server.
As given in this Microsoft Doc, the Microsoft Identity Platform uses the OAuth 2.0 protocol for handling authorization.
Please find below references that explain how OAuth secures Web APIs/services:
OAuth 2.0 and Azure API Management
How does OAuth secure Rest API calls
Protect APIs using OAuth 2.0 in APIM
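As an added illustration (not part of the answer above), this is the shape of an APIM inbound policy that makes the gateway validate the Azure AD access token itself before the request reaches the backend, which is the "extra layer" the answer refers to. The tenant id, app id URI and scope name are placeholders, not values from this thread.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject the request at the gateway when the bearer token is missing,
         expired, not signed by the tenant's keys, or issued for another audience. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
      <!-- Signing keys and issuer are discovered from the tenant's OpenID configuration
           ({tenant-id} is a placeholder). -->
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <!-- The token must have been issued for this API's App ID URI (placeholder). -->
      <audiences>
        <audience>api://{api-client-id}</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
      </issuers>
      <!-- Delegated scope check: the space-separated "scp" claim must contain the
           placeholder scope Orders.Read; the backend still enforces its own roles. -->
      <required-claims>
        <claim name="scp" match="any" separator=" ">
          <value>Orders.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Keeping the backend's own token validation in place means a misconfigured or bypassed gateway does not expose the API, while the gateway check stops invalid tokens before they consume backend capacity.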

Cloud Identity Platform Test API

The REST API (https://cloud.google.com/identity-platform/docs/use-rest-api) supports user sign-up without the request attribute multiFactor : {enrolledFactors :[]}. It seems that the only way to enable multi-factor authentication is via the NodeJS server as described here: https://cloud.google.com/identity-platform/docs/admin/manage-mfa-users.
Is this correct? The NodeJS API must be relying on the REST API. So is there any reason it will not work with a direct REST API call?
After further investigation, the restful API does let a client programmatically specify MFA attributes. The API is accounts.signUp.
https://cloud.google.com/identity-platform/docs/reference/rest/v1/accounts/signUp

WSO2: endpoint is a REST service which has its own OAuth2 service. Is it somehow possible to disable authentication in WSO2 for one API?

Could you please advise me how to set up an API which has an endpoint already using OAuth2 for authentication/authorization?
Is it possible to disable OAuth2 in WSO2 for one endpoint only?
Thanks a lot.
In WSO2 version 3.1.0, what you could do is, before publishing the API, go to the resource section, select the resources from there, and disable the security for them. Then publish it again.
This should solve your problem.
Please see the link Remove security only for some requests wso2 api manager, in which the publisher has disabled the security for one of the APIs; you can try disabling it for all the APIs under that endpoint.
No. If you are accessing the API published on WSO2 API Manager, you must have the WSO2 API Bearer token to access that API. You cannot disable it for one endpoint.
Reference to invoke APIs:
https://apim.docs.wso2.com/en/next/learn/consume-api/invoke-apis/invoke-apis-using-tools/invoke-an-api-using-the-integrated-api-console/

Slack client secret for OAuth in mobile application

There seems to be an inconsistency in the Slack API docs, in that the OAuth flow requires a client_secret to be provided as part of the exchange of the code for the OAuth token, as documented at https://api.slack.com/methods/oauth.access
However, the client secret then needs to be embedded into the mobile app, which goes against Slack's recommendations at https://api.slack.com/docs/oauth-safety, which states:
Your Client Secret should be treated delicately. It is how you securely identify your application's rights and identity when exchanging tokens with Slack. Do not distribute client secrets in email, distributed native applications, client-side javascript, or public code repositories.
Are there any best practices available in terms of how to manage this discrepancy where the client secret seems to be required for auth but at the same time should not be embedded into the mobile app?
Slack only supports the Authorisation Code Flow for OAuth 2.0, but it doesn't support public clients, only confidential clients. It doesn't support the PKCE flow either.
Their FAQ page suggests using the RTM API if you are developing a mobile app:

How to generate access token for OAuth authentication using the available Client ID and Client Secret for GMail API (IMAP)

I have generated a Client ID and Client Secret for my Java web application using the Google API Console.
I want to generate an access token to be used in my application to authenticate a mailbox and read mails from there with the help of the JavaMail API.
This link has some theoretical information, but I could not understand how the tokens can be obtained.
The answer will depend upon where the application is running, as it determines how the access token can be received:
Using OAuth 2.0 for Web Server Applications
OAuth 2.0 for Client-side Web Applications
OAuth 2.0 for Mobile & Desktop Apps
OAuth 2.0 for TV and Limited-Input Device Applications
There are different alternatives or libraries available to get an access token depending upon the type of application, and different specific mechanisms are defined around each.
It will then be much easier to dive into the specific options available.