RESTful API with HOBA authentication in OpenAPI - swagger

I want to create a specification of an HTTP RESTful API in OpenAPI.
Since authorization and authentication are strict requirements and I don't have HTTPS security, it seems to me that the only available HTTP authentication scheme is HOBA (https://www.rfc-editor.org/rfc/rfc7486).
How do I describe HOBA with the Swagger editor or, e.g., Stoplight Studio or a similar editor?
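An OpenAPI 3 document declaring HOBA as an HTTP security scheme, added here as an example and not taken from the original question: the `type: http` security scheme object accepts any scheme name from the IANA HTTP Authentication Scheme Registry, where HOBA is registered under RFC 7486. The `hoba` key name, the /items path and the response descriptions are assumptions.

```yaml
openapi: 3.0.3
info:
  title: HOBA-protected API (example)
  version: "1.0"
components:
  securitySchemes:
    # HOBA is a registered HTTP authentication scheme (RFC 7486), so it is
    # declared with type: http exactly like Basic or Bearer. The key name
    # "hoba" is assumed; any name works as long as it is referenced below.
    hoba:
      type: http
      scheme: hoba
      description: >-
        RFC 7486 HTTP Origin-Bound Authentication. The client answers the
        server's WWW-Authenticate challenge by signing it with a per-origin
        key pair and returns the result in the Authorization header, so no
        password or reusable bearer secret crosses the wire.
# Apply the scheme to every operation unless an operation overrides it.
security:
  - hoba: []
paths:
  /items:
    get:
      summary: List items (assumed path)
      responses:
        "200":
          description: OK
        "401":
          description: Authentication required; the response carries the HOBA challenge.
          headers:
            WWW-Authenticate:
              description: HOBA challenge parameters as defined in RFC 7486.
              schema:
                type: string
```

Declaring the scheme only documents the challenge/response contract; HOBA keeps the client's private key and any password off the wire, but without TLS an on-path attacker can still read or alter the rest of the exchange.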

Related

How to generate Java REST client from Spring REST Docs like it is generated from swagger.json?

My team used swagger for documenting REST API.
As a QA engineer I was able to generate rest client from swagger.json that was published on remote server upon deploy and use the client for REST API integration testing.
Now we are about to switch from swagger to Spring REST Docs.
QUESTION:
Is there a way to generate a Java REST client from Spring REST Docs like it was possible for swagger?
If yes - how to do that?
If no - are there any alternative ways to get/generate a REST API client?
There's actually a Spring REST Docs extension now that generates an OpenAPI 2/3 spec which you can then use to do additional things - like generate a client:
https://github.com/ePages-de/restdocs-api-spec

How can we pass user information to restrict the swagger APIs endpoints

We have a use case where we need to show user credential params such as username and password, and based on the username value and password validation on the backend side we have to render Swagger APIs.
Not able to figure out how I can render Swagger APIs based on the result of the authentication.
Any pointer will be highly appreciated.
You didn't mention which version of swagger you are using, but it looks like there is support for protecting endpoints via some kind of authentication using Swagger 2.0 and 3.0.
From the 2.0 docs:
Swagger 2.0 lets you define the following authentication types for an API:
Basic authentication
API key (as a header or a query string parameter)
OAuth 2 common flows (authorization code, implicit, resource owner password credentials, client credentials)
From the 3.0 docs:
OpenAPI uses the term security scheme for authentication and authorization schemes. OpenAPI 3.0 lets you describe APIs protected using the following security schemes:
HTTP authentication schemes (they use the Authorization header):
Basic
Bearer
other HTTP schemes as defined by RFC 7235 and HTTP Authentication Scheme Registry
API keys in headers, query string or cookies
Cookie authentication
OAuth 2
OpenID Connect Discovery
Each of those sets of documents has links to examples and further documentation.

PingFederate OAuth validate access token using Apache Integration Kit

We are using the Apache integration kit (mod_pf) for integrating a web application with PingFederate as SP. We want to use PingFederate as an OAuth server as well. Can we use the same integration kit to validate access tokens generated by the OAuth server?
Or are there any other libraries to do it?
One such library that I came across is mod_auth_openidc. Has anyone used it for validating access tokens?
You cannot use the Apache Integration Kit (OpenToken) to validate OAuth tokens. They are completely different token types and formats.
However, Hans Zandbelt (from Ping Identity) actually wrote the mod_auth_openidc you link to and per its description, it does the following:
"It can also function as an OAuth 2.0 Resource Server, validating access tokens presented by OAuth 2.0 clients against an OAuth 2.0 Authorization Server."
mod_auth_openidc can also be used to provide SSO for Apache websites based on OpenID Connect, and thus substitute the mod_pf module that provides SSO based on the OpenToken format and protocol. A sample configuration doing both:
# Browser SSO via OpenID Connect against PingFederate (replaces mod_pf/OpenToken).
# The sample points at localhost and switches server certificate validation Off,
# which is only acceptable for a local test setup.
OIDCProviderMetadataURL https://localhost:9031/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID ac_oic_client
OIDCClientSecret abc123DEFghijklmnop4567rstuvwxyzZYXWUT8910SRQPOnmlijhoauthplaygroundapplication
OIDCRedirectURI https://localhost/example/redirect_uri/
OIDCCryptoPassphrase <password>
# OAuth 2.0 resource-server mode: bearer tokens are validated at PingFederate's
# token endpoint using its validate_bearer grant type, authenticating as rs_client.
OIDCOAuthIntrospectionEndpoint https://localhost:9031/as/token.oauth2
OIDCOAuthIntrospectionEndpointParams grant_type=urn%3Apingidentity.com%3Aoauth2%3Agrant_type%3Avalidate_bearer
OIDCOAuthIntrospectionEndpointAuth client_secret_basic
OIDCOAuthRemoteUserClaim Username
OIDCOAuthSSLValidateServer Off
OIDCOAuthClientID rs_client
OIDCOAuthClientSecret 2Federate
# The web application requires an OpenID Connect login.
<Location /example/>
AuthType openid-connect
Require valid-user
</Location>
# The API requires a valid access token carrying the "profile" scope.
<Location /api>
AuthType oauth20
Require claim scope~\bprofile\b
</Location>
You may want to look at PingAccess for this need. It works alongside PingFederate to handle both browser SSO and OAuth access token validation use cases which may simplify your deployment.
It has benefits over an Apache module in that it allows for centralized administration of access control polices and centralized logout across different applications, which is a typical requirement in an enterprise environment.
For your question "Are there any other libraries to do it?", I take this to mean: is there anything else beyond mod_auth_openidc? There is another option. OAuth is a RESTful service to the PingFederate OAuth Authorization Server (OAS). If all you desire to do is validate the incoming access token, then you create a REST API call to the PingFederate OAS to validate the token. Within PingFederate you would need to configure an OAuth client for validation. You could integrate cURL within your application for the REST client and then call the PingFederate OAS. You would have to process the response based on your application or service requirements.

Is it possible to do out of band oauth2 authentication using the github API

I'm writing a VBA client which needs to post to GitHub. I'd prefer to use OAuth2 for authentication to keep it in line with implementations in other languages.
When specifying the redirect_uri, some OAuth2 providers allow you to specify an out-of-band URI, specifically
urn:ietf:wg:oauth:2.0:oob
Since the VBA app is not web based, I can't specify a real redirect_uri. Does anyone know whether the GitHub API can support some form of out-of-band OAuth2 authentication like this, and if so, how to specify it in the GitHub application console?

How to implement an OAuth 2.0 Authorization Server?

I understood how to write running OAuth 2.0 code for the client side.
Using existing Authorization Server, like Google, seems to be not too complicated.
Question is: How to implement my own Authorization Server?
Since many companies have their own User/Privilege system, LDAP based (e.g. Active Directory), etc. - they must have their own Authorization Server.
Is there a framework, libraries, etc. for that? Or do I have to write the code from scratch?
The best reference is the OAuth 2.0 site. They list the available server libraries that you can use. Currently, the options are:
Java
Apache Oltu
Spring Security for OAuth
Apis Authorization Server (v2-31)
Restlet Framework (draft 30)
Apache CXF
PHP
PHP OAuth2 Server and Demo
PHP OAuth 2.0 Auth and Resource Server and Demo
PHP OAuth 2.0 (AS with SAML/BrowserID AuthN, with management REST API, see DEMO)
Python
Python OAuth 2.0 Provider (see Tutorial)
OAuthLib (a generic implementation of the OAuth request-signing logic) is available for the Django and Flask web frameworks
Other
NodeJS OAuth 2.0 Provider
Ruby OAuth2 Server (draft 18)
.NET DotNetOpenAuth
Erlang Oauth2 Server framework
I would also highly recommend that you read all the documentation available on how the standard works before getting started. There are many parts to OAuth and it can get confusing. At least, that's how I feel.
Check out OpenAM by ForgeRock. With little work you should be able to get a Java-based OAuth authorization server running.
http://openam.forgerock.org/
