Integrating Kong and Azure Active Directory - oauth-2.0

Have you tried integrating Kong with Azure Active Directory authentication?
What about it?
I've found this documentation, but I am not sure whether LDAP can be applied to Azure Active Directory.
LDAP Authentication
LDAP Authentication Advanced
At the moment I am looking into it, but I think that LDAP does not apply to Azure Active Directory... does it?
I think that, in order to use Kong to control access to resources via multi-factor authentication, or to automate user provisioning between a Windows Server AD and our cloud apps, or to add SSO (allowing it to work with a user's pre-existing credentials), maybe I could use the Kong OpenID Connect auth plugin or the Kong OAuth 2.0 Introspection plugin so as to use Azure Active Directory as a third-party authorization server?
My intention is to protect the Swagger API backend using Kong and Azure, and in this way
I've read something like this, but I don't find any relation between AAD itself and Kong, or any external API other than the API Management instance service that they offer to their users.
Could I be wrong in my considerations here?
Is it really possible to work with Kong's authentication and authorization process and third-party auth servers like Azure Active Directory in my case?
In this line, could the Kong OAuth 2.0 Introspection plugin be a good alternative to follow?

Related

Spring Boot 2, Cloud Netflix and username/password authentication architecture

This is an architecture question. I want to implement an application that processes two kinds of users (admin and clients). Each role can register in the following ways:
admin: username/password registration
client: Facebook/Google/username&password registration
Based on the user's role each of them has a specific action to which he's authorized.
From a technology stack, I want to use Java 8, Spring Cloud Netflix and later on Docker and Kubernetes (in order to have auto-heal and auto-scale).
I've implemented Eureka discovery, Config server, Zuul Gateway and I have two microservices, one for each role (to get me started). I don't know at all how to approach the users' authentication/authorization. From what I see, Spring Security 5 no longer supports an authorization server and I am supposed to use Keycloak? Should the gateway be the authorization server, or should I create another component that is responsible for authentication? What do I use, how do I implement it, and how do I approach redirection between my authorization server and the business microservice?
I can't really find proper documentation that uses username/password, social login and Spring Cloud Netflix together with Spring Security 5.
Your gateway shouldn't be responsible for handling authentication.
One possibility is using the CAS project. It can run as a microservice to handle the whole authentication process. It can handle multiple auth methods like a database (for username/password) and social media like Google or Facebook.
It comes with a basic setup that has a login page and a configured Dockerfile. You can customize everything. Just add the related dependency and add the config in application.properties. You can customize the frontend.
https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html
By the way: if you use Kubernetes you don't need a gateway or service discovery with Eureka. Kubernetes does this for you.
For API security, after moving to #Kubernetes, you can use Envoy or a similar solution.
For authentication and authorisation, you need an identity management system (like #Okta or PingFederate, or an open source one like #OpenIAM) and then integrate using Spring & OAuth2.

identity provider - Build identity provider manual on local

I'm using Spring Security SAML to implement SSO. For testing, I used SSOCircle as the IdP. But now I want to control authentication myself; that is, can I build an IdP host locally using Spring Security (user info will be stored in my database)?
Note: OpenAM is not what I'm looking for.
It is not advisable to build your own IdP because it is a complicated process, even if you use a library like OpenSAML. Your best option would be to install Shibboleth IdP; there are many tutorials online, some on the shibboleth.net website and some on other websites. These two are very good tutorials:
1- https://books.google.ie/books?id=AeBaAQAAQBAJ&pg=PA3&lpg=PA3&dq=Investigation+and+implementation+of+Shibboleth+SSO+authentication+mechanism&source=bl&ots=g6A_kstwJ2&sig=Nr4AR6WKillYyIl5UQaUszkTDB8&hl=en&sa=X&ved=0ahUKEwibtvL51tvJAhUI_A4KHb18DUYQ6AEIKTAB#v=onepage&q&f=true
2- https://tuakiri.ac.nz/confluence/display/Tuakiri/Installing+a+Shibboleth+3.x+IdP

Is it possible to use Gitlab as an oauth provider?

I know that it is possible to log into GitLab with external providers such as GitHub.
However, I was wondering whether GitLab's OAuth can be used to authenticate users to my application?
Is there an OAuth endpoint that I can use?
It should be possible, since the suggestion "OAuth system for third party application" seems completed with GitLab 7.7 (which is to be released):
It would be powerful to have an OAuth authentication system with application management like GitHub's.
If this feature appears in GitLab, developers would be able to create many third-party applications like Travis-CI or Scrutinizer which can interact directly with a "GitLab Connect" system, the same as GitHub or Bitbucket.
We should manage authorization scopes too (profile view/edit, group access, project access, etc.).
GitLab team (Admin, Gitlab) responded · Dec 22, 2014
Completed In GitLab 7.7
See the diff between GitLab 7.6 and 7.7 and:
commit ed932d8
commit f9ece12
February 2016 edit, complementary links:
GitLab as OAuth2 authentication service provider
GitLab as an OAuth2 client
Doorkeeper, what GitLab uses to implement OAuth
Note: with GitLab 13.11 (April 2021)
Register OAuth applications at the group level
Group owners can now register OAuth applications for a group.
Previously, OAuth applications could only be registered by individual users or at the instance level.
Making this functionality available at the group level reduces the administrative burden for instance administrators and removes the dependency on individual users for the configuration of OAuth applications.
Thanks to the amazing work from GitLab contributor Jonas Wälter from Siemens, this feature is now available in 13.11.
See Documentation and Issue.
No, it is not. Currently the only supported scope is api, which gives the authenticating client full access to everything in the user's name. See https://gitlab.com/gitlab-org/gitlab-ce/issues/22323 to track progress.
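The authorization-code exchange against GitLab as the OAuth2 provider, written out as an added example (this is not code from the question, the answers or GitLab itself). It assumes a self-hosted instance at gitlab.example.com, placeholder client credentials and a callback URL on the relying application; the endpoint paths /oauth/authorize, /oauth/token and /api/v4/user are GitLab's real ones, and the read_user scope is one of the narrower scopes GitLab has offered since the api-only days the last answer describes. The part worth copying is the state handling in the callback: without it, an attacker can complete the flow with their own code and log the victim into the attacker's GitLab identity (login CSRF).

```ruby
require "uri"
require "json"
require "securerandom"
require "net/http"

# Instance URL, client credentials and redirect URI are placeholders for this example.
GITLAB_URL    = "https://gitlab.example.com"
CLIENT_ID     = "your-application-id"      # the Application ID GitLab shows after registering the app
CLIENT_SECRET = "your-application-secret"
REDIRECT_URI  = "https://myapp.example.com/auth/gitlab/callback"

# Per-login CSRF token; store it in the user's session before redirecting.
def new_state
  SecureRandom.urlsafe_base64(32)
end

# Step 1: send the browser to GitLab's authorization endpoint.
def authorization_url(state, scope: "read_user")
  params = { "client_id" => CLIENT_ID, "redirect_uri" => REDIRECT_URI,
             "response_type" => "code", "state" => state, "scope" => scope }
  "#{GITLAB_URL}/oauth/authorize?#{URI.encode_www_form(params)}"
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2: handle the redirect back. A state mismatch is rejected outright, never retried.
# Returns [:ok, code] or [:error, reason].
def handle_callback(callback_url, expected_state)
  query = URI.decode_www_form(URI(callback_url).query.to_s).to_h
  return [:error, "provider error: #{query["error"]}"] if query["error"]
  return [:error, "state mismatch"] unless expected_state && constant_time_equal?(query["state"].to_s, expected_state)
  return [:error, "missing code"] if query["code"].to_s.empty?
  [:ok, query["code"]]
end

# Step 3: exchange the code at /oauth/token, server to server (the secret never reaches the browser).
def token_request(code)
  req = Net::HTTP::Post.new("/oauth/token")
  req.set_form_data("grant_type" => "authorization_code", "code" => code, "client_id" => CLIENT_ID,
                    "client_secret" => CLIENT_SECRET, "redirect_uri" => REDIRECT_URI)
  req["Accept"] = "application/json"
  req
end

# Step 4: identify the user with the access token.
def user_request(access_token)
  req = Net::HTTP::Get.new("/api/v4/user")
  req["Authorization"] = "Bearer #{access_token}"
  req
end

# Sends a request to the GitLab instance over TLS and parses the JSON body.
def send_json(req)
  uri = URI(GITLAB_URL)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
  raise "GitLab returned #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

if __FILE__ == $PROGRAM_NAME
  state = new_state
  puts "Redirect the user to: #{authorization_url(state)}"
  # Simulated redirect back from GitLab (a real callback carries a code GitLab issued):
  status, code = handle_callback("#{REDIRECT_URI}?code=abc&state=#{state}", state)
  puts [status, code].inspect
  # With network access:
  #   token = send_json(token_request(code))["access_token"]
  #   user  = send_json(user_request(token))   # user["username"], user["email"], ...
end
```

Map the returned user["id"] (not the username, which can change) to your application's account, and ask for the smallest scope that serves the login; api is far more than a sign-in needs.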

How to use LDAP on window azure?

I am new to ADFS and LDAP. Our project is a mix of technologies: MongoDB, Node.js and Rails. We are planning on deploying MongoDB, Node.js or Rails on Windows Azure. As LDAP is being used for Active Directory in Ruby, how is LDAP used on Windows Azure? Is there any performance change in using ADFS in Ruby compared to LDAP in Ruby? If yes, how can I implement ADFS in Ruby?
Does anyone know how this is possible? Thanks in advance.
Is your LDAP server going to stay on-premises? Just to be clear, ADFS is not equivalent to LDAP. ADFS is a "Security Token Service" (STS). LDAP is a Directory.
Since you mention ADFS, presumably your apps will authenticate users on (on-premises) Active Directory. ADFS can only authenticate users on AD, not on arbitrary directories.
To connect your Node.js and Ruby apps to ADFS you would need to implement either WS-Federation or the SAML protocol. These are the two protocols supported by ADFS. You can read more about it here.
Alternatively, you can implement your own STS and connect it with whatever you want (ADFS or LDAP). If you do this, then you have more control over what kind of protocols to implement in your app (e.g. OAuth2 or something else). It seems there are more libraries you can leverage compared to WS-Fed / SAML.
There are many open source STSs you can look at. IdentityServer is one of them, and people have successfully built solutions on it. You will have to host this yourself.
Another alternative is to rely on a 3rd party service like Auth0 (which is available on the Windows Azure store). (Disclaimer: this is a product I'm working on).

Service to Service authentication , service identity and access rights management

I am currently developing a distributed application using Ruby, Ruby on Rails, Sinatra and pure Rack web services.
I will have a few services (RESTful, not SOAP-based) which will communicate using JSON, and I would need a way to secure and verify the identity of each of those services during the communication between them, so that no one could pretend to be a service and make requests to the other services.
The core idea is to treat the other services as "users" and be able to verify their identity and limit their access to data if necessary.
So the question is how to do this using only Ruby, and how to manage the service identities and their access rights effectively.
Should I build some additional authentication service usable by the services ?
Should I build internal gems to provide some connection middleware with keys/shared secrets ?
Is there maybe some other way to do this?
I would generate an application ID and secret that you could pass with each request. Since you are not dealing with other users, just applications, try looking into authentication tokens with Devise.
I think OAuth is a protocol that is commonly used for web service - to - web service runtime authentication, especially with RESTful APIs.
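An added example of the application-id-plus-secret approach the first answer suggests, not code from either answer. It differs from the answer in one respect, stated plainly: the secret never travels with the request. The caller uses it as an HMAC key over the method, path, timestamp, nonce and body hash, and the receiver recomputes the signature from its own copy, so a captured request cannot be replayed, retargeted at another path, or edited in transit. The service registry, secrets and allowed actions are constructed for the example; in a real deployment they come from a vault or a small internal auth service, and the nonce cache needs a TTL store shared across instances.

```ruby
require "openssl"
require "securerandom"

# Constructed service registry: app id -> shared secret and the actions it may call.
SERVICES = {
  "billing-svc"   => { secret: "b1ll1ng-secret-change-me",   allowed: ["GET /invoices", "POST /invoices"] },
  "reporting-svc" => { secret: "r3port1ng-secret-change-me", allowed: ["GET /invoices"] }
}.freeze
MAX_SKEW    = 300  # seconds a signed timestamp may differ from the receiver's clock
SEEN_NONCES = {}   # replay cache; in production a TTL store shared across instances

# Everything that matters about the request goes into the signed string, so a
# captured signature cannot be reused against a different path, body or time.
def canonical_string(method, path, timestamp, nonce, body)
  body_hash = OpenSSL::Digest::SHA256.hexdigest(body.to_s)
  [method.to_s.upcase, path, timestamp.to_s, nonce, body_hash].join("\n")
end

# Client side: prove knowledge of the secret without sending it.
def sign_request(app_id, secret, method, path, body, now: Time.now.to_i)
  nonce = SecureRandom.hex(16)
  sig = OpenSSL::HMAC.hexdigest("SHA256", secret, canonical_string(method, path, now, nonce, body))
  { "X-App-Id" => app_id, "X-Timestamp" => now.to_s, "X-Nonce" => nonce, "X-Signature" => sig }
end

# Byte-by-byte comparison whose timing does not depend on where the strings differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: authenticate the caller, then authorize the action.
# Returns [true, app_id] or [false, reason].
def authenticate_request(headers, method, path, body, now: Time.now.to_i)
  app_id  = headers["X-App-Id"]
  service = SERVICES[app_id]
  return [false, "unknown service"] unless service
  ts = headers["X-Timestamp"].to_i
  return [false, "stale timestamp"] if (now - ts).abs > MAX_SKEW
  nonce = headers["X-Nonce"].to_s
  return [false, "replayed nonce"] if SEEN_NONCES.key?(nonce)
  expected = OpenSSL::HMAC.hexdigest("SHA256", service[:secret],
                                     canonical_string(method, path, ts, nonce, body))
  return [false, "bad signature"] unless constant_time_equal?(expected, headers["X-Signature"].to_s)
  SEEN_NONCES[nonce] = ts   # record only after the signature proved genuine
  action = "#{method.to_s.upcase} #{path}"
  return [false, "forbidden: #{action}"] unless service[:allowed].include?(action)
  [true, app_id]
end

if __FILE__ == $PROGRAM_NAME
  secret  = SERVICES["reporting-svc"][:secret]
  headers = sign_request("reporting-svc", secret, "GET", "/invoices", "")
  puts authenticate_request(headers, "GET", "/invoices", "").inspect
  puts authenticate_request(headers, "GET", "/invoices", "").inspect   # same nonce again
  puts authenticate_request(sign_request("reporting-svc", secret, "POST", "/invoices", "{}"),
                            "POST", "/invoices", "{}").inspect          # not in its allowed list
end
```

In a Rack middleware the headers arrive as env["HTTP_X_APP_ID"] and friends, and the body is read from env["rack.input"] (rewind it afterwards so the application still sees it). Keep the allowed-action list on the receiving side, as here: each service decides what its callers may do, rather than trusting a caller's claim about its own rights.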
