Securing Rest APIs - oauth-2.0

I have two set of RestAPIs used for same application developed on two different frameworks.
One on SpringBoot secured using OAuth 2. Second set of APIs developed on Jooby microframework of RestAPIs.
Since the services on Jooby are not secure how can i do that? So that both set of APIs are secured.
The Login is working in conjunction with SpringBoot App and OAuth 2.0 and same user credentials should be used for jooby apis as well. Does it make sense to put some sort of gateway common for both the set of apis?

Well, security is a broad topic and frameworks implement security guidelines and support when becoming mature. Even I don't have any prior experiences with Jooby, after referring their documents I found a couple of support libraries and extensions.
Moreover, you can follow this great Github repo as a checklist and implement what relevant to your context.
If you can provide more implementation details about your login, I can give a more specific answer. But it seems common gateway isn't really necessary and you can use authentication credentials such as tokens directly with your Jooby API's as well. See pac4j which is listed under Jooby documents.

Related

Open source cross domain authentication? Custom databases

So I have been looking into OAuth lately, I want to authorize another of my domain which has separate database using OAuth. Upon searching I found auth0.com. Which sounded similar to Oauth and I created a sample implementation, it offers support for custom databases also. We have users stored in external api running on .net core, and I learnt that auth0.com is not free after trial expiration. So my efforts kindof got wasted. Now I am looking for authorization method that works for both domains.
Now my question is, does it even make sense to use Oauth for this task? Since I won't be giving it to third party and it's matter of two databases. How should i approach this and what are opensource Oauth services that allow custom database.

New single page app needs to authenticate to legacy app using Shibboleth

I am creating a new React SPA. Users of a legacy app need be able to use the new app without re-authenticating. So I need to support SSO.
It's important to note that it is also required that users of other (currently unspecified) apps should also be able to use the new app without re-authenticating, so whatever approach I take needs to be sufficiently decoupled to potentially allow this.
The legacy app supports authentication via Shibboleth, the new app currently has no authentication method, but uses JWT for authorisation.
I'm wondering if anyone has any experience of such a scenario? It seems to me that I probably need to be create an OAuth2 authorisation server for the new app to talk to and I need to somehow bring Shibboleth into the mix for the authentication, maybe with the authorisation service acting as a Shibboleth Service Provider. Googling around hasn't revealed much useful info.
Is what I've described along the right lines? I know it's very high level and woolly, but I'm really not sure of the approach to take. Any advice, information or experience in this area would be gratefully received!
GOALS
It's a little bit of a subjective question, but the main goals are usually as follows:
Focus on building your UI and API security in a future facing manner
Also provide good Login Usability
Also deliver on non functional requirements such as availability / reliability
AUTHORIZATION SERVER
On the first point, the modern option is to integrate UIs and APIs with an Authorization Server - perhaps as in My Tutorial. Your architecture is then good, but the migration is not trivial.
FEDERATING TO SHIBBOLETH
The Authorization Server can then redirect to Shibboleth and talk SAML2.0 to achieve Single Sign On, as you suggest. It is a complex solution though, and may be a backwards step in some ways.
AVAILABILITY
This is usually a big concern, and most companies use a cloud provider such as Azure / AWS due to its high availability / low maintenance / low cost. Would this be a better option for you?

Can I use AEM as OAuth 2.0 client?

Does Adobe Experience Manager support OAuth 2.0 as a client? I mean AEM connecting with an external application which plays a role of authorization server and resource provider.
I could not find any examples of such usage - AEM is usually presented as an authorization server and resource provider for other client applications.
AEM provides an number of authorization integrations. Maybe you can switch to SAML, which works pretty good out-of-the-box. I once integrated AEM with Keycloak with good results (but using SAML).
Regarding OAuth most documentation is dominated by AEM as an OAuth provider. They integrated Apache Oltu (which is end-of-life anyway).
But AEM provides an OAuth client as well. But it needs a custom extension for each provider. Out-of-the-box are only implementations for Twitter and Facebook available. But there seems also Github and IMS (Identity Management from Adobe Managed Services) to be available.
Please check also Package Share. But I don't know what is available there. And you probably need support from Adobe, to judge the quality and usefulness of such packages.
If you have to implement your own Provider-Extension, the best starting point I found was here:
https://aemcorner.com/adobe-granite-oauth-authentication-handler/
You are basically free to build whatever you want, as AEM is basically nothing else but a Java application. But you might want to keep in mind, that the standard applications of AEM are delivering rendered HTML from the dispatcher in the end. You want to have as little load on the publishers as possible.
So, when authorisation of resources is a technical- or business concern, you might need to dive deeper into SPAs or at least async loading of resources as JSON.

Apache Syncope with OAuth 2

I am trying to find some information about using Apache syncope (Identity management system) with OAuth 2 authorization.
I see there is no implementation in AS yet as written here: https://issues.apache.org/jira/browse/SYNCOPE-534 so AS is "pure" Identity Manager - not directly involved in authorization operations like oauth 2.0
I have found I should use some Access Managers to implement such scenario.
What access managers should I use? Could you give some advice? thanks
On the page Access Managers you can see that there exist several ones, just not for OAuth 2.
For OAuth 2 an Access Manager had to be developed, perhaps it's possible on base of the existing ones.
Having a look at some commits concerning OpenID there exist the following list:
[SYNCOPE-1270] implementation for OpenID Connect for Admin Console and Enduser
[SYNCOPE-1270] OpenID Connect Logout implementation
[SYNCOPE-1018] self registration for OpenID Connect
It seems being mixed in core though, so probably it's impracticable to do it in the same kind as core can't be updated anymore without problems.
On the other hand, if you are willing to provide the new Access Manager directly to core-development it wouldn't matter, but then it's advisable to contact the core-developers on github first.
While REST might serve as interface for a separated module, the authentication process is technically explained as Provisioning Service.
In Extensions you get an impression which extensions exist and you'd to verify them to get knowledge how to solve your approach in an own extension. I'd chose perhaps SAML 2.0 Service Provider as it's also related to authentication.
Concerning OAuth 2 itself there exist a few implementations in github, regrettable only in PHP, but perhaps that helps you a bit.

Authenticating on two different backend servers

Due to requirement changes we need to add a node server to our already existing system. We will be using sails.js for the realtime communication part of the app and redis store for session management. But the confusion now is what is the best way to authenticate the client app/user on both servers with one login form.
Any help will be much appreciated.
Unless you have specific limitations or widhes, this sounds like standard requirement for SSO (Single Sign-On) implementation. OAuth is wide-spread standard in this area.
Ruby have implementations for this, see this repository for example
OAuth2 A Ruby wrapper for the OAuth 2.0 specification.
As for reading materials, you can check this article:
Single Sign On (SSO) for Multiple Applications with Devise, OmniAuth
and Custom OAuth2 Implementation in Rails
This tutorial may also help.
Then, you can implement OAuth in your node js server, and other services when needed.
Or detail your question and specific requirements or limits for other options. Meanwhile, you can check this SO question on other non-SSO options.

Resources