I am trying to build a simple scenario so that I can control an endpoint "on/off" using Kaa, but I need to know how I can authenticate the endpoint. I mean, how can I manage which specific endpoint is being controlled?
Also, is there any way I can identify an endpoint and then allow/deny the connection from the EP to Kaa?
Thanks
For details of endpoint authentication please refer to the Endpoint provisioning and registration documentation. You can use the internal credentials service to allow connections to the Kaa cluster only from a specified list of endpoints whose credentials were previously provisioned to the Kaa server.
To control your endpoint from your server-side applications, read about the Server-side EP profile and Endpoint groups features.
I am currently working on a few services that use Key Vault, authenticating with ClientCertificateCredential / registered apps. These are running on-premises.
I am looking into using Azure App Configuration in a similar way, combined with Key Vault. So a couple of questions arise:
Can I authorize against App Configuration the same way as with Key Vault, using ClientCertificateCredential? If yes, how?
If not, another option is to use a connection string against App Config. However, this is a secret and should be stored in Key Vault (absolutely not in appsettings.json). That means I have to access Key Vault before setting up App Config. Is there a clean way to do this?
Or, perhaps there is something else I should consider.
• Yes, you can surely authorize against App Configuration as you do against Key Vault to retrieve client secrets, connection strings and other sensitive information with the help of managed identities. Managed identities create a service principal for the said application when enabled, depending on whether a user-assigned identity is assigned to that application or a system-assigned managed identity is created directly for the application for its lifetime.
By leveraging managed identity, you eliminate the need for an access token that contains secrets. Your code can access the App Configuration store using only the service endpoint. You can embed this URL in your code directly without exposing any secret.
• For more information on configuring managed identity to access App Configuration without exposing or leveraging any type of access token, please refer to the documentation link below:
https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core5x
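Added example, not the answerer's or Microsoft's code: the same Azure AD credential object that the question already uses for Key Vault (ClientCertificateCredential, a TokenCredential like the managed-identity one the answer describes) is passed to the App Configuration client, so no connection string exists to protect, and Key Vault references stored in App Configuration are resolved with that one credential. It assumes the azure-identity, azure-appconfiguration and azure-keyvault-secrets packages, and that the app registration has been granted the "App Configuration Data Reader" role on the store and get-secret permission on the vault; store, vault, tenant and certificate identifiers are placeholders.

```python
"""Authenticate to Azure App Configuration and Key Vault with one
ClientCertificateCredential; no connection string anywhere.
Assumptions: azure-identity, azure-appconfiguration, azure-keyvault-secrets
installed; RBAC on store and vault granted to the app registration."""
import json
from urllib.parse import urlparse

# Content type App Configuration puts on a Key Vault reference setting
# (the value is {"uri": "https://<vault>.vault.azure.net/secrets/<name>[/<version>]"}).
KV_REF_CONTENT_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json"


def parse_keyvault_reference(value, content_type):
    """Return (vault_url, secret_name, version) for a Key Vault reference
    setting, or None when the setting is an ordinary value."""
    if not content_type:
        return None
    if content_type.split(";")[0].strip().lower() != KV_REF_CONTENT_TYPE:
        return None
    uri = json.loads(value)["uri"]
    parsed = urlparse(uri)
    parts = [p for p in parsed.path.split("/") if p]  # secrets/<name>[/<version>]
    if parsed.scheme != "https" or len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret URI: {uri}")
    vault_url = f"https://{parsed.netloc}"
    version = parts[2] if len(parts) > 2 else None
    return vault_url, parts[1], version


def build_credential(tenant_id, client_id, certificate_path):
    # Same credential type the question already uses for Key Vault.
    from azure.identity import ClientCertificateCredential
    return ClientCertificateCredential(tenant_id, client_id,
                                       certificate_path=certificate_path)


def load_settings(endpoint, credential, key_filter="*", label=None):
    """Read settings from App Configuration over Azure AD and resolve any
    Key Vault references with the same credential. label=None reads all labels."""
    from azure.appconfiguration import AzureAppConfigurationClient
    from azure.keyvault.secrets import SecretClient

    client = AzureAppConfigurationClient(endpoint, credential)
    secret_clients = {}  # one SecretClient per vault
    resolved = {}
    for setting in client.list_configuration_settings(key_filter=key_filter,
                                                      label_filter=label):
        ref = parse_keyvault_reference(setting.value, setting.content_type)
        if ref is None:
            resolved[setting.key] = setting.value
            continue
        vault_url, name, version = ref
        sc = secret_clients.get(vault_url)
        if sc is None:
            sc = secret_clients[vault_url] = SecretClient(vault_url=vault_url,
                                                          credential=credential)
        resolved[setting.key] = sc.get_secret(name, version=version).value
    return resolved


if __name__ == "__main__":
    # Placeholder identifiers (assumptions); replace with your own values.
    cred = build_credential("<tenant-id>", "<client-id>", "/etc/app/client.pfx")
    print(load_settings("https://<store>.azconfig.io", cred, label="prod"))
```

The Key Vault reference parsing is deliberately strict: anything that is not an https secret URI raises instead of being silently passed to the vault client, so a tampered App Configuration value cannot redirect the application to a different vault path type.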
I'm using Microsoft Graph API to access data from my Azure AD, including adding and updating users.
Is there any way I can limit access to the Graph API based on the client's IP, so that requests originating from a specific IP or IP range will be served and the rest will be blocked?
As far as I understand, the Graph API deployment at https://graph.microsoft.com is a public API that is protected by Azure AD. As long as you have a valid access token you are able to call the API and do what the access token says you are allowed to do, regardless of where you are. This means access restriction can only be done at the Azure AD level during authorization.
If your apps are user-interactive, then you can try using the Azure AD Conditional Access location condition.
For daemon apps that run server-side, this case may not apply because they run behind your trusted networks in most cases.
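As an added example (not the answerer's code), the two Microsoft Graph payloads behind the Conditional Access location condition the answer points to: an IP named location for the allowed range, and a policy that blocks user sign-in to the Microsoft Graph resource from every location except that one. The CIDRs are validated locally before they reach Graph, and the policy is created in report-only mode by default so the sign-in log can be checked before anyone is locked out. As the answer says, this applies to interactive user sign-ins only; a daemon using client credentials is not evaluated by a user policy. The calling app is assumed to hold the Policy.ReadWrite.ConditionalAccess permission; the CIDR, names and token are placeholders.

```python
"""Build and submit Conditional Access objects via Microsoft Graph.
Assumptions: an access token with Policy.ReadWrite.ConditionalAccess;
names, CIDRs and the token below are placeholders."""
import ipaddress
import json
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Well-known application ID of the Microsoft Graph resource itself.
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def ip_named_location(display_name, cidrs, trusted=True):
    """Payload for POST /identity/conditionalAccess/namedLocations."""
    ranges = []
    for cidr in cidrs:
        # strict=True rejects host bits set in the prefix, e.g. "203.0.113.5/24"
        net = ipaddress.ip_network(cidr, strict=True)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": ranges,
    }


def block_outside_location_policy(display_name, location_id,
                                  app_ids=(MICROSOFT_GRAPH_APP_ID,),
                                  user_ids=("All",), enforce=False):
    """Payload for POST /identity/conditionalAccess/policies: block the
    listed apps from all locations except location_id. Report-only unless
    enforce=True."""
    return {
        "displayName": display_name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": list(app_ids)},
            "users": {"includeUsers": list(user_ids)},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def graph_post(path, payload, access_token, timeout=10):
    """POST a JSON payload to Graph and return the parsed response."""
    req = urllib.request.Request(
        GRAPH_BASE + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = "<access token with Policy.ReadWrite.ConditionalAccess>"  # placeholder
    loc = graph_post("/identity/conditionalAccess/namedLocations",
                     ip_named_location("HQ egress", ["203.0.113.0/24"]), token)
    graph_post("/identity/conditionalAccess/policies",
               block_outside_location_policy("Block Graph outside HQ", loc["id"]),
               token)
```

Exclude a break-glass account from user_ids before switching enforce=True; a location-scoped block policy with includeUsers All and a mistyped CIDR locks administrators out as well.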
Could you please advise me how to set up an API which has an endpoint already using OAuth2 for authentication/authorization?
Is it possible to disable OAuth2 in WSO2 for one endpoint only?
Thanks a lot.
In WSO2 API Manager 3.1.0, what you could do is, before publishing the API, go to the Resources section, select the resources, and disable the security from there. Then publish it again.
This should solve your problem.
Please see the link Remove security only for some requests wso2 api manager, in which the publisher has disabled the security for one of the APIs; you could try disabling it for all the APIs under that endpoint.
No. If you are accessing an API published on WSO2 API Manager, you must have a WSO2 API bearer token to access that API. You cannot disable it for one endpoint.
Reference for invoking APIs:
https://apim.docs.wso2.com/en/next/learn/consume-api/invoke-apis/invoke-apis-using-tools/invoke-an-api-using-the-integrated-api-console/
Currently we are building a web-based application; we have a web server and an application server hosting our resources. We will also use Mule ESB to be able to use any web service or API, and we will have an Alfresco DMS solution and will use Alfresco services with Mule ESB.
We are investigating how we can implement an SSO approach for this scenario. We already have IdentityServer4 for identity federation. It issues an access token for the client, and we need to authenticate the user whenever the user is at the Mule ESB side without asking the user for credentials again.
According to my research, an external identity provider can be added on Mule ESB. The thing we do not know is whether the access token issued to the client while the user logs into the application server can be passed to Mule ESB, and whether Mule ESB can validate the access token before
Actually, the question we are looking for an answer to is: is it possible to issue the client an access token only once, then validate this token on each side (Mule ESB, Alfresco) without asking the user to enter the credentials again and again?
Using one access token for multiple applications is not recommended. This is highlighted through this and this resources. Basically, the scope of the access token must be restricted. This is to prevent the access token being misused.
In your scenario, you have multiple applications. If your goal is to use one access token shared across all of them, I suggest not doing that. Instead, you may use a single access token against multiple APIs, given that you request access tokens with such scope. For example, APIs in the ESB can be designed to accept access tokens if the scope allows it (the scope can be validated from the API endpoint through token introspection). But allow each client app to obtain its own tokens. This makes your architecture more secure.
One solution for SSO is browser-based SSO. Identity providers maintain a session in the browser, so if one of your clients goes through a login, your next client will use that previous session to skip the login page. This is essentially SSO behaviour. For example, this is what allows you to use Gmail, YouTube and Google Drive with a single login: the browser maintains a session with Google. Each app obtains tokens, but skips the login page.
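Added example, not the answerer's code: the resource-side check the answer alludes to with "scope can be validated from the API endpoint through token introspection". introspect_token() posts the token to an RFC 7662 introspection endpoint (IdentityServer4 serves one at /connect/introspect and authenticates the calling API by its API-resource name and secret as HTTP Basic credentials); authorize() is the pure decision over the introspection response and is exercised on constructed responses for three tokens. It also shows why a token minted for Alfresco should be refused by the Mule ESB API even though it is valid: the audience does not match. The audience and scope names (mule-esb, esb.read, alfresco, dms.read) are assumptions.

```python
"""Validate an access token at an API via RFC 7662 token introspection.
Assumptions: IdentityServer4-style endpoint at /connect/introspect with
API-resource name/secret as Basic auth; audience and scope names invented."""
import base64
import json
import time
import urllib.parse
import urllib.request


def introspect_token(token, introspection_url, api_name, api_secret, timeout=5):
    """Ask the issuer whether `token` is valid and what it carries."""
    creds = base64.b64encode(f"{api_name}:{api_secret}".encode()).decode()
    req = urllib.request.Request(
        introspection_url,
        data=urllib.parse.urlencode({"token": token}).encode(),
        method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def authorize(introspection, expected_audience, required_scopes, now=None):
    """Decide whether the token described by `introspection` may call THIS
    API. Returns (allowed, reason). Checks, in order: active flag, expiry,
    audience (the token must have been issued for this API), scopes."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token inactive or unknown"
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    aud = introspection.get("aud", [])
    if isinstance(aud, str):          # RFC 7662 allows a string or an array
        aud = [aud]
    if expected_audience not in aud:
        return False, f"token was not issued for {expected_audience}"
    granted = set(introspection.get("scope", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scope(s): " + " ".join(missing)
    return True, "ok"


# Constructed introspection responses for four tokens; not real server output.
NOW = 1_700_000_000
SAMPLE_RESPONSES = {
    "esb-token": {"active": True, "sub": "alice", "client_id": "web-app",
                  "aud": ["mule-esb"], "scope": "esb.read esb.write",
                  "exp": NOW + 3600},
    "alfresco-token": {"active": True, "sub": "alice", "client_id": "web-app",
                       "aud": "alfresco", "scope": "dms.read",
                       "exp": NOW + 3600},
    "stale-token": {"active": True, "sub": "alice", "client_id": "web-app",
                    "aud": ["mule-esb"], "scope": "esb.read", "exp": NOW - 60},
    "revoked-token": {"active": False},
}


def demo():
    """Run the decision over the constructed tokens as the Mule ESB API would."""
    return {name: authorize(resp, "mule-esb", ["esb.read"], now=NOW)
            for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'ALLOW' if ok else 'DENY '} {why}")
```

Each API (Mule ESB, Alfresco) runs this check with its own expected_audience and its own introspection credentials, so a client needs a token scoped to the API it is calling; the browser session at IdentityServer4 is what lets the client obtain that second token without another login prompt.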
Do we really need to mandate the X-IBM-Client-ID header while exposing OAuth authorize and token endpoints via the IBM API Connect product?
We have different grant types for OAuth-based APIs. This IBM documentation may help you understand the different types.
If the API is designed to be confidential or public, the consumer needs to provide the client ID and client secret of the subscribed application.
We have three types of OAuth flows in API Connect:
Application flow (client ID and client secret required, mandatory)
Password flow (client ID required, mandatory)
Access code flow (not mandatory)
Those are used in administrative calls like /issued
(not for regular calls like /token).
You need special client credentials that were created by the provider organization (inside API Manager), and the request must also carry the client ID to query (which permissions were given to a certain client by a certain resource owner).