I have a existing application built in ASP.NET. This application has REST APIs. We are wanting to expose these APIs via API connect platform. Now, since our APIs are already authenticated, if we use IBM API connect, then how will end user authenticate to our API and API consumer authenticate via IBM Developer portal?
Lets say our API clientA logs into our developer portal, creates an app and then subscribes to our API. Now when end users try to access our API "VIA ClientA", we need to authenticate the request.
I tried to follow this tutorial http://www.ibm.com/support/knowledgecenter/SSFS6T/com.ibm.apic.toolkit.doc/task_apionprem_redirect_form_.html
But it does NOT get redirected to our external URL.
Please help!
The API gateway (part of API Connect) establishes and enforces authentication between the API end-user/subscriber and your outbound API service running on API Connect. The gateway acts as a service proxy to authenticate potentially many subscribers to a particular API plan (made up of one or several APIs), using API keys that are generated as new subscribers onboard to that plan. The management and enforcement of those API keys is accomplished entirely within API Connect. Nothing is required on your part, except the initial setup parameters for each API.
For that same API, the back-end authentication between API Connect and your existing REST API endpoint is different: it is the same for all end-user subscribers. Every time an end user calls an API they have previously subscribed to, they must first authenticate to API Connect using their unique key (since their usage must be tracked, billed and possibly limited). Once authenticated to the API gateway, all subscribers invoking usage instances for this API will be authenticated to the same API endpoint using the same authentication scheme and credentials as created when setting up the API.
Their are several choices of back-end authentication schemes when using external API endpoints. See this tutorial for more information and links to further resources:
https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.toolkit.doc/tutorial_apionprem_security_OAuth.html
Related
I currently have an API that I am opening up to our business partners to call, and I want it secured with OAuth.
I've set up an Azure API management (consumption plan right now) that points to our API in azure.
I can call it and get valid results in the test console.
So I was following the Microsoft documentation for this, and it had me :
Register my backend API in app registrations;
Register a client app in app registrations;
In azure AD grand the permissions for this client app;
Configure the APIM with a validate-jwt policy.
So now my APIM is returning a 403 as expected.
My question is this. I do not know the clients that will be using this API. Or rather, do I HAVE to register a client app registration? Or can I leave that part out, and just provide the URLS that I have for the OAUTH side, which are like :
https://login.microsoftonline.com/GUID/oauth2/v2.0/authorize
https://login.microsoftonline.com/GUID/oauth2/v2.0/token
I am very new to Oauth and APIM, so I am not even sure how all this works.
But it seems odd that I am registering an app for a client, when I have no information on them or how they are calling my API.
I kinda get that I need to know who is requesting the token and authorizing. But the clients will be using a javascript snippet that we give them to embed on their site, so I dont really know what their site is like, what their URL is or anything.
Hope that makes sense.
The client registration is what represents the entity (web app, mobile app, etc.) that requests for tokens from Azure AD for your API.
The docs walk you through a process where the developer portal is registered as the client.
The snippet in your case would also require a Client ID (of an app) to fetch the token with. For this, you would have to register a new app registration and share the Client ID as part of the snippet.
I am building a microservice project in which I need certain clarification on what to do in these situations:
for centralized authentication and authorization or centralized authentication on API gateway, every request must contain jwt token and pass-through API gateway to call other microservice also it should check which user has permission to access API in other microservice. So how can I handle those situations?
I will be using specific tool for exploitation.
users will come through either web browser or mobile app. your api gateway will be exposed to external world. most of the apiGateway nowdays contains plugins for authentication and authorization. for example you can use OIDC plugin with api gatway to authenticate the users which will return JWT token to call the internal apis. you can refer below component diagram link for architecture diagram
I have an Asp.Net Core 2.0 Web API running as a web app in Azure. My API is consumed by client applications which are windows service running on servers at various client sites. So, this is a "Daemon or Server Application to Web API" communications flow as described in Authentication Scenarios for Azure AD
I register the client application at each site as a separate unique app in Azure AD, obtain the ClientId and AppKey and send it to the respective site for their devs to use in their service to request a JTW access token from Azure AD to use in the authorization header when making an http request to my API.
This is all working just fine.
The question I have is this; is there any way, in this scenario, that I can identify which site is making the request? From what I understand, it doesn't seem like I can add custom claims to an OAuth2.0 access token, like can be added to an OIDC ID token.
If you register the apps yourself then you know all the client ids for each different site so your API could use the appid in the JWT access token (which is the client id) and cross reference it against a list of sites. Here is an example of a JWT token obtained using the client credentials grant type:
Currently, I have a running application with a bunch of customers and custom servlet API.
To have a possibility to integrate my app with app of my partner I need to implement REST API and OAuth 2.0 flow.
And am on my way to integrate WSO2 API manager in my environment for these needs.
Desired flow is on the picture - api flow
And to say it verbally:
User already registered in my APP
User registers on partner's APP
In order to use services of my app user is required to authorise himself on my app (oauth 2.0 authorization code flow is used) from partners app
Partners app can interact with my app via REST interface with help of user access token.
Is there possibility to register only one consumer on WSO2 API Manager side (My Partners app) and provide client secret and password only to my Partner, but not to each user?
Currently, I have one registered consumer to provide tests.
And each time when I make requests for authorization code for this test consumer with it's client secrets - I receive the same code.
From this behavior, I understand that it is needed to issue client secrets on API manager side for each end user and not just for partners App. achieve.
For Oauth 2.0 authorization code flow it is needed to provide only one client_id and client secret for partner.
In order to authorize end users at WSO2 API manager side and provide unique access_token's for end users - WSO2 API manager should have access to the User table of database.
In the User table there are login/encrypted_password values for end users are stored.
One of my iOS apps contacts one of my services using Google Cloud Endpoints and I would like to restrict access to that service to instances of the app.
I've followed instructions about adding authorization and have created an iOS client ID that is tied to my app's bundle id and app store id. I've now difficulties understanding this part of the instructions:
If your iOS app is making calls to an Endpoint that requires
authentication, you must Add a Sign-in Dialog to your iOS client.
I do not want my users to log in but instead I want my app to present its credentials to the service for authentication without user interaction. I thought since the client ID is (presumably cryptographically) tied to the client ID and bundle ID only the app is (somehow) able to do so and that the client ID would effectively serve like a service account.
Is this type of app (not user) authentication scenario supported by Google Cloud Endpoints (for iOS clients) or do I have to roll my own app authentication by passing some secret in the application-level protocol? Here are some earlier related (unanswered) questions for Android clients.
I have concluded for now that Google Cloud Endpoints allows authentication only based on Google account credentials. What I need is a credential for the entire app (not its users) akin to a service account or an API key.
I have used service accounts for server-to-server communication. It does not seem possible to create service accounts for an app (as opposed to a GAE application).
GTLService has a property APIKey. However, if my client sets it to a public access key (iOS key) that I created for my GAE application in Google Developer Console the server returns error Access Not Configured. Please use Google Developers Console to activate the API for your project but there is no (obvious) way for configuring non-Google APIs such as my service API.
So until further notice I will add an API key to my application-level API requests and check it in each #ApiMethod.