Knowing whether the requested IdP is the Google IdP or the WSO2 IdP - oauth-2.0

I am trying to configure two identity servers in WSO2 IS: one is the Google IdP and the other is WSO2 IS itself. My requirement is that if the user selects the WSO2 IdP they will be able to access user information from the WSO2 IdP, and if they select the Google IdP they will be able to access user information from their Google account. So my question is: for both IdPs there are different APIs to generate an access token, so how can I identify which IdP the user selected so that I can generate the access token?

So, understanding your requirements from your description, here's how you can achieve what you want to do:
Create a Google OAuth app and get its client_credentials and client_secret. Register a callback_url such as "https://localhost/callbackGoogle".
Register Google as an IdP in WSO2 Identity Server; under the Federated Authenticators section of the IdP, fill in the Google Authenticator with the details of the OAuth app created in Google.
Create a service provider in WSO2 IS and enable OAuth inbound authentication. Register a callback URL such as "https://localhost/callbackWSO2".
Under the Local & Outbound Authentication Configuration section of the service provider, select the Advanced option.
Add the local and federated authenticators in step 1.
Now register two servlets, one for the callback URL of the Google IdP and the other for the callback registered for WSO2 IS.
Now when you request an access token from the service provider you will be redirected to a login page with two options (Local IS or Google IdP).
Based on the IdP the user chose to authenticate with, one of the servlets will be hit and you can easily identify which IdP the user used to authenticate.
[1] https://docs.wso2.com/pages/viewpage.action?pageId=49092446
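The dispatch the answer describes, as an added example that is not part of the original answer and not WSO2 or Google code: each registered callback URL maps to exactly one IdP, so the path that was hit tells you which token endpoint to call. The example also binds every login attempt to a single-use `state` value so a callback that was not started from your application (or is replayed) is rejected. Client ids, secrets and the Google endpoint are constructed placeholders; the WSO2 IS token endpoint is the product's default. No request is sent; the code-exchange request is returned as data.

```python
import base64
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed registry: one entry per callback URL registered with each IdP.
# Client ids/secrets are placeholders; the Google endpoint is a placeholder too.
IDP_BY_CALLBACK = {
    "/callbackGoogle": {
        "name": "google",
        "token_endpoint": "https://google.example/token",       # placeholder
        "client_id": "GOOGLE_CLIENT_ID_PLACEHOLDER",
        "client_secret": "GOOGLE_CLIENT_SECRET_PLACEHOLDER",
        "redirect_uri": "https://localhost/callbackGoogle",
    },
    "/callbackWSO2": {
        "name": "wso2is",
        "token_endpoint": "https://localhost:9443/oauth2/token",  # WSO2 IS default
        "client_id": "WSO2_CLIENT_ID_PLACEHOLDER",
        "client_secret": "WSO2_CLIENT_SECRET_PLACEHOLDER",
        "redirect_uri": "https://localhost/callbackWSO2",
    },
}

# Login attempts awaiting a callback: state -> IdP name.
# A real deployment keeps this in the user's server-side session.
PENDING_STATES = {}


def begin_login(idp_name):
    """Create the unguessable state value for a login attempt at `idp_name`."""
    if idp_name not in {cfg["name"] for cfg in IDP_BY_CALLBACK.values()}:
        raise ValueError(f"unknown IdP {idp_name!r}")
    state = secrets.token_urlsafe(32)
    PENDING_STATES[state] = idp_name
    return state


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication as sent to the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def handle_callback(callback_url):
    """Map the callback that was hit to its IdP and build the code-exchange request.

    Returns (idp_name, request) where request describes the POST to that IdP's
    token endpoint. Raises ValueError on an unknown callback path, an error
    reported by the IdP, or a missing, replayed or mismatched state.
    """
    parsed = urlparse(callback_url)
    cfg = IDP_BY_CALLBACK.get(parsed.path)
    if cfg is None:
        raise ValueError(f"no IdP registered for callback {parsed.path!r}")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"{cfg['name']} returned error {query['error'][0]!r}")
    state = query.get("state", [None])[0]
    # pop() makes each state single-use, so a replayed callback is rejected;
    # a state issued for the other IdP is rejected (and consumed) as well.
    if state is None or PENDING_STATES.pop(state, None) != cfg["name"]:
        raise ValueError("state missing, already used, or issued for another IdP")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    request = {
        "url": cfg["token_endpoint"],
        "headers": {
            "Authorization": basic_auth_header(cfg["client_id"], cfg["client_secret"]),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": cfg["redirect_uri"],
        },
    }
    return cfg["name"], request
```

Because the IdP is derived from the registry entry for the callback path rather than from anything in the query string, a caller cannot steer a code obtained at one IdP into the other IdP's token endpoint; the `redirect_uri` sent in the exchange is the registered one, as the token endpoint requires.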

Related

WSO2 API Manager - Authenticate user from API client

I'm developing a set of microservices exposed as REST through WSO2 API Manager.
Now I'd like to call these services from an Angular front end. What is the best way to handle user authentication and authorization?
I found it can be done through the OAuth2 Password Grant as described here.
When the user logs in, the user credentials will be sent to a specific WSO2 APIM endpoint (/token), it validates them and generates the token, and this token will be sent in a header for subsequent calls.
Is this the best approach for this case?
Thanks in advance,
As mentioned in your question, https://apim.docs.wso2.com/en/next/learn/api-security/oauth2/grant-types/password-grant/
This method will only work when you have the resource owner's username and password.
Take an example: suppose you have published the APIs and created a user (resource owner) in the WSO2 store. This user is subscribed to the API using the application. The application will have a client id and secret, which will be used to generate the OAuth2.0 token. This token will be used to invoke the APIs.
Now in your Angular project, one way is to hardcode the base64(clientid:clientsecret) and call the token API to generate the OAuth2.0 bearer token. Use the generated token to call the APIs onboarded on WSO2. To protect your APIs from attacks, use rate limiting based on IP.
Now take another situation: if you want the user to authenticate first, then generate the JWT token for that user using the password grant type (using the actual user's username and password), and using that JWT generate the OAuth2.0 Bearer token which will be used to call the APIs.
Steps to be performed for the second situation:
During registration (from Angular), internally onboard the user in the WSO2 Identity Server. (There is a WSO2 API for the same.)
After registration, generate the JWT token from the Identity Server by authenticating with username and password. (Again, for this a WSO2 API is there.)
Now using this JWT token, generate the OAuth2.0 token from WSO2 APIM.
Use this token to call the APIs.
The second approach is the ideal approach for user-to-service authentication and authorization using WSO2 as the gateway, while the first approach mainly focuses on service-to-service authentication and authorization.
Hope this answers your question.
Reference Link: https://medium.com/wso2-learning/how-to-protect-your-apis-with-self-contained-access-token-jwt-using-wso2-api-manager-and-wso2-75673d8a4686
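The two token requests the answer describes, as an added example that is not part of the answer and not WSO2's own code: the password grant of the first approach, and the exchange of an Identity Server JWT for an APIM token in the second approach, plus parsing of the token response into something the client can check for expiry. Assumptions: the APIM token endpoint is the default https://localhost:8243/token; the "use that JWT to generate the OAuth2.0 token" step is the RFC 7523 JWT bearer grant; the sample token response is constructed. Requests are returned as data rather than sent.

```python
import base64
import time

APIM_TOKEN_ENDPOINT = "https://localhost:8243/token"   # assumed WSO2 APIM default
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"   # RFC 7523 grant type

# Constructed token response in the shape the token endpoint returns.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "constructed-access-token",
    "refresh_token": "constructed-refresh-token",
    "scope": "default",
    "token_type": "Bearer",
    "expires_in": 3600,
}


def client_auth_header(client_id, client_secret):
    """Basic auth value the token endpoint expects: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _token_request(client_id, client_secret, data):
    return {
        "url": APIM_TOKEN_ENDPOINT,
        "headers": {
            "Authorization": client_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "data": data,
    }


def password_grant_request(client_id, client_secret, username, password, scope=None):
    """First approach: resource owner password credentials grant."""
    data = {"grant_type": "password", "username": username, "password": password}
    if scope:
        data["scope"] = scope
    return _token_request(client_id, client_secret, data)


def jwt_bearer_grant_request(client_id, client_secret, jwt_from_is, scope=None):
    """Second approach: exchange the JWT issued by WSO2 IS for an APIM access token."""
    data = {"grant_type": JWT_BEARER, "assertion": jwt_from_is}
    if scope:
        data["scope"] = scope
    return _token_request(client_id, client_secret, data)


def parse_token_response(body, now=None):
    """Turn the token endpoint's JSON body into a record with an absolute expiry.

    Raises ValueError on an OAuth error response or a missing access_token.
    """
    if "error" in body:
        raise ValueError(f"{body['error']}: {body.get('error_description', '')}")
    if "access_token" not in body:
        raise ValueError("token response has no access_token")
    now = time.time() if now is None else now
    return {
        "access_token": body["access_token"],
        "token_type": body.get("token_type", "Bearer"),
        "expires_at": now + int(body.get("expires_in", 0)),
        "refresh_token": body.get("refresh_token"),
        "scope": body.get("scope", ""),
    }


def needs_refresh(token, now=None, leeway=30):
    """True when the token is expired or within `leeway` seconds of expiring."""
    now = time.time() if now is None else now
    return now + leeway >= token["expires_at"]


def bearer_header(token):
    """Header to send on each API call once a token has been obtained."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}
```

The example keeps the client secret in code that runs server-side (a backend that proxies the token request for the Angular app); anything shipped in the browser bundle is readable by every user, so the secret belongs to a backend component, not the SPA itself.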

IdentityServer4: log a user out from only the requested client

Is it possible to log a user out of only a single client? I tried to search online but could not find anything about logging a user out from only a specific client.
With OAuth2 authentication, you don't log in or out of an application. OAuth2 is about permission delegation using access tokens. There is also the single sign on (SSO) feature of OpenID Connect (OAuth2 extension).
So you can either log out of the SSO session, which will force you to enter your credentials on the next /auth request, or you can revoke a token used by a client. But if you have a valid SSO session at the auth server, the client can request a new token without you entering credentials.
So I think you will need to change your requirements (for logging out) to be compatible with OAuth2 / OpenID Connect concepts.

Is there a standard pattern for OIDC-based social login with an IDaaS?

Scenario: openid-connect based social login for SPA.
Case 1:
In the case of an SPA which has registered as an OAuth 2.0 client with a Social Authentication Provider (ex. Google), the OAuth/OIDC roles map like this:
Resource Owner = Authenticating User
Client = SPA
Authorization Server = Social Authentication Provider (ex. Google)
Resource Server = Social Authentication Provider (ex. Google)
Case 2:
Now, let's consider the case of social authentication for an SPA using an IDaaS (ex. Okta/Auth0). The IDaaS has registered an OAuth 2.0 client with the Social Authentication Provider (ex. Google) and the SPA has registered an OAuth 2.0 client with the IDaaS.
Question: Is this use case a combination of two OIDC flows (nested)?
Flow 1:
Resource Owner = Authenticating User
Client = IDaaS (ex. Okta)
Authorization Server = Social Authentication Provider (ex. Google)
Resource Server = Social Authentication Provider (ex. Google)
(at this point the Social Provider has asserted an id_token (iss=Google, aud=IDaaS) to the IDaaS redirect_uri)
Flow 2:
Resource Owner = Authenticating User
Client = SPA
Authorization Server = IDaaS (ex. Okta)
Resource Server = IDaaS (ex. Okta)
(finally, the IDaaS has asserted an id_token (iss=IDaaS, aud=SPA) to the SPA redirect_uri, and at this point authentication to the SPA is complete).
Is the above understanding correct?
Also, is there a standard OIDC/OAuth pattern for this kind of architecture which involves the use of an IDaaS as an identity broker?
You are using a concept called OAuth 2.0/OpenID Connect federation. Rather than being a standard, identity provider vendors use this to integrate external identity providers.
Case 1 purely uses OAuth 2.0 and OpenID Connect. The SPA simply relies on the authorization server to issue tokens.
In Case 2, you rely on an external identity provider (ex. Google, as in your explanation) for user authentication. And if you compare your configurations, you are configuring the IDaaS to be a client to Google, and then your SPA to be a client to the IDaaS.
Is this use case a combination of two OIDC flows?
No, it uses the same OIDC flow. But instead of the SPA directly contacting Google, the IDaaS makes the request (rather, forwards the request). The IDaaS will create the authorization request and direct the SPA to Google's login page. This is done by the IDaaS using the registered details such as the redirect URL, client id and client secret.
As the client, you get the login page and provide credentials. Once that's done, the OAuth 2.0/OpenID Connect redirect occurs to the IDaaS (note: at Google we configured the redirect URL to the IDaaS). The IDaaS will receive the redirect and process it. Depending on the flow used, there will be a token request involved in this step. Then it proceeds to token processing.
In this step, internally, the IDaaS will replace the token. It will first validate the Google-issued token. If the token is valid, the IDaaS will create a new token with the claims required from Google as well as audience and issuer values set to values known to the SPA.
Basically the IDaaS receives the original Google token and the SPA receives the IDaaS-created token. It is the same flow, but with an IDaaS in the middle working with an external identity provider.
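The token replacement the answer describes, as an added example that is not part of the answer and not code from Okta, Auth0 or Google: the IDaaS validates the upstream id_token (iss=Google, aud=IDaaS), then mints its own id_token (iss=IDaaS, aud=SPA) carrying the claims it passes through, and the SPA accepts only tokens issued by the IDaaS for the SPA. HS256 with constructed shared secrets stands in for the RS256 signatures real providers use, and every issuer, client id and claim value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

GOOGLE_ISS = "https://google.example"                # placeholder social IdP issuer
IDAAS_ISS = "https://idaas.example"                  # placeholder broker issuer
IDAAS_CLIENT_AT_GOOGLE = "idaas-client-at-google"    # client id the IDaaS holds at Google
SPA_CLIENT_AT_IDAAS = "spa-client-at-idaas"          # client id the SPA holds at the IDaaS


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Mint a compact HS256 JWT (constructed stand-in for a provider's signer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_id_token(token, key, issuer, audience, now):
    """The checks every relying party must make: alg, signature, iss, aud, exp."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWT") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the token never chooses the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError(f"wrong issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"token not meant for {audience!r}")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def broker_reissue(google_id_token, google_key, idaas_key, now, ttl=300):
    """Flow 1 -> Flow 2 at the IDaaS: validate Google's token as Google's client,
    then mint a token for the SPA with issuer and audience set to SPA-known values."""
    upstream = verify_id_token(google_id_token, google_key, issuer=GOOGLE_ISS,
                               audience=IDAAS_CLIENT_AT_GOOGLE, now=now)
    brokered = {
        "iss": IDAAS_ISS,
        "aud": SPA_CLIENT_AT_IDAAS,
        # subject namespaced by upstream IdP so two providers' ids cannot collide
        # (a constructed convention, not any vendor's format)
        "sub": f"google|{upstream['sub']}",
        "email": upstream.get("email"),
        "idp": GOOGLE_ISS,        # constructed claim recording where the login happened
        "iat": now,
        "exp": now + ttl,
    }
    return sign_jwt(brokered, idaas_key)


def spa_accepts(id_token, idaas_key, now):
    """Flow 2 check at the SPA: only tokens issued by the IDaaS for this SPA count."""
    return verify_id_token(id_token, idaas_key, issuer=IDAAS_ISS,
                           audience=SPA_CLIENT_AT_IDAAS, now=now)
```

The SPA's check is deliberately blind to Google: a Google-issued token presented to the SPA fails on issuer, audience and key, which is why the SPA never needs Google's registration details and why the IDaaS, not the SPA, is the party that must know which upstream provider signed what.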

WSO2-OAuth2.0-ExternalAccessToken

I have a unique scenario in which we need to sync an external OAuth access token with the wso2am key manager.
The scenario is as follows: the user logs in to our internal IdP server and the IdP server generates an access token upon successful verification of the user's credentials. Now the requirement is that the UI (application) should be able to invoke an API on wso2am using that access token which was generated by the IdP. That is only possible if we sync that external access token to the wso2am key manager. I am not able to fit this requirement with the available grant types (password, client credentials), as all these grant types generate a new access token, which we don't want.
Please advise how to achieve it. Thank you.
WSO2 API Manager supports configuring an external key manager [1], so you can configure your IdP as the key manager for WSO2 APIM.
[1] https://docs.wso2.com/display/AM200/Configuring+a+Third-Party+Key+Manager

OAuth resource owner password credentials grant type with WSO2 API Manager when SSO is set up with Identity Server

I am trying a POC with WSO2 API Manager and Identity Server. The application users are registered in the user store on the Identity Server. An API is exposed on the API Manager that will be used by the application. The goal is to authenticate the users accessing the application using the OAuth resource owner password credentials grant. The user credentials are in the user store on the Identity Server. I created a new tenant for this.
I configured SSO for the API Manager by using this documentation, so that the users are authenticated against the Identity Server user store.
I tried to generate a token to access the API exposed on the API Manager. I was able to retrieve the token with the client credentials grant type but not with the resource owner password grant type.
Appreciate any help here.
I do not think you need SSO here. SSO is needed between APIM and WSO2 IS if users need to log in to the API Store/Publisher/APIM management console. I hope you are talking about end users. Then end users may not need to log in to the APIM. They just need to log in to your custom applications, and the application would call the APIs in the APIM.
But say users need to log in to custom applications using SSO; then you can configure SSO between WSO2 IS and the custom applications. Please refer here. Once the user logs in to the application, the application can exchange the end user's SAML2 assertion for an access token using APIM. Then the application can access the APIs in APIM using the access token on behalf of the user. You can refer to this for more details.
Also, if you are just trying to use OAuth for authentication (just to log in to the custom application), you may need to use OpenID Connect.

Resources