I am creating an apigility project where we will be hosting all of our APIs. We need to be able to use OAuth2 for authentication but we cannot figure out how to control access to certain APIs, it seems like once a client authenticates, they can use any of our APIs but we want to limit them to use only specific ones that we define. After reading about the OAuth2 library that apigility uses, I saw that there are scopes that can be defined but I have not found any documentation about how to check a user's scope to see if they have access. I want to find out if this is the best way to restrict access to certain APIs and how to set it up if it is, or is there a better way to control access?
Just implemented this functionality using the following recipe ...
https://github.com/remiq/apigility-zfc-rbac-recipe
It worked really well and only took a few hours to get it all working.
Alternatively you can just do the checking in the Controller Action (Resource method)
$identity = $this->getIdentity()->getAuthenticationIdentity();
$scope = $identity["scope"]
if (! in_array('admin', $scope)) {
return new ApiProblem(Response::STATUS_CODE_401, 'No Auth');
}
The above code is untested but should get you on the right path if you wanted to do it that way
Related
In my Spring Boot application i'm working with Auth0 to manage access to my rest api.
In addition to Auth0's scope i would like to add a ROLE to each user which in turn will provide an additional layer of access control where specific API's won't be accessible to low privileged users.
I've been reading about custom rules and authorization extensions but couldn't quite understand what is the right implementation for me.
Here's my WebSecurityConfigurerAdapter code snippet:
So basically i want only 'ADMIN' for example to be able to access /test/**
#Override
protected void configure(HttpSecurity http) throws Exception {
JwtWebSecurityConfigurer
.forRS256(configBean.getAuth0ApiAudience(), configBean.getAuth0Issuer())
.configure(http)
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/test/**").hasAuthority("read:test")
.anyRequest().authenticated();
}
Any help would be much appreciated!
You have a few options here (at least..).
1). You could conceivably use a Rule to do handle the decision logic on which "ROLES" are assigned to given user - and rather than tag this onto scope (which you could do too..), you may decide they belong instead as a custom claim on that access token. Body of Rule may contain something like
// lookup the permissions for given user somehow (secured webhook, static map etc) - here lets imagine we want ROLE_USER assigned
context.accessToken.scope = "ROLE_USER"
// or
context.accessToken['https://mydomain/roles'] = "ROLE_USER"
2). Simply use the fact that you have the auth0 userid available in the JWT Access token from Auth0 that you send to the API - you could use this knowledge to look up the finer grained permissions for that use "out of bands" of Auth0 (using your own database storage for permissions keyed on user Id etc or some other customer claim tagged on the access token - or by using auth0 if for example you tagged the ROLE information as metadata onto the Auth0 User profile. You could then do an Auth0 user profile lookup (management api) by user id and get details that way. See example here for an illustration in Java on getting the userId claim from the JWT access token if you like this approach.
3). Take a look at the Auth0 authorization extension which provides support for user authorization via Groups, Roles, and Permissions. You can define the expected behavior during the login process, and your configuration settings will be captured in a rule that's executed during runtime.
There is no hard and fast answer here, each of the above merits consideration, and what you need for your project. If you really want to leverage the existing declarative authorization as per your code above, then Option 1, and pegging the ROLES information to the scope is the easiest approach.
However, I would actually advocate option 2). above myself, for most "pragmatic" small to medium sized ventures. Here, you would require a little programmatic code inside your Controller endpoint to lookup the ROLES and then make a security decision that way. You could also push out the lookup code into a common Custom Filter that executes before the Controller code is reached, and does the necessary Spring Security manipulation that way - more of an advanced developer option - (I have written libraries in the past that supported this approach for Spring Boot / Security - and can therefore vouch it is a reasonable approach. See here for demonstration but again, sure you would prefer to get on with building your business logic and not detour into building a library, right?).
Option 3). is definitely worth exploring if you are building out a serious enterprise app, and need all the integrations - especially where integration with enterprise connections such as Active Directory are in play.
Leave me comments if you are still confused, but hopefully the above offers sufficient insights to explore further.
Quick update
Further to our discussions, here is a little Rule that gives you the idea you were asking about:
function addRoleScopesToAccessToken(user, context, callback) {
console.log("add-role-scopes-to-access-token rule");
user.app_metadata = user.app_metadata || {};
var roles = user.app_metadata.roles;
if (roles && roles.length > 0) {
context.accessToken.scope = roles.join(' ');
}
callback(null, user, context);
}
And this is how your "app_metadata" might look like:
{
"roles": [
"role1",
"role2"
]
}
You should end up with a JWT access token with the roles added to the scope. eg.
I have an endpoints API that I'm accessing with a Dart client library generated with discoveryapis_generator. All is well and good except that the generated library doesn't appear to reflect the authentication requirements of my API.
Is it only necessary to somehow create an authenticated http object to pass to my application's BrowserClient() constructor in the following line?
my_api = new MyApi(new BrowserClient());
Is the recommended method for creating the authenticated http object to use the googleapis_auth package as described here? Am I on the right track?
The authentication is not part of the API itself. It is actually the http client that will send the proper http header for user authentication. Assuming you use the standard google auth mechanism, you can use the package https://pub.dartlang.org/packages/googleapis_auth as you would for a standard Google API (Drive, etc...).
You will have to create a clientId (google console) and use BrowserOAuth2Flow to get an AuthClient (that extends http.client) and from then do new MyApi(authClient)
I have a (quite old) project where I override the standard behavior of google auth to allow specifying a userId (never really found the doc on that but it works) during authentication with a simple example that use the PlusApi to get the user name but it could work in a similar way for your own api. Maybe that could help https://github.com/alextekartik/tekartik_googleapis_auth.dart
I think you need at least the email scope when calling createImplicitBrowserFlow
There are also samples for using google apis that could help: https://github.com/dart-lang/googleapis_examples
Currently I'm recovering the omniauth information perfectly fine using the typical setup for omniauth gems.
I'm retrieving the access_token as a string and storing it into an Authorization model that is associated to a main Users model.
So, getting to my problem.
I need to access the calenders api and in the docs I see many references like this...
https://www.googleapis.com/calendar/v3//users/me/calendarList/calendarId
This seems fairly intuitive. I want to access this in conjunction with the access token that I have retrieved. Something along the lines of this...
https://www.googleapis.com/calendar/v3//users/me/calendarList/calendarId?access_token=blah
so that I can load it directly and more streamlined into Backbone models. However, I don't see anything in the docs and when I try the implementation, it consistently throws me 404s of "Not found" (which is rather annoying and undescriptive. I'd prefer if it threw 422s but I suppose that's a discussion for somewhere else.)
Is there anything in the docs that provide an example implementation of how to access the info with a token?
thanks
I did a bit more research and found out about the google ruby client gem that was released. Basically, we have to feed the token into the Google::Client instance and pump out an object that has a defined set of methods that can be used on it.
I created a special case controller to handle this logic to render out a suitable api.
TO-DO: Will get into specifics in a bit. Currently I'm very tired.
we want to manage the credentials of the actions of the backend from
the backend.
How to get the list of the actions of an app? After that we could show
the credential of each one through getCredential().
2nd question: i found the function to get the credential of an action
(getCredential()), but how to set the credentials? I didn't find any
setCredential() function...
Javi
I agree with much of what has already been said regarding whether or not this is a good idea.
Regardless, to do what I think you are asking:
Credentials needed for an action come from this method in sfAction:
public function getCredential()
{
return $this->getSecurityValue('credentials');
}
You can overload that in your actions (or extend it in a new subclass of sfActions and have all your actions extend that) if you want to do something more complicated, like pull credentials from a database or some other source.
Getting a list of actions of an app has nothing to do with credentials. It's a matter of convention how the credentials are named or organized. Actions and credentials are independent. You could have one credential per whole application or define one credential per action. Still, you manage credential separately.
If you really want to get list of actions you could parse the routing file.
You could also use PHP's Reflection mechanism to get methods out of the action classes.
However, sfDoctrineGuardPlugin/sfGuardPlugin offers you sufficient credential management for most of the applications. I'd rather go with this approach.
2n question: There's no setCredential() method but there is an addCredential().
Let's start with your second question first, to firm up our grasp of how credentials in Symfony work.
Credentials in Symfony are set via the security.yml file the config directory of the module. A security.yml file might look like this:
all:
is_secure: true #makes all methods on this action require user's to be authenticated
edit:
credentials: [admin]
show:
is_secure: false #don't require authentication for this one
You cannot change the security settings of an action from the backend unless you want to actually write a new YAML file and clear the old one from the cache (not recommended). If you really needed dynamic credentials on an action, I would store some sort of switch (lock file, APC, database) and use a filter to dynamically set the credentials required (also, not really recommended).
Can't you do whatever you're trying to do with a standard user/group/permission setup?
I have a Flex UI that will need to connect to Rails. How do I manage authentication and only authenticated user's can connect and see their own data only? UPDATE: And how would I do this if I should not want to use RubyAMF (right or wrong)?
I would say auth_logic might be a better plugin for handling authentication. If you use RubyAMF with auth_logic you will make a call to UserSession.create and pass in the username and password. You may also want to check out Weborb for communicating with Flex, it uses RTMP and depending on your needs it may be a better fit.
Check out RubyAMF, it is super easy to set up and use and enables you to call controller methods directly from flash and return actionscript objects.
homepage: http://blog.rubyamf.org/
google code: http://code.google.com/p/rubyamf/
First, for RubyAMF, check out this link: http://unitedmindset.com/jonbcampos/2009/05/30/ruby-on-rails-with-flex/
Next, for the authenticated users, just use Restful Authentication, a ruby plugin:
http://techno-weenie.net/2006/8/1/restful-authentication-plugin
If you make the smallest change to the authentication failed function in the plugin, your app with throw fault events when a user tries to access a service that they aren't authenticated to access.