My system should verify user's type during registering process. The verification is done with data from Salesforce. I created Salesforce REST API. I wondering how should I create ZF2 client to consume Salesforce REST API ? Should it be done as a zf2 lazy service, or just as a regular service ?
Related
The rest API (https://cloud.google.com/identity-platform/docs/use-rest-api) support user sign up without request attribute, multiFactor : {enrolledFactors :[]}. It seems that the only way to enable multi-factor authentication is via NodeJS server as described here: https://cloud.google.com/identity-platform/docs/admin/manage-mfa-users.
Is this correct? NodeJS api must be relying on rest-api. So any reason, it will not work with a direct rest API call.
After further investigation, the restful API does let a client programmatically specify MFA attributes. The API is accounts.signUp.
https://cloud.google.com/identity-platform/docs/reference/rest/v1/accounts/signUp
I am building a microservice project in which I need certain clarification on what to do in these situations:
for centralized authentication and authorization or centralized authentication on API gateway, every request must contain jwt token and pass-through API gateway to call other microservice also it should check which user has permission to access API in other microservice. So how can I handle those situations?
I will be using specific tool for exploitation.
users will come through either web browser or mobile app. your api gateway will be exposed to external world. most of the apiGateway nowdays contains plugins for authentication and authorization. for example you can use OIDC plugin with api gatway to authenticate the users which will return JWT token to call the internal apis. you can refer below component diagram link for architecture diagram
I want to consume my salesforce REST API from ZENDESK app. To consume my salesforce REST API i need to send Authorization header with salesforce acess_token. To get the access token in zendesk i am creating a server side zendesk application. I writing code to fetch the access token and deploying in on my other server and finally using that site in my zendesk app.
Is my approach correct or is there any better approach?
I have the following set up:
A web app (Jetty/Java)
A native client (iOS) (calling my webapp)
The Microsoft Graph API (called from my webapp)
The idea is that the user should sign in with OpenID/Oauth2 using his/her Office 365 credentials. The webapp will then call the Microsoft Graph API on behalf of the user (offline as well).
To achieve this I'm pretty sure I need to use the grant type: "Authorization code grant".
I can find a lot of example of the Oauth2 flow for browser based apps, and for when the native app calls the Graph API directly... but I want my backend to call the Graph API (and hold the access & refresh tokens).
So the question is how to do this properly? Here is my idea at this point.
From the native app: open a browser, call my web server which will trigger a redirect to the Azure /authorize endpoint (example: https://login.microsoftonline.com/[tenant]/oauth2/v2.0/authorize?client_id=[clientid]&response_type=code&scope=offline_access%20user.read%20calendars.readwrite&response_mode=query&state=12345&redirect_uri=my-scheme://oath2-code-reply
This will trigger authentication/authorization and then send the access code back to the app (using a custom scheme redirect: my-scheme://oath2-code-reply).
The app can then call my web app with this access code, where we can exchange the code for refresh & access code, and also create our own session for the user.
Is this the correct way?
Or should the entire flow occur in the browser and as the final step I open the app again with something like myapp-scheme://?sessionid=[our-own-session]?
For your scenario, you should use the on-behalf-of-flow.
A server-side sample that you can use as reference is https://github.com/Azure-Samples/active-directory-dotnet-webapi-onbehalfof - a note is that this sample is a .NET sample using a JavaScript SPA as a client - but hopefully it can guide you. You can use this sample for an overview on how to request tokens for your web api.
A note is that your item '1.' suggests that you are using the 'v2' endpoint. The 'v2' endpoint has some limitations, including for the scenario you are trying to accomplish (request access token to a Web API) - please see this document with information on these limitations, therefore my recommendation is to use the v1 endpoint at this moment for your scenarios -- which mean that you can only authenticate corporate accounts (and not MSA). The documents and samples I've indicated above uses the v1 endpoint.
I have a existing application built in ASP.NET. This application has REST APIs. We are wanting to expose these APIs via API connect platform. Now, since our APIs are already authenticated, if we use IBM API connect, then how will end user authenticate to our API and API consumer authenticate via IBM Developer portal?
Lets say our API clientA logs into our developer portal, creates an app and then subscribes to our API. Now when end users try to access our API "VIA ClientA", we need to authenticate the request.
I tried to follow this tutorial http://www.ibm.com/support/knowledgecenter/SSFS6T/com.ibm.apic.toolkit.doc/task_apionprem_redirect_form_.html
But it does NOT get redirected to our external URL.
Please help!
The API gateway (part of API Connect) establishes and enforces authentication between the API end-user/subscriber and your outbound API service running on API Connect. The gateway acts as a service proxy to authenticate potentially many subscribers to a particular API plan (made up of one or several APIs), using API keys that are generated as new subscribers onboard to that plan. The management and enforcement of those API keys is accomplished entirely within API Connect. Nothing is required on your part, except the initial setup parameters for each API.
For that same API, the back-end authentication between API Connect and your existing REST API endpoint is different: it is the same for all end-user subscribers. Every time an end user calls an API they have previously subscribed to, they must first authenticate to API Connect using their unique key (since their usage must be tracked, billed and possibly limited). Once authenticated to the API gateway, all subscribers invoking usage instances for this API will be authenticated to the same API endpoint using the same authentication scheme and credentials as created when setting up the API.
Their are several choices of back-end authentication schemes when using external API endpoints. See this tutorial for more information and links to further resources:
https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.toolkit.doc/tutorial_apionprem_security_OAuth.html