How to implement a component that publishes secure REST services, with these conditions:
These services should be secured by OAuth 2.0.
This component will be the Resource Server.
The Authorization Server is a third-party component implemented with Spring OAuth 2.0 and deployed on a JBoss server.
The client app will call the resource server, using JavaScript or a RestTemplate client.
Since you are already developing other legs of the OAuth2 solution using Spring Security, there is no reason not to use it as the OAuth implementation for Mule as well.
http://www.mulesoft.org/documentation/display/current/Configuring+the+Spring+Security+Manager
There are also some prepared things in Mule; if you run the commercial version, check this out: http://www.mulesoft.org/documentation/display/current/Mule+STS+OAuth+2.0a+Example+Application
I have a web application written in MVC 5 Asp.Net 4.7, C# on Azure App Service. I want to integrate it with a 3rd party web application, via its API, using OAUTH2 whereby the server application punches out to it, causing its Identity Server to acquire user credentials and then to finally issue a Refresh and Access token so my application can make calls on its API.
Now to my question.... As I understand it the recommended OAUTH code flow for this is "Authorisation Code Flow", however the 3rd party wishes me to use "Hybrid Flow" as they have been advised this is more secure. Is this correct? I emphasise this is a web server to web server interchange, apart from the redirection by the 3rd party identity server for user credentials.
Thank you in advance.
We have an existing MVC Angular application enabled with ADFS WS-Fed authentication. The application has many APIs hosted as a part of the solution which are internally accessed by views. Now we have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenID for the endpoints and enabling other developers to access them. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.
Reading this very good blog post (Getting familiar with IBM MobileFirst Platform Foundation OAuth Security), I learned how MobileFirst Platform (7.0 and above) has an integrated OAuth 2.0 Authorization Server, which can be used to protect external resource servers.
However what I would like to understand is if it's possible to integrate MobileFirst Platform with another Authorization Server and protect MobileFirst Platform (and external) resource servers. The Authorization Server in this case would be ADFS running on Windows Server 2012R2.
This document from the Product Documentation explains how to use DataPower as OAuth Authorization Server. Can it be used also for other OAuth 2.0 Authorization Servers? (The Authorization Server in this case would be ADFS running on Windows Server 2012R2.)
IBM MobileFirst v8.0 only has support for DataPower as an external authorization server.
If you'd like to use a different AZ server, the only way I can think of is implementing the flow via a MobileFirst SecurityCheck, and having that security check call the other Authorization Server.
That way you'd be using both the MFP Authorization Server and ADFS (so two OAuth flows, two tokens, etc.).
Think of this high-level flow example:
Your resource is protected by some scope, this scope is mapped to a security check in MobileFirst server. When your client attempts to access the resource, your security check is triggered, which will then make a request to the ADFS authorization flow. Your security check would then act as a middle man between the ADFS and the client, and will be successful only when the ADFS has granted a token.
Eventually, when the MFP security check is successful, an MFP OAuth token will be granted to the client, which will allow it to access the protected resource.
So basically your security check will act as your client against the ADFS Authorization Server.
A simpler way would be to make that resource unprotected and implement your own custom OAuth flow against ADFS, but that's not the original question.
But the plus side of the first option is that you can always map that same scope (which is protecting your resource) to something else uninterruptedly (via the console), like to a different security check which does something else.
For IBM MobileFirst 7.1 (or 7.0), the flow is pretty much the same, only the terminology is different: in 7.x there are no security checks, but you can use a Custom Authenticator to get the same functionality.
Personal note: if you're not bound to using 7.x, I'd recommend doing it in 8.0.
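The two-token flow this answer describes (a scope mapped to a security check that acts as the OAuth client toward ADFS, after which MFP issues a token of its own), as an added Python model; this is not MobileFirst or ADFS code, and the HMAC tokens, client id, user store and scope name are constructed stand-ins.

```python
import base64, hashlib, hmac, json, secrets, time

def sign_token(payload, key):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token, key):
    """Return the payload if the signature and expiry check out, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(expected, mac):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload.get("exp", 0) > time.time() else None

class UpstreamAuthServer:
    """Constructed stand-in for the external authorization server (ADFS in the answer)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.clients = {"mfp-security-check": "demo-client-secret"}  # registered OAuth client
        self.users = {"alice": "correct horse battery"}              # constructed user store
    def token(self, client_id, client_secret, username, password):
        if (self.clients.get(client_id) != client_secret
                or not hmac.compare_digest(self.users.get(username, ""), password or "")):
            return None
        return sign_token({"iss": "upstream", "sub": username, "exp": time.time() + 300}, self.key)

class BrokerAuthServer:
    """Models the MFP side: scope -> security check -> the broker's own token."""
    def __init__(self, upstream):
        self.upstream, self.key = upstream, secrets.token_bytes(32)
        self.scope_checks = {"adfs-protected": self._adfs_check}  # console-configurable mapping
        self.upstream_tokens = {}  # upstream tokens stay server-side, never reach the client
    def _adfs_check(self, creds):
        # The security check is itself the OAuth client toward the upstream server.
        return self.upstream.token("mfp-security-check", "demo-client-secret",
                                   creds.get("username"), creds.get("password"))
    def obtain_token(self, scope, creds):
        # Run the check mapped to the scope; on success mint a broker token bound to that scope.
        check = self.scope_checks.get(scope)
        upstream_tok = check(creds) if check else None
        if upstream_tok is None:
            return None
        tok = sign_token({"iss": "broker", "sub": creds["username"], "scope": scope,
                          "exp": time.time() + 300}, self.key)
        self.upstream_tokens[tok] = upstream_tok
        return tok
    def authorize(self, token, scope):
        # Resource-side check: a valid broker token carrying exactly the requested scope.
        payload = verify_token(token, self.key)
        return payload is not None and payload.get("scope") == scope
```

The client only ever sees the broker's token; the upstream token is held by the broker and is not valid against the protected resource, and a broker token is not valid at the upstream server.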
I have developed an API using ASP.NET Web API 2 to be consumed by applications in my domain. I want to secure the access to the API endpoints. I've decided to use OAuth token-based authentication for mobile app clients and web app clients.
However there are some non-interactive Windows service clients that need to consume the API. I do not want to store login credentials to get a token in the service config; however, Windows authentication suits this type of client.
Is it possible to use hybrid Windows and token-based authentication in ASP.NET Web API? How?
I think the Windows authentication service from IdentityServer might be a good solution for your problem.
You can find more information at: WindowsAuthentication repo
I have decided to break up the API into two: one for normal OAuth-based access and the other with specific resources using Windows authentication, to be consumed by non-interactive Windows service clients.
We want to secure our API using OAuth.
Our server exposes functionalities through APIs. Separate UI applications consume these APIs.
Users use these UI applications to access their resources. Since there are only two systems (client and server) involved, we would like to have a 2-legged authorization flow instead of 3-legged with redirections. Also we would like to have separate UI (client) application verification once and use this verification code to perform user login and get an access token.
Currently we are evaluating the Spring Security framework. Most Spring Security tutorials/articles talk about 3-legged OAuth with the bearer token approach.
I'm not sure if it supports request signing and the above-mentioned required process. Is there any other open source framework we can use?