WSO2 Apim validate JWT token - jwt

I have a SPA (Angular) application that connects users with Azure AD B2C. The application then obtains a JWT. The application (SPA) must then consume APIs behind WSO2 APIM. I want to have the JWT validated by WSO2 APIM.
SPA --> AZUREADB2C
SPA <-- AZUREADB2C (JWT)
SPA --> APIM (Validate JWT) --> Backend API
Should I create a custom key manager in APIM, or is there another setting?

You should be able to use the JWT Bearer Grant[1] for this purpose.
Basically, you will have to add Azure AD as an IdP in APIM and configure a service provider. Then you can obtain a token from APIM after validating your JWT and use that to access the APIs.
[1] - https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/jwt-grant/#jwt-grant

WSO2 API Manager provides two ways to cater to this requirement.
If you want to validate the token directly generated from Azure AD
It needs to be configured as a key manager from the Admin portal. WSO2 API Manager does not have out-of-the-box support to configure Azure AD as a key manager. (It supports WSO2 IS, KeyCloak, PingFederate, Okta and Auth0 OOTB.)
You can write a custom key manager implementation and deploy it in API Manager to cater to this requirement. The steps to write a custom key manager are explained here.
User authentication with token exchange approach
WSO2 API Manager supports the OAuth 2.0 Token Exchange grant type (from APIM 4.1.0 onwards) to exchange JWT tokens generated by external authorization servers for an APIM token.
For this, you need to add Azure AD as a Key Manager as mentioned in this doc and exchange the JWT token generated from Azure AD for an APIM token. This method requires some modification in the SPA.
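Both answers boil down to the same two pieces of work: the gateway (or a key manager on its behalf) must check the signature, issuer, audience and validity window of the Azure AD JWT, and the SPA must post that JWT to APIM's token endpoint under one of the two grants. The following is an added illustration of both, written for this page and not taken from the answers, WSO2 or Microsoft. The issuer and audience values are placeholders, the token is HS256-signed with a shared secret so the example runs offline (Azure AD issues RS256 tokens, which a key manager verifies against the tenant's published JWKS public keys instead), and the form-field names come from RFC 7523 (JWT Bearer) and RFC 8693 (Token Exchange), which the two WSO2 grants implement.

```python
"""Added example (not WSO2 or Azure code): the checks a key manager performs on an
incoming JWT, and the form bodies of the two grants the answers mention."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed placeholders; a real deployment takes these from the Azure AD B2C tenant.
ISSUER = "https://example-tenant.b2clogin.com/tenant-id-placeholder/v2.0/"
AUDIENCE = "spa-client-id-placeholder"
# Only the algorithm(s) the deployment expects; "none" and unknown values are refused.
# This offline example uses HS256 with a shared secret; Azure AD issues RS256 tokens,
# which a key manager checks against the tenant's published JWKS public keys instead.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_test_jwt(claims, key):
    """Issuer side, only to produce test input: HS256-sign the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token, key, now=None, skew=60):
    """Gateway side: return the claims if every check passes, else raise ValueError."""
    now = int(time.time()) if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = segments
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # Verify the signature before trusting anything in the payload.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this API's audience")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + skew:
        raise ValueError("token expired or has no exp")
    if now < claims.get("nbf", 0) - skew:
        raise ValueError("token not yet valid")
    return claims


def is_valid_jwt(token, key, now=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_jwt(token, key, now=now)
        return True
    except (ValueError, KeyError, UnicodeDecodeError):  # JSON and base64 errors are ValueErrors
        return False


def grant_request_body(kind, external_jwt):
    """Form body the SPA posts to APIM's token endpoint (client credentials go in the
    Authorization header) to trade the Azure AD JWT for an APIM token."""
    if kind == "jwt-bearer":        # RFC 7523: the JWT Bearer Grant from the first answer
        fields = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                  "assertion": external_jwt}
    elif kind == "token-exchange":  # RFC 8693: the Token Exchange grant from the second answer
        fields = {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
                  "subject_token": external_jwt,
                  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
                  "requested_token_type": "urn:ietf:params:oauth:token-type:jwt"}
    else:
        raise ValueError(f"unknown grant kind {kind!r}")
    return urlencode(fields)
```

The order inside validate_jwt matters: the algorithm is pinned and the signature is checked before any claim is read, so a forged payload is never parsed for its issuer or audience. Clock skew is tolerated in both directions so that a token minted a few seconds ahead of the gateway's clock is not rejected.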

Related

Can I use AWS STS to generate a JWT token for an IAM account?

I am trying to figure out a way to authenticate my service A that calls my service B.
Both are hosted in AWS ECS so I assume service A has an IAM role it is running under which can be used to authenticate it.
My service B (asp.net core 6) application already uses cognito JWT token for authentication.
Question: Is it possible to get a JWT token without using Cognito for my service A (for M2M authentication/authorization)?

How to get rid of this error fetched while authenticating with JWT token at WSO2 IS?

I am trying to enable JWT authentication for my backend Java microservice, which is deployed locally, and all the requests to the microservice are gated through WSO2 APIM 2.6. The JWT token provider used is WSO2 IS 5.6.
I have placed all required configurations both at WSO2 IS and WSO2 APIM on my machine. Since both are on the same machine I have configured an offset of 1 too.
I created a fresh user in the APIM store and used it to create an application and subscribe to an API for the same user. The token type configured is JWT. I used Postman as the client for fetching the access token, and the access token gets fetched as expected. Thereafter, when I use the same token to access the required resource through the API gateway, it gives me back "Unclassified Authentication Failure" with code "0" and description "Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure":
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>0</ams:code>
<ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Access failure for API: /notification/1.0, version: 1.0 status: (0) - Unclassified Authentication Failure</ams:description>
</ams:fault>
I am expecting the resource to get created, as it is a POST request via WSO2 APIM to the backend service. Please share any available insights on this.
The token type JWT can only be used with API Manager micro-gateways. Create an OAuth application and try using the JWT grant type for it. You can find more information about the JWT grant type in
https://docs.wso2.com/display/AM260/JWT+Grant#JWTGrant-JWTBearerGrant

WSO2 API Manager and OAuth 1a signature verification

I am trying to integrate with a commerce platform called AppDirect. Every request AppDirect sends to my REST API service will be signed with an OAuth 1a signature. AppDirect does not use OAuth access tokens. Also, AppDirect provides the OAuth consumer key and consumer secret. See - https://docs.appdirect.com/developer/apis/billing-api-guide/oauth-credentials#validating-requests-from-appdirect for details.
I want to use WSO2 API Manager to perform signature verification, but I cannot find a way to enter AppDirect's key and secret into API Manager for signature verification. Is there a way to do this without writing custom code?
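For reference, this is what the verification the question asks about consists of: OAuth 1.0a (RFC 5849) HMAC-SHA1 request signing with only a consumer key and secret, which is the two-legged form used when no access tokens are involved. The following is an added example written for this page, not code from WSO2 or AppDirect; the consumer key, secret, URL and request are constructed placeholders, and the sender-side helper exists only so the verifier can be exercised end to end. The verifier also enforces a timestamp window, which is part of the RFC but easy to forget.

```python
"""Added example (not WSO2 or AppDirect code): verifying an OAuth 1.0a HMAC-SHA1
request signature given a consumer key/secret and no access token."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed placeholders standing in for the key/secret AppDirect would issue.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
KNOWN_CONSUMERS = {CONSUMER_KEY: CONSUMER_SECRET}


def _enc(value):
    # RFC 5849 3.6: percent-encode everything except the unreserved characters.
    return quote(str(value), safe="-._~")


def parse_auth_header(header):
    """Parse 'OAuth k="v", k2="v2"' into a dict; realm is not part of the signature."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth 1.0 Authorization header")
    params = {}
    for piece in rest.split(","):
        key, _, value = piece.strip().partition("=")
        if key.lower() != "realm":
            params[key] = unquote(value.strip().strip('"'))
    return params


def signature_base_string(method, url, oauth_params, body_params=None):
    """RFC 5849 3.4.1: METHOD & normalized-URL & sorted, encoded parameters."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path or '/'}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs += list((body_params or {}).items())  # form-encoded body fields are signed too
    encoded = sorted((_enc(k), _enc(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return f"{method.upper()}&{_enc(base_url)}&{_enc(normalized)}"


def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=None):
    """HMAC-SHA1 over the base string; the key is consumer_secret&token_secret (empty here)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode("ascii")
    base = signature_base_string(method, url, oauth_params, body_params).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def build_signed_header(method, url, consumer_key, consumer_secret, timestamp, nonce, body_params=None):
    """Sender side (only to produce test input): the Authorization header a caller would send."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign(method, url, params, consumer_secret, body_params=body_params)
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in sorted(params.items()))


def verify_request(method, url, auth_header, known_consumers, body_params=None, now=None, max_age=300):
    """Receiver side: True only for a fresh request signed by a known consumer."""
    try:
        params = parse_auth_header(auth_header)
        timestamp = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    secret = known_consumers.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_age:  # stale request; a full verifier also tracks nonces
        return False
    expected = sign(method, url, params, secret, body_params=body_params)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Whatever component ends up doing this (a gateway policy or the service itself), the secret it holds is the same consumer secret the sender uses, so it must be stored and rotated like any other shared credential.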

Validate oAuth 2 access token in APIGEE without VerifyOAuthTokens policy

We are using Apigee as our Authorization Server (AS) and we have a few Spring Restful services deployed in IBM Bluemix public cloud which acts as our Resource server (RS).
Each of the services has an equivalent proxy service configured in Apigee. For the proxy services, we have configured the VerifyOAuthTokens policy to verify the token passed by the user and return an error if an invalid token is passed.
The problem is, since our RS is in the public cloud (no plans or need of moving to a dedicated or private cloud), the API endpoints are open and can be invoked by anyone who knows the URL. Though the expectation is that everyone should call the APIs via Apigee proxies, we cannot force that, since we are in the public cloud and there are no options of opening ports only to traffic coming from Apigee or something similar. We would like to take the following approach to secure the API endpoints:
1. Accept the Authorization header for each call
2. Take the token and call a validate token service in Apigee
For 2, we are not able to find an Apigee API which can validate an access token similar to, say, Google's
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
or Github's
GET /applications/:client_id/tokens/:access_token
Is there actually an external APIGEE service to validate a token?
If not, what would be the best way to make sure that only valid users with valid tokens can access the apis?
Thanks,
Tatha
Did you look at this post in the Apigee Community: Using third-party OAuth tokens
We did something similar to this but not using oauth tokens. We used Apigee to do a callout to a third party IDP (identity provider). The 3rd party IDP wasn't able to generate tokens but exposed a web service to authenticate the user. If the user was authenticated successfully (based on interpreting the result received back from the target endpoint webservice), then you tell Apigee that it was successful by setting the external authorization status to true (step #2 in the link).
NOTE: this has to be done inside an Assign Message Policy step PRIOR to the GenerateAccess token operation. Apigee interprets this as a successful authorization and then can generate a valid oauth token that the caller can then send along to access the protected API.

Request token from ACS with AAD JWT token

I have a native app registered in AAD and I've added it in ACS as identity provider. Now I would like to use the JWT token issued from AAD to request a token from ACS for service bus. I checked out this article: How to: [Request a Token from ACS via the OAuth WRAP Protocol][1]
[1]: https://msdn.microsoft.com/en-us/library/azure/hh674475.aspx#BKMK_1 and it lists three ways of requesting token from ACS: Password, SWT and SAML. I'm wondering if it's supported or there's any example of requesting by using JWT token.
As such, ACS capabilities are being moved to Azure Active Directory, AAD will soon be the one service for all authN/authZ, and ACS will be sunset. So you need to follow the process of registering your app in AAD and then manually handle the JWT token response on successful authentication of the request from the client application. It uses the JSON Web Token handler.
Refer to the sample here: AAD JWT token handler sample
Of course this is a sample with web api and you have to modify as per your application.