Authentication between services - jwt

I am struggling with authentication and passing tokens between services.
I have 3 services: authentication, Service1, and Service2.
They are separated. I log in to the authentication service, generate the JWT token, and get the token. What is the best way for Service1 and Service2 to get and validate this token? Should I send this token in the HTTP request header? How should I store this token on the client machine, in cookies?

Related

What is the correct keycloak workflow?

Ok, let's say there is an app: a client and a microservice-based backend with an API gateway.
I've read through the Keycloak docs but can't work out the exact workflow.
Situation:
1. The client is unauthenticated and sends a GET request to /users.
2. The API gateway gets the request, sees there is no token and redirects me to Keycloak (right?)
What happens after I enter a valid username and password?
3. Keycloak sends tokens to the API gateway and it sends them back to the client?
Or maybe the client must go to the Keycloak auth page directly, get tokens and only then include them in request headers? How does the API gateway validate tokens then?
Thank you.

Why keycloak public client doesn't have Authorization

I am not able to understand why a public client doesn't have the Authorization feature. How do I achieve authorization in the frontend then?
One approach I understood is to create two clients, one for the frontend and one for the resource server, which is a confidential client. For the resource server set up the authz, and then in the public client fetch the backend authz info via API calls.
For authentication, I am passing tokens from the frontend and validating the JWT at the backend. For authorization I can also pass the token which I retrieve from authz and validate the JWT. So it means I am creating a confidential client only for storing authz information; if I had a public client with authz then I wouldn't have had to create multiple clients?

Kubernetes Service account authentication in Postman

I have a Kubernetes cluster and I have my application deployed in the pods. There is an endpoint URL of my application which I use to send POST requests from Postman. I need to provide some level of authentication for my URL. I read about service account authentication using the JWT token.
How can I achieve the same feature in Postman?
I tried creating a new service account and used the secret and the associated JWT token as the Bearer token in Postman. But it is not giving any kind of authentication.
https://medium.com/better-programming/k8s-tips-using-a-serviceaccount-801c433d0023
I can't directly answer your question, but what comes to my mind is this: Istio supports token-based end-user authentication with JSON Web Tokens.
You should understand I haven't tried to do that, but this looks very promising to me: Istio End-User Authentication for Kubernetes using JSON Web Tokens (JWT) and Auth0
And to test the JWT-based authentication and authorization workflow they use exactly Postman, as you prefer.

How to use Azure AD to authenticate users for third-party applications?

I didn't touch AAD before, but I have to use it to authenticate users for my REST service.
I have a mobile client that can authenticate a user on AAD with OAuth2. As a result it has a bearer token.
The mobile client should use this bearer token as a parameter in a request to the protected REST service.
The REST service is a Java-based application (Spring Boot) and it was registered in AAD as a Web application, but I can not find a way for it to connect to AAD to check whether the token is valid or not.
I expected to have something like an /oauth2/check_token endpoint that takes a token value and returns user data, but I didn't find anything.
Is it possible to use AAD to authenticate users for third-party applications, and if yes, how do I do it?
The token issued by AAD is a signed JWT token. You do not need to communicate with AAD to verify the token is valid. If you trust the issuer (AAD) and the token is valid (correct audience, valid signature, not expired etc.), you accept the claims in the token.
See this article for the steps to validate the JWT token.
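One way to implement what the first question asks (Service1 and Service2 validating a token issued by a separate authentication service, sent as an HTTP bearer header) and what the answer above describes (verify locally: trusted issuer, correct audience, valid signature, not expired, with no call back to the issuer). This is an added example and not code from any of the posts; it uses a constructed HS256 shared secret so it runs with the standard library alone, whereas an AAD token is RS256-signed and the signature check there uses the issuer's published public key, with the same claim checks. `issue_token`, `validate_token`, `authorize_request` and the issuer URL are assumed names.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret for the demo; real services load it from configuration
# (an AAD/Keycloak verifier would hold the issuer's public key instead of a secret).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://auth.example.test"  # assumed URL of the authentication service

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, audience: str, ttl: int = 300, now=None) -> str:
    """Authentication service: sign the claims with HS256, scoped to one audience."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = header + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(sig)

def validate_token(token: str, expected_audience: str, now=None) -> dict:
    """Service1/Service2: verify on every request without contacting the issuer.
    Raises ValueError naming the first failed check; returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the alg the token names
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:  # a Service1 token must not work at Service2
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def authorize_request(headers: dict, audience: str, now=None) -> dict:
    """Take the bearer token from the HTTP Authorization header and validate it."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ValueError("missing bearer token")
    return validate_token(auth[len("Bearer "):], audience, now)
```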

What does `endpoint` exactly mean in OAuth?

I saw the word "endpoint" many times in OAuth documents. However, I still don't know what this word really means. Does anyone have ideas about this?
The OAuth 2.0 Authorization Framework:
    The authorization process utilizes two authorization server endpoints (HTTP resources):
    - Authorization endpoint: used by the client to obtain authorization from the resource owner via user-agent redirection.
    - Token endpoint: used by the client to exchange an authorization grant for an access token, typically with client authentication.
It's basically the HTTP web address of the authentication server. It could probably be several server addresses depending upon how it's worked. The first is for requesting access from the user; the second could be for granting access to the application. This probably depends upon how the authentication server is set up.
OAuth endpoints are the URLs you use to make OAuth authentication requests to the server. You need to use the correct OAuth endpoint when issuing authentication requests in your application. The primary OAuth endpoints depend upon the system you are trying to access.
Example: Google has two endpoints.
Request access from the user:
https://accounts.google.com/o/oauth2
Exchange tokens:
https://accounts.google.com/o/oauth2/token