When configuring a Cognito Authorizer in API Gateway, a tooltip suggests providing a regex that will pre-validate the audience (aud).
I'm not clear on what the payload will be, so I'm not sure how to write this regex. Is there a sample regex available?
Related
I've implemented Sign In with Apple in my iOS app, and now I have also implemented it in my website. What surprises me is that both flows end up with a difference audience value in the id token, is that to be expected? The iOS app uses the app's bundle id, and the web flow uses the service id's identifier.
So for example in the iOS flow the audience is com.domain.app and in the web flow the audience is com.domain.siwa. When I'm sending the id token to my server where I am doing the validation logic, I now have to know where the id token comes from so I can use the correct audience. It would be easier if the audience could just be the same for both flows. Is that possible? Or should I just forgot about this and work with two difference audience values?
The reason why the audience aud claims of your JWT tokens differ is that, as Apple themselves puts clearly, the audience registered claim identifies the recipient for which the identity token is intended.
Simply put, as the audiences are literally different, the aud claim should & will always be different.
This is not unique to Apple and is actually taken from RFC7519: JSON Web Token, so trying to make the aud claim values the same is actually going to be against the JWT spec.
Here is how RFC7519 describes it:
The "aud" (audience) claim identifies the recipients that the JWT is
intended for. Each principal intended to process the JWT MUST
identify itself with a value in the audience claim. If the principal
processing the claim does not identify itself with a value in the
"aud" claim when this claim is present, then the JWT MUST be
rejected. In the general case, the "aud" value is an array of case-
sensitive strings, each containing a StringOrURI value. In the
special case when the JWT has one audience, the "aud" value MAY be a
single case-sensitive string containing a StringOrURI value. The
interpretation of audience values is generally application specific.
Use of this claim is OPTIONAL.
If you need to, I would say to just deal with different audience values but what are you using the aud claim value for anyway?
If you're trying to restrict specific features, for example, based on a certain "audience", feel free to use it however the use of this claim for business logic isn't really that widespread.
Other claims will most likely be better suited depending on what you're exactly trying to achieve here.
ID TOKENS
The audience for an ID token represents the client application, so you will have 2 different audience values. ID tokens are typically validated by the client app, eg in the mobile code, but using an API to do the work is also possible.
ACCESS TOKENS
Here is the OAuth standard behaviour:
Don't send ID tokens as credentials in API requests - send access tokens instead. Access tokens have an audience that specifies an API or a set of related APIs, eg api.mycompany.com.
Issue your own access tokens, where you can control the scopes and claims that your APIs will need for authorization - Apple tokens are not designed to be used in your own APIs
AUTHORIZATION SERVER (AS)
The optimal way to issue your own tokens is to let an AS manage the connection to Apple for you - as in this tutorial.
SUMMARY
Hopefully this gets across key points in case useful. Aim to base solutions on the standard design patterns that have been vetted by experts for many years. Sometimes vendor specific guides don't explain these principles well.
My sectoken is authorized but I don't know how to formulate a URL so that I can bypass the WSO2 IS sign-in page (login.do).
I read online it can be passed through a link in this format:
localhost:9443/samlsso?SAMLRequest=[SAMLRequest]§oken=[SECTOKEN]
I'm just not sure what to put in for [SAMLRequest].
As for the answer, you may try to use OneLogin PHP module to generate a SAML Request.
Here is an example SAML Authn Request however you may need to change the issuer, destination, AssertionConsumerURL, and issue timestamp.
Please note there's difference when sending SAML Request as GET and POST. GET (Redirect-Binding) uses deflate and encode, signature is a separate request parameter, POST (POST-Binding) uses signed XML and only encoded XML, not deflated.
SAML is great protocol (very well designed and secure when implemented properly), but it may look difficult for people who hasn't use it before, it may require using external libraries to properly create requests and validate responses. That's why you may be as well looking for option which would may make your life simpler, such as using WSO2IS for SSO (single-sign-on) e.g. using simpleSAMLphp or direct OAuth authorization request.
The Kubernetes documentation related to OpenID Connect mentions that as part of setting things up you need to supply some parameters to the API server:
--oidc-client-id: A client id that all tokens must be issued for.
There is no other explanation about how this would map to, say, something returned by the OpenID Connect-conformant Google identity provider.
I don't know what this parameter value will be used for. Will it match against something in the decoded JWT token?
It looks like the id_token returned by the Google identity provider might contain something, once decoded, in its aud field (aud is apparently short for "audience"). Is this what the --oidc-client-id should match? Am I way off?
This can be explained from the kubernetes documentation on id tokens.
As you can see, identity provider is a separate system. For example this can be MS Azure AD or Google as you have shown.
When you register for a identity provider, you get important things in return. client id is one such important parameter. if you are aware of the openid connect flow, you need to provide this client id when you follow the flow. If the flow is complete, you will return an id token. An id token has one must have claim, aud which is the audience that token was issued for.
When you validate an id token you MUST verify you are in the audience list. More can be found from the spec.
Quoting from specification,
The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience
Now, kubernetes uses bearer tokens. Here the tokens used are id tokens. To validate the token it should know specifically the audience. This enables the API server to validate the token is issued for the particular client who made the call. Thus authorising the call to to success.
Akka HTTP and Spray provide an authenticateOAuth2 directive, but their documentation states that
This directive does not implement the complete OAuth2 protocol, but instead enables implementing it, by extracting the needed token from the HTTP headers.
I also cannot find any libraries that implement OAuth2 for Akka HTTP or Spray. Is there something I'm missing, or is this simply the state of these libraries right now?
I think the biggest problem is that OAuth2 itself doesn't really tell you how the implementation details look like.
To quote the RFC:
The token may denote an identifier used to retrieve the authorization
information or may self-contain the authorization information in a
verifiable manner (i.e., a token string consisting of some data and a
signature). Additional authentication credentials, which are beyond
the scope of this specification, may be required in order for the
client to use a token.
Access tokens can have different formats, structures, and methods of
utilization (e.g., cryptographic properties) based on the resource
server security requirements. Access token attributes and the
methods used to access protected resources are beyond the scope of
this specification and are defined by companion specifications such
as [RFC6750].
For example you could use JWT to validate a request or you could use the token only as an identifier and ask a service whether the token is allowed for that resource.
Depending on your OAuth2 provider the implementation can vary, so my guess is the framework can only provide you the common thing (extract the token for you) or it would have to implement all possible OAuth2 implementations, which seems not feasible at this point.
I personally have used pauldijou/jwt-scala in the past, which you might want to take a look at.
My REST service uses OAuth 2.0 authentication. I want to test some GET URLs using the browser (without using a client). Can I pass the bearer token in the URL ?
URL : www.example.com/employee/employeeId
You can pass it in the access_token query parameter, see https://www.rfc-editor.org/rfc/rfc6750#section-2.3, but as noted in the other answer, it is not the preferred way of passing a token. It may end up in logs, browser cache etc. On this method the spec says:
Because of the security weaknesses associated with the URI method
(see Section 5), including the high likelihood that the URL
containing the access token will be logged, it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body.
Resource servers MAY support this method.
This method is included to document current use; its use is not
recommended, due to its security deficiencies (see Section 5) and
also because it uses a reserved query parameter name, which is
counter to URI namespace best practices, per "Architecture of the
World Wide Web, Volume One" [W3C.REC-webarch-20041215].
So you should also be aware that the Resource Server (or API) may not even support this method of token passing. The only method that is mandatory to implement is the Authorization header method.
You most certainly can.
Ses facebook graph API. But be aware that it is not recommended since users may sent these urls as email or messages. Oauth 2.0 spec writes about it.