When creating a route in an HTTP (not REST) API Gateway API, I'm able to require IAM authorization from either the console or the CLI.
I can't figure out how to do this from CDK. The authorizer parameter wants an IHttpRouteAuthorizer, and the only implementations I see are HttpJwtAuthorizer, HttpLambdaAuthorizer, HttpUserPoolAuthorizer, HttpNoneAuthorizer, none of which seem to correspond to simple IAM authorization.
What do I need to do to configure a route to use IAM authorization from CDK?
The HTTP API is still experimental in CDK. Not all features are there yet.
That said, the HttpIamAuthorizer is under development at the moment and is very close to getting merged.
Update (26 Dec 2021): HttpIamAuthorizer is now available from versions 1.137.0 and 2.3.0 on.
Regarding the previous post (I am new, and lack the reputation points to comment directly)
Update (26 Dec 2021): HttpIamAuthorizer is now available from versions 1.137.0 and 2.3.0 on.
Unfortunately, something went wrong with the CDK release mechanism. See https://github.com/aws/aws-cdk/issues/18138 for details. HttpIamAuthorizer is not available in version 2.3.0.
Related
I am trying to change google identity platform configuration with cli using gcloud CLI SDK for linux.
to be specific I want to call these API getConfig and UpdateConfig
Is there a way to do this using gcloud cli? there seems to be a group called Identity as per the docs, but this does not seem to be doing what I want
I struggled using Google's Identity Toolkit/Platform and how these correspond with Firebase-Auth too.
The term is overloaded by Google and Cloud Identity, Identity Platform and Firebase Auth have overlapping sets of functionality.
Name
URL
Cloud Identity API
cloudidentity.googleapis.com
Identity Toolkit API
identitytoolkit.googleapis.com
NOTE Identity Toolkit is inaccessible through Google APIs Explorer
I wanted to be able to programmatically update Firebase Auth's authorized domains.
By observing the calls made by Firebase Console, I needed to use getConfig and updateConfig too.
These aren't surfaced through gcloud.
Essentially:
GET the response from getConfig
I used jq to transform it into my desired state
PATCH config1 using an updateMask
1 The endpoint for the updateConfig method is actually (just) config
This worked for me and hopefully helps you better understand how you can use these methods directly.
I blogged about it more comprehensively here
We have installed and configured RedHat APIMan for our working API and the plan is migration form current home-grown tiny gateway to APIMan. The problem is that we have some unprotected endpoints which do not need login (Not everyone role! No login required at all). We are using Keycloak OAuth plugin for roles, and Authorization Policy for API security. When Authorization policy is not added, I can allow unauthenticated requests via a boolean value in Keycloak OAuth policy, but after adding Authorization policy, there is no way to let unauthenticated requests pass!
Kamyar. Apiman developer here.
Please file a feature request for this over at https://github.com/apiman/apiman/issues.
I think what you are trying to do may not currently be possible easily because the authentication policy is expecting a successful auth of some sort before it is hit (to get the roles, etc).
We probably need a slightly more detailed explanation of your use-case, and then we can figure out whether we can support it. It seems like it should be doable without major changes if I understand correctly.
If and when we add support for the specifics of your requirement, I will endeavour to update this ticket.
I am struggling to understand the documentation on how to make a request to Amazon S3 API's to retrieve a list of Objects.
The documentation doesn't show how to Authorise the request using just the access key and secret. Can someone post an example? preferably something I can use in Postman to test with.
AWS supports two signature versions: Signature Version 4 and Signature Version 2.
You should use Signature Version 4. All AWS services support Signature Version 4, except Amazon SimpleDB which requires Signature Version 2.
All AWS regions support Signature Version 4.
Here is a great article by ĆUKASZ ADAMCZAK explaining how to generate and sign the S3 request using openssl and curl:
Amazon S3 REST API with curl
The real challenge will be to do the sigv4 signing. I truly urge you to use one of the established SDKs (what language are you using??). If not wrap a call to the AWS CLI.
If you really want to implement it yourself the I urge you to open source your efforts so others can benefit.
I would start by setting up the bucket with no auth (so anyone can read from it) and determine how to make a request to S3 first. You can see some raw HTTP Request examples here: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html#RESTObjectGET-responses-examples
Then you'll be on to the fun part, sigv4 signing the request. This is a well documented process but still a good amount of effort. https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
I am looking to access a local instance of Couchbase Server through its REST API. The HTTP GET requests are sent from Java.
The problem I am currently running into has to do with authorization.
Specifically, I have managed to use Couchbase's Basic Authorization, but only by obtaining the hashed credentials (bG9jYWw6dHdlZXRzOnBBc3Mx in the example linked to above) by monitoring a Couchbase browser session using Chrome's developer tools and inspecting the request headers.
Now, another Couchbase article mentions that Couchbase uses SHA-1 in compliance with SCRAM. However, no mention is made of how to obtain the 'salt' and 'iterations' parameters from Couchbase. Which, I assume I need to go from the credentials to the challenge solution (i.e. hashed string)
So, the question is as follows: how to get from the credentials (user="local:tweets", pass="pAss1") (from the example of the first link) to bG9jYWw6dHdlZXRzOnBBc3Mx?
Thanks in advance,
Thomas
SCRAM SHA-1 support is only for the Data (K/V) service and only through certain Couchbase SDKs which use the memcached binary protocol. The Java SDK does have support for SCRAM SHA-1.
The REST interface you appear to be using is N1QL's API. That does not support SCRAM SHA auth.
If you're looking to give some other application HTTP access, my recommendation would be to write a small Java app with Spring Boot or the like and use the Java SDK from there. Then you have complete control over how auth is done at the REST interface. A colleague wrote one of these just the other day. Note that even in this case, the Java SDK won't be using SCRAM when running N1QL queries, but you can use that as a point of control.
I want to integrate keycloak security features to my spring boot based rest apis.
I am using KeyCloak 1.3.1 Final.
Now this is pure rest based api and am doing my testing through postman
I have got my rest api secured and when i try to access it do asks me for authorization, but am not able to execute my request. basically am locked out of my api.
I will quickly list out things that I have already done
Created a spring boot rest api and tested it. It works fine.
Modified my gradle for KeyCloak and configured it as per this document
Configured my keyCloak for the "bearer only" application
I tried to generate access token, but I was not able to. Therefore I created another Client in keycloak with "confidential" and used this client to generate the access token (both the clients were pointing to same application. Am not sure if this is correct)
With this access token, I am trying to make api call but am getting 401
Again am using this document.
I am new to both keycloak and spring.
So what I want to ask here is how can we generate the access token for testing a rest api in a scenario like one which is here.
Any useful resource on KeyCloak that can help me out here. As of now I dont have a clue as to where the problem is? Is it with my api or with how I have configured the KeyCloak.
Also since I am new to spring and I just could not found a decent document on how to configure cloak for spring boot. If you can help with that as well.
Moving further on this I was informed on the KeyCloak mailing list that spring boot adapter only supports basic authentication, and so I decided to incorporate the spring security adapter itself.
I did that and when am running the application and providing creds am still not able to make it work. However something interesting is happening. I am being redirected to http://127.0.0.1:8090/sso/login
I double checked it and that is not the redirect url i have provided.
???
Any idea why?
(Once again am new to it and learning about spring and security on way through this project. So please bear with me.)
So after spending quite a good amount of time and getting some help from keycloak user list here is how i got it to work.
Use Spring Security instead of spring boost security adapter (as I have already mentioned in the the edit, boot adapter is only for basic authentication)
There documentation does a decent job of explaining out everything else refer to that.
I am still testing the whole thing and will document it out for future references.