Express JS - REST authentication and authorization - rest

I’m trying to setup authentication & authorization for my Express based Node JS, REST API with azure AD. I’m not sure if that is possible without 3rd party libraries like Auth0.
API will be invoked from both client side (react, angular) & server side(asp.net, RPA) applications. I’d appreciate if you can share some tips on the architecture, examples and where authentication and authorization can be done. I think authentication will happen in the front-end(????).
End of the day I need these apis to be invoked only by authorized applications, users and I should be able to identify user’s invoking these apis.

you can get your NodeJS apis protected with Azure AD. To achieve this, you can either use MSAL-Node or Passport-Azure-AD libraries. Once these APIs get protected by AAD, any front-end apps or back-end services calling your AAD protected APIs must fetch an access-token from AAD first and then use that access-token as bearer and call the AAD-protected APIs.
To get you started, you can refer to the following quickstart guides for both the libraries:
Quickstart guide for MSAL-Node: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-nodejs-webapp-msal
Quickstart guide for Passport-Azure-AD: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-nodejs-webapp

Related

Tensorflow Serving authentication

I'm using tensorflow serving version 2.2 on Docker with the client REST on Google Cloud Run, i would like to create some authentication method to improve the security.
How can I implement TF Serving with authentication ? I don't found references.
Cloud Run currently doesn’t have builtin support end-user authentication easily. You can use something like Firebase Auth with Cloud Run to authenticate interactive (browser) users.
However, it seems you have a REST API (headless requests). If you want to built authentication/authorization you pretty much have to build something like OAuth (also explained in the same link above).
If you are trying to just authenticate yourself, you can implement HTTP Basic Authentication (username:password, passed in a header).
You can add a authentication by linux firewall......

Granting service accounts access to AzureDevOps

I'm wondering what is the correct way to grant service accounts access to AzureDevOps. Ex: access to source code, API's, etc.
Since "Basic Authentication" was deactivated, I've been using personal access tokens but it seems awkward to login using a service account, generating the PAT, and so on. Also, since they are limited in time, we have to ensure renewal schedules/reminders for each connexions.
I am on the wrong track? Is there a more "natural" way to do it? Is SSH more adapted for this?
I've found this guide which helps but I can't find how (for example) granting a third-party application access to a project's repository.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
PS: Service Connections and Service Hooks are not what I'm looking for.
What you are looking for probably is OAuth 2.0 Client Credentials Flow for Azure DevOps. Unfortunately Client Credentials Flow is not yet supported on Azure DevOps. See this thread Client Credentials Flow for Azure DevOps.
But, You can check out OAuth 2.0 auth code flow,which is now supported on Azure Devops. Please check out this detailed tutorial Authorize access to REST APIs with OAuth 2.0. This is an example to implement OAuth 2.0 auth code flow.
There are also Codes samples provided in above web link you mentioned in the question. You can checkout these samples to learn their authentication mechanism, and choose one that suits you most.

Apache Nifi: use OAuth 2.0 to Access Google Analytics APIs

I try to use OAuth 2.0 to Access Google APIs (Google Analytics API v4) in Apache Nifi.
I using Service Account basing on this document: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
There is one specific moment if using OAuth 2.0 for Service Account (Google API):
These service-account scenarios require creating and cryptographically signing JSON Web Tokens (JWTs).
The best example of OAuth access will be using NiFi + JWT:
Create a JWT
Request an access token from the Google OAuth 2.0 Authorization Server
Handle the JSON response from Authorization Server
Point 1 (about JWT) is most interesting.
Are there any examples of already implemented flows exactly For Google Analytics?
Thanks
I don't know of any specifically for Google Analytics, but there are plenty of examples of OAuth 1.0/2.0 access using Apache NiFi. In general, you will use the InvokeHTTP processor to perform GET/POST/etc. HTTP operations against the remote endpoint.
Without specifying an issue you are encountering, I would suggest you read these articles:
HCC: Using GetHTTP for Salesforce Integration with OAuth2.0 authentication parameter
OAuth 1.0A with Apache NiFi (Twitter API example)
How to set Twitter OAuth attributes to InvokeHttp processor for fetching twitter user profiles
NiFi OAuth 2.0 Template
Google Vision & Apache NiFi - Making Advanced Computer Vision Feasible

Azure mobile services + thinktecture identityserver v3

I'm trying to figure out how to integrate the identity server with azure mobile services for use from mobile clients. I already have the id server up and working barebones with a test aspnet mvc website using it via the openidconnect middleware.
I haven't found much info on how to do this with mobile services and I'm not exactly sure what the overall flow is as far as what talks to what first. Is it that the mobile client should call the id server directly posting the username password and getting a token and then set that token on the mobile user then, when calls are made to azure mobile service the token is then validated on a back channel from the service to the id server? Or how should it work?
I have already read the custom authentication docs on azure and found some azure team blogs on the subject but it seems like they are already out dated. Is there a way to simply insert the same openidconnect middleware into the azure pipe?
I'm hoping to get this ironed out because I have a number of web+native mobile (Xamarin) projects on the horizon and this would be the identity foundation for all of them.

Google Apps Marketplace API customerLicense with OAuth2

We are migrating our Google Apps Marketplace Apps to OAuth2 authentication.
We have figured out some of difference in migration process such as replace OAuth1 two-legged authentication with Service Account OAuth2 strategy to impersonate domain and perform some background task.
In our current OAuth1 apps we have some queries to customerLicense service to check if some domain removed our App from Marketplace.
I have seen this is not possible to do with OAuth2 by the moment. Is there any Service with Service Account OAuth2 that replace this mechanism to check customerLicense for a specific Application?
Since I am using only service account keys I have not found documentation about how to consume this API with these type of credentials. In fact documentation says only Oaurh two legged keys are able to consume this API.
Can you send me some link where I can read about consuming this API with service account Keys?
Best,
You should be able to use the same API with OAuth2. If there are any issues please let us know.