Vault supports logging in using a JWT. I have a proxy in front of my Vault instance which manages an OIDC flow and injects a JWT as a bearer token in the Authorization header.
Instead of being presented with the Vault login screen, it would be convenient if Vault could parse the Authorization header and automatically log me in -- is this possible?
I know Vault supports Vault tokens in the Authorization header, but since I access my other dashboards using this JWT, it would be powerful for Vault to also interpret it.
As far as i know: no, not in the usual way with http-header authorization.
Vault would accept the jwt-token from oidc for login if the jwt-token comes as body/payload in json like this:
POST /v1/auth/jwt/login
{"jwt":"YOUR.JWT.TOKEN"}
Like written in vault docs:
curl --request POST \
--data '{"jwt": "YOUR.JWT.TOKEN", "role": "demo"}' \
http://127.0.0.1:8200/v1/auth/jwt/login
As header vault accepts the http-header X-Vault-Token: s.XYZYXr3kuxR4, which is a vault-token and not the oidc-jwt-token
Related
Added a custom claim by navigating to WSO2 v5.11 IS console and navigating to Claims -> Add -> Add Local Claim. as shown below
New User created in WSO2 and profile updated with custom claims as shown below
Invoke published end point from Java client to get the JWT Token from request headers as shown below.
jWTToken = httpRequest.getHeader("X-JWT-Assertion");
JWT Token retrieved successfully from request headers.
After decoding the token we are seeing only default claims not the custom claims.
We are expecting the JWT token should return custom claims along with default claims.
Is there any configuration required in WSO2 5.11.0 to get the custom claims with JWT token?
Environment
WSO2 IS 5.11.0
WSO2 API Manager 4.1.0
Expectation
JWT Token should return custom claims
If you want to add the custom claims to your generated JWT tokens, you need to mark the claims in the service provider configuration as mandatory of the particular application you are using to generate the token.
Refer https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping for more details.
Then you need to add the openid scope when invoking the token endpoint.
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>, Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token
Refer https://apim.docs.wso2.com/en/latest/design/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/ for more details.
Then the custom claim will be added to the token, and will be passed to the generated backend JWT token as well.
I'm running an eks cluster, installed k8s dashboard etc. All works fine, I can login in the UI in
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login
Is there a way for me to pass the token via the url so I won't need a human to do this?
Thanks!
Based on official documentation it is impossible to put your authentication token in URL.
As of release 1.7 Dashboard supports user authentication based on:
Authorization: Bearer <token> header passed in every request to Dashboard. Supported from release 1.6. Has the highest priority. If present, login view will not be shown.
Bearer Token that can be used on Dashboard login view.
Username/password that can be used on Dashboard login view.
Kubeconfig file that can be used on Dashboard login view.
As you can see, only the first option bypasses the Dashboard login view. So, what is Bearer Authentication?
Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources:
You can find more information about Baerer Authentication here.
The question now is how you can include the authentication header in your request. There are many ways to achieve this:
curl command - example:
curl -H "Authorization: Bearer <TOKEN_VALUE>" <https://address-your-dashboard>
Postman application - here is good answer to set up authorization header with screenshots.
reverse proxy - you can be achieve this i.e. by configuring reverse proxy in front of Dashboard. Proxy will be responsible for authentication with identity provider and will pass generated token in request header to Dashboard. Note that Kubernetes API server needs to be configured properly to accept these tokens. You can read more about it here. You should know, that this method is potentially insecure due to Man In The Middle Attack when you are using http.
You can also read very good answers to the question how to sign in kubernetes dashboard.
I trying to use GCS "User Credentials" to connect to Google cloud storage using libcurl library.
"User Credentials" authentication needs Client Id & Secret key to connect to GCS, but in this process Authentication Code also needs to be generated.
I need to generate this Authentication code using cURL.
Can anyone help me ??
The Client ID you mentioned is the same as the Authentication ID and can only be generated from either the Cloud Console's Credentials Page or via the OAuth 2.0 Playground.
If you are trying to generate an Access Token (OAUTH2_TOKEN), you will need to complete an authentication flow to authorize requests as a user. Cloud Storage uses OAuth 2.0 for API authentication and authorization.
Here's what you need to do to get an authorization access token from the OAuth 2.0 Playground:
Select & authorize APIs (Cloud Storage)
Select the scope for the APIs you would like to access or input your own OAuth scopes, e.g.: https://www.googleapis.com/auth/devstorage.read_write
Then click the "Authorize APIs" button
Once you've got the Authorization Code click the "Exchange authorization code for tokens" button, you will get a refresh and an access token which is required to access OAuth protected resources.
Grab the Access Token to use in your cURL command
Then configure your request to Cloud Storage API by constructing your HTTP request like so (upload):
curl -X POST --data-binary #[OBJECT_LOCATION] \
-H "Authorization: Bearer [OAUTH2_TOKEN]" \
-H "Content-Type: [OBJECT_CONTENT_TYPE]" \
"https://www.googleapis.com/upload/storage/v1/b/[BUCKET_NAME]/o?uploadType=media&name=[OBJECT_NAME]"
You can have a look at this Cloud Storage upload example in our public docs to guide you with constructing a request and testing it out.
Hope this helps.
Postgrest APIs can be secured through inbuilt JWT tokens or through a third party service like Auth0, Okta or Keycloak (http://postgrest.org/en/v5.0/install.html)
We want to consume JWT provided by a Keycloak only , but there is very limited document available.
Can anybody guide me how can I secure postgrest apis through keycloak ?
thanks
UPDATE: Simple method with curl examples
Install keycloak, add realm and client
get the keys
curl https://$KEYCLOAK_URL/auth/realms/$REALM/protocol/openid-connect/certs
copy the first element of the keys array and use it in the postgrest configuration for the jwt-secret variable
use .preferred_username as the value of role-claim-key in postgrest configuration
Assuming you 've done the above you can test your installation:
Get token
curl -X POST https://$KEYCLOAK_URL/auth/realms/$REALM/protocol/openid-connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=$USERNAME" \
-d "password=$PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$CLIENT"
Use the access_token element of the reply for your requests to postgrest
curl -H "Authorization: Bearer $ACCESS_TOKEN" $POSTGREST_URL/your_table
There are several ways to do it, I'll just describe one:
Set up keycloak to pass the claims you want in the token. ( Probably you would want a claim of type "role": "username" )
Get the key keycloak is using and pass it in the jwt-secret section of the postgrest configuration
Set up a web server to communicate with keycloak and get the tokens.
Pass the token to the browser
Use the token to access postgrest
Details
In keycloak admin console go to: /#/realms/<realm name>/clients/<client id>/mappers and set the claims you want
In keycloak admin console at #/realms/<realm name>/keys you can get your rsa public key, translate it to jwk format and save it to the postgrest configuration. In order to translate it to jwk
Translate it to pem format by enclosing it in -----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Translate it to jwk format. A nice tool pem-jwk
There are infinite options. A node js example: https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example that uses the keycloak-connect package
You can read the token at req.kauth.grant and place it at a hidden field of the html you send to the browser
From the browser read the token and place it at the authentication header with the bearer prefix. If you use axios:
axios({
method: 'get',
url: 'your url',
headers: { 'authorization': `Bearer ${token}` }
})
Currently in Kubernetes you can make use of the webhook authorization to build a custom authorization endpoint using certificates. In reading the doucmentation it looks like if I wanted to use a bearer token there is no way to use the webhook, I have to use point Kube to a csv file with the --token-auth-file argument.
The downside with that is that requires a restart of the api server to pick up the changes. Is there a dynamic way to use bearer tokens instead?