Securing a Rest-API integrated in Custom policy in Azure AD b2c issue - rest

I have a rest api which is being called by Azure AD B2C(through technical profile in Custom policy).
I need to secure the API. But as it is being called by Azure BEFORE authentication (basically it only needs to check whether the email already exists in the database or not in the sign-in flow), it doesn't have an Authorize attribute.
I have the ClientCertificate AuthenticationType configured in the custom policy for this REST API in the metadata of the technical profile, following this document:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api
So basically my metadata looks like this:
<Metadata>
  <Item Key="ServiceUrl">https://your-account.azurewebsites.net/api/GetProfile?code=your-code</Item>
  <Item Key="SendClaimsIn">Body</Item>
  <Item Key="AuthenticationType">ClientCertificate</Item>
  <Item Key="AllowInsecureAuthInProduction">false</Item>
</Metadata>
<CryptographicKeys>
  <Key Id="ClientCertificate" StorageReferenceId="B2C_1A_RestApiClientCertificate" />
</CryptographicKeys>
But when I call the REST API from the browser, it is still accessible.
I am not sure if I missed something, but isn't this process supposed to secure your API so only Azure can call it?

The REST API needs to be mutually authenticated with the client certificate. The client certificate configured in the custom policy also needs to be validated on the REST API side.
You can secure back-end services using client certificate authentication in Azure API Management, or you can configure client certificate authentication in the code.
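The "validate it in the code" option, as an added example that is not from the question, the answer or the linked Microsoft document. It assumes the API from the ServiceUrl runs on Azure App Service with incoming client certificates enabled, so the TLS front end forwards the caller's certificate as base64 DER in the X-ARR-ClientCert header; the API pins the certificate's thumbprint (SHA-1 over the DER bytes, which needs no certificate parser) and refuses any request, such as a browser opening the URL, that did not present the policy's certificate. The DER bytes and the thumbprint below are constructed stand-ins, not the real B2C_1A_RestApiClientCertificate.

```python
import base64
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the DER bytes of B2C_1A_RestApiClientCertificate;
# a real deployment pins the thumbprint of the actual certificate instead.
SAMPLE_DER = b"constructed-stand-in-for-DER-certificate-bytes"
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")
# X.509 thumbprint = SHA-1 over the DER encoding (uppercase hex, no colons).
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
ALLOWED_THUMBPRINTS = {SAMPLE_THUMBPRINT}

def thumbprint_from_header(header_value):
    """Thumbprint of the base64 DER cert App Service forwards in
    X-ARR-ClientCert, or None when the header is absent or malformed."""
    if not header_value:
        return None
    try:
        der = base64.b64decode(header_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return hashlib.sha1(der).hexdigest().upper() if der else None

def is_trusted_client(header_value, allowed=ALLOWED_THUMBPRINTS):
    """True only if the forwarded certificate matches a pinned thumbprint."""
    thumbprint = thumbprint_from_header(header_value)
    if thumbprint is None:
        return False
    return any(hmac.compare_digest(thumbprint, a) for a in allowed)

class GetProfileHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the API behind ServiceUrl."""
    def do_POST(self):
        # A browser hitting the URL directly presents no certificate -> 403.
        if not is_trusted_client(self.headers.get("X-ARR-ClientCert")):
            self.send_error(403, "client certificate required")
            return
        length = int(self.headers.get("Content-Length", 0))
        _claims = self.rfile.read(length)  # B2C claims (SendClaimsIn=Body)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"email_exists": false}')

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), GetProfileHandler).serve_forever()
```

Pinning the thumbprint means the check still fails closed if the header is absent, empty or not valid base64, and rotating the policy's certificate means updating ALLOWED_THUMBPRINTS.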

Related

WSO2 Apim validate JWT token

I have a SPA (Angular) application that connects users with Azure AD B2C. The application then obtains a JWT. The application (SPA) must then consume APIs behind WSO2 APIM. I want to have the JWT validated by WSO2 APIM.
SPA --> AZUREADB2C
SPA <-- AZUREADB2C (JWT)
SPA --> APIM (Validate JWT) --> Backend API
Should I create a custom key manager in APIM, or is there another setting?
You should be able to use the JWT Bearer Grant[1] for this purpose.
Basically, you will have to add Azure AD as an IdP in APIM and configure a service provider. Then you can obtain a token from APIM after validating your JWT and use that to access the APIs.
[1] - https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/jwt-grant/#jwt-grant
WSO2 API Manager provides two ways to cater to this requirement.
If you want to validate the token directly generated from Azure AD:
It needs to be configured as a key manager from the Admin portal. WSO2 API Manager does not have out-of-the-box support to configure Azure AD as a key manager. (It supports WSO2 IS, KeyCloak, PingFederate, Okta and Auth0 OOTB).
You can write a custom key manager implementation and deploy it in API Manager to cater to this requirement. The steps to write a custom key manager are explained here.
User authentication with token exchange approach
WSO2 API Manager supports the OAuth 2.0 Token Exchange grant type (from APIM 4.1.0 onwards) to exchange JWT tokens generated by external authorization servers for an APIM token.
For this, you need to add Azure AD as a Key Manager as mentioned in this doc and exchange the JWT token generated by Azure AD for an APIM token. This method requires some modification in the SPA.

Granting service accounts access to AzureDevOps

I'm wondering what the correct way is to grant service accounts access to Azure DevOps. Ex: access to source code, APIs, etc.
Since "Basic Authentication" was deactivated, I've been using personal access tokens, but it seems awkward to log in using a service account, generate the PAT, and so on. Also, since they are limited in time, we have to ensure renewal schedules/reminders for each connection.
Am I on the wrong track? Is there a more "natural" way to do it? Is SSH better suited for this?
I've found this guide, which helps, but I can't find how (for example) to grant a third-party application access to a project's repository.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
PS: Service Connections and Service Hooks are not what I'm looking for.
What you are looking for is probably the OAuth 2.0 Client Credentials Flow for Azure DevOps. Unfortunately, the Client Credentials Flow is not yet supported on Azure DevOps. See this thread: Client Credentials Flow for Azure DevOps.
But you can check out the OAuth 2.0 auth code flow, which is now supported on Azure DevOps. Please check out this detailed tutorial: Authorize access to REST APIs with OAuth 2.0. This is an example of implementing the OAuth 2.0 auth code flow.
There are also code samples provided in the web link you mentioned in the question. You can check out these samples to learn their authentication mechanism and choose the one that suits you most.

How to use Certificate Authentication with the REST connector in Azure Data Factory?

I'd like to use some of the more advanced features of the REST Dataset in Azure Data Factory (mainly pagination), but I can't see where to use Certificate Authentication. I have an HTTP Dataset working well with Certificate Authentication, but the only options seem to be:
Anonymous
Basic
AAD Service Principal
Managed Identity
Is there some way to use the AAD Service Principal or Managed Identity with a certificate? Maybe I can do this using the Advanced settings?
The docs say that the HTTP connector is "less functional comparing to REST connector" but this seems to be a pretty big omission from the REST version.
Is there some way to use the AAD Service Principal or Managed Identity with a certificate? Maybe I can do this using the Advanced settings?
SP and MI can't be used for certificate authentication; they are for AAD instead. Please refer to this simple blog.
Based on the REST connector document, it only supports the above 4 authentication options. If you want to carry a certificate with the request, please use the HTTP connector.

How can I delete API as active subscriptions?

I am trying to test WSO2 to see if I can turn my SOAP into a REST API. I followed the tutorial in the YouTube video called "Creating a REST API with a SOAP Back end with WSO2 API Manager". First I gave a full working WSDL link, tested it and got the information that my WSDL is valid. But in the API definition I couldn't see all my POST operations. I continued to follow the video anyway and subscribed my work. But I couldn't work on or delete my work on the store because I keep getting the "How can I delete API as active subscriptions?" error. How can I delete my API from active subscriptions?
Update:
The content of the WSDL is saved as a resource in the /system/governance/apimgt/applicationdata/wsdls registry location. API artifacts have a dependency on this resource. Its original service address is reset to the API Gateway's address to prevent direct calls to the service endpoint. The registry permalink of the WSDL resource is shown in the API Store and users can download and create a service out of it.
How can I download and create a service myself?
Update:
In the API Subscribe section below, under the POST, I get this information. Why can't the XML be generated?
<?xml version="1.0" encoding="UTF-8"?>
<!-- XML example cannot be generated -->

What is the better way of authentication for REST API in Azure

I wanted to make REST calls, and I found there are two ways of authentication.
Method 1. Upload a self-signed SSL certificate and authenticate through the certificate and subscription ID.
Method 2. Use an access token (Bearer ey...) obtained from making an OAuth2 call.
Which method is the best way to do it?
You should go with Method 2 for many reasons:
Method 1 is the old way and will only work for authenticating Service Management API requests, whereas Method 2 is the new way and will work for authenticating both Service Management API and Azure Resource Manager API requests.
Azure is moving away from Service Management API and is moving towards Resource Manager API which only supports Method 2. In fact, wherever possible use Resource Manager API instead of Service Management API. Only use Service Management API when there's no Resource Manager API equivalent.