I have a Grails 3 application where authentication is done by Siteminder. After the user is authenticated we should be able to generate a JWT token, and using that, other REST API calls can be protected.
I have used RequestHeaderAuthenticationFilter to authenticate the request header. Can anyone help in integrating a JWT token in this scenario?
Thanks in advance
I achieved it by using a custom token generator which is called after the request header authentication, and saved the token in the HTTP response header. I created a custom REST token validation filter to validate the token in API calls.
Related
I have an API HTTP gateway (at say https://example.com) integrated with an API REST gateway which uses a Cognito authorizer. All of this is to serve a single-page React application. The behaviour is as expected:
I launch the Cognito hosted UI and sign in,
It redirects to the URL https://example.com/#id_token=123
If I use Postman, I can access that URL if I pass that id_token in the Authorization header.
Now my question is: how can I pass the header automatically after signing in so I can visit https://example.com?
I have spent a long time on this and have found many similar posts without an answer:
How to use the code returned from Cognito to get AWS credentials?
How can I link cognito token and API authentication header automatically?
AWS Cognito hosted UI returning id_token in URL
How can I make the redirect_uri of AWS Cognito (Hosted UI) authenticated?
Set Authorization header when redirecting client from Cognito to AWS API Gateway
How do I handle a Cognito auth redirect for a Lambda / API Gateway for UI?
We faced the same question a couple of years ago. Our solution was creating a proxy (using API Gateway and Lambda) that "moved" the id_token (stored in a cookie) to the Authorization header for every request to the server. It was ugly, but it worked.
BTW, getting id_token in the URL is how Implicit Grant works. But Implicit Grant is generally considered less secure than Authorization Code Grant. We have since migrated from Implicit Grant to Authorization Code Grant. However, we continue to use the proxy pattern (again using API Gateway and Lambda) as follows.
Exchange the returned code for access_token and id_token at the Cognito user pool's token endpoint. Store the tokens in a DynamoDB table with session_cookie as the partition key. Return the session_cookie as a cookie (with HttpOnly, Secure and SameSite=Strict) to the browser.
For each request from the browser, use the cookie to find the token in the DynamoDB table and put the token in the Authorization header.
Question
I got a problem with understanding some basic thing about auth0, probably someone can help me out.
In the tutorial SPA + API one of the first lines in the TL;DR is this:
Both the SPA and the API must be configured in the Auth0 Dashboard
I don't understand why I need to configure the API on Auth0. My code seems to work, so can anyone help me understand if I am doing something wrong, or what the advantages are if I actually add a custom API in my dashboard?
Setup
SPA (React)
Auth0
REST API (ktor)
What I do
Created a SPA on Auth0
Login on my SPA through Auth0 to get a JWT (Google token)
Sending the JWT as authentication bearer in my calls to the REST API
REST API verifies the JWT token with a JWK provider using the Auth0 url mydomain.eu.auth0.com/.well-known/jwks.json.
Authentication seems to work
Great question. I am assuming that your authentication request includes the audience parameter which represents your custom API (REST API) right now. In OAuth2 terms, it is called a Resource Server. Each resource server can have many permissions which you include in the scope when initiating the authentication request. Let's step back and talk about the token format. Auth0 issues tokens in two formats:
Opaque strings: When not using a custom API
JSON Web Tokens (JWTs): When using a custom API
https://auth0.com/docs/tokens/reference/access-token/access-token-formats#how-does-all-this-affect-the-token-format-
As explained in the link above, the token format depends on the audience (Custom API) parameter. Therefore, when the authentication request includes audience, Auth0 issues a JWT token with all necessary permissions. Then, you need to validate the JWT token in your API server before returning the resources to your front end client.
It should make sense why you need to create a custom API in Auth0 and define permissions. If you do not create a custom API in Auth0, there is no way to know what kind of permission you need in the token, which will generate an error (invalid audience specified).
I am using a custom grant on IdentityServer3 to allow for Windows Authentication to flow through from WinForm and WPF apps. I based my code on the WindowsAuthentication plugin for IdSrv.
What I'm trying to figure out is how I can get the custom grant flow to return the id token. I'm already getting the access token and the refresh token.
I'm looking for the id token, so I can log the user out once they are done using the applications.
Thanks
-marc
The token endpoint will only give you an id_token when exchanging the authorization code obtained by using an AuthorizationCode flow client through the OpenID Connect Authorize endpoint. More info in the spec here: http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
I am using Laravel 5.1.
I want to make login using a REST API. I have searched about Sentry, but there is no documentation for Laravel 5. I don't know if it will work with Laravel 5. I just want to know what is the best way to log in to my Laravel application using REST?
Laravel is a good choice for REST API development.
Even I am using it for REST API development.
For login I am using a session field from the database which acts as a token for validating the user accessing the API.
So, if the request has the session token and it matches the token from the database, then it is a valid request.
This approach is taken by me for validating requests to my API, and on every login I am resetting the token.
How to create the token
The token should be able to identify the user, i.e. which user is sending the token. For that I am creating the token by hashing userID + salt (a random and very long string).
How it works
A user who is able to access the API sends login credentials; if the credentials are valid I am creating a token for the user, storing the token in the database with the user whose credentials were provided, and sending the token value to the user as the response. Next time I am validating each request with the access token.
Recommendation
Instead of Laravel you can also consider using Lumen (a micro-framework by Laravel) for developing a REST API.
For detailed information about REST and REST authentication:
How to do authentication with a REST API right? (Browser + Native clients)
What exactly is RESTful programming?
What is REST? Slightly confused
RESTful Authentication
I'm logging my users in using SOAP in my app. But then I want to use Analytics API, which is REST. But I don't want them to enter their credentials all over again.
Is there a way that I can use my already obtained SOAP sessionId as the token for REST API?
When I tried to do that, I got an authentication error back from the REST call. Did I miss something or is it just not possible?
Yes, it's possible. Just use the SOAP session Id in the same place you'd use an access token you'd gotten via OAuth, by adding an Authorization: Bearer {sessionId} HTTP header to your REST API requests.