Passport JWT Authentication for Hyperledger Composer API - MongoDB

[image: callback for access token]
I am searching for a solution to implement a passport-jwt authentication strategy for the Hyperledger Composer REST API. I have followed this link for setting up Passport authentication: https://www.codementor.io/gangachris125/passport-jwt-authentication-for-hyperledger-composer-rest-server-jqfgkoljn.
Generating the Hyperledger Composer API and creating the composer-rest-server Docker container work, and the APIs are protected; everything seems to be working except the access token generation. How do I retrieve that token?
Also, I created another Node.js application with passport-jwt and MongoDB, with a few users added. I was able to successfully generate a token from that application and protect any Express routes using that token.
But my sticking point is how to generate a token for the composer-rest-server API.
As explained in many articles, I have created a custom JWT strategy and environment variables as follows.
Custom JWT strategy (custom-jwt.js)
const passportJwt = require('passport-jwt');
const util = require('util');

// Wrap passport-jwt's Strategy so the token is always read from the
// "Authorization: Bearer <token>" header, whatever options the REST server passes in.
function CustomJwtStrategy(options, verify) {
  options.jwtFromRequest = passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken();
  passportJwt.Strategy.call(this, options, verify);
}
util.inherits(CustomJwtStrategy, passportJwt.Strategy);

module.exports = {
  Strategy: CustomJwtStrategy
};
Environment variables
COMPOSER_CARD=admin#tutorial-network
COMPOSER_NAMESPACES=never
COMPOSER_AUTHENTICATION=true
COMPOSER_MULTIUSER=true
COMPOSER_PROVIDERS='{
"jwt": {
"provider": "jwt",
"module": "/home/composer/node_modules/custom-jwt.js",
"secretOrKey": "admin",
"authScheme": "saml",
"successRedirect": "/",
"failureRedirect":"/"
}
}'
COMPOSER_DATASOURCES='{
"db": {
"name": "auth",
"connector": "mongodb",
"host": "mongo"
}
}'
[image: composer rest server logs on startup]
Now, where should I generate the token, and how do I retrieve it so that I can capture it and pass it in the headers for the Hyperledger Composer business network APIs?
Please help with details.

You can use the token generated by Node.js. One thing you need to take care of is that the "secretOrKey": "admin" custom key here has to be the same one with which you are generating the token in Node.js.
Make the request as shown in the image, since you are using options.jwtFromRequest = passportJwt.ExtractJwt.fromAuthHeaderAsBearerToken();. It will store the access_token in a cookie. Then you can retrieve it from the cookie for further use.

Related

How to verify jwt access token has required scope

Is there a built-in way in .NET Core 3.1 to verify that the JWT token present in the request has a required scope?
A sample of jwt data I already have from our Identity Server:
{
"user_id": "12345",
"scope": "test1"
}
I have already seen the article:
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore
But this is specific to Azure AD, and it requires that the scope claim is named "scp" instead of "scope".
Yes, you configure the authorization handler by defining various policies to control the access to your API based on the data provided in the access token.
See https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-6.0 for more details.

How to use Workload identity to access ESP in the Google Kubernetes Engine with the Google Cloud .NET SDK?

Background
On the Google Kubernetes Engine we've been using Cloud Endpoints, and the Extensible Service Proxy (v2) for service-to-service authentication.
The services authenticate themselves by including the bearer JWT token in the Authorization header of the HTTP requests.
The identity of the services has been maintained with GCP Service Accounts, and during deployment, the JSON Service Account key is mounted to the container at a predefined location, and that location is set as the value of the GOOGLE_APPLICATION_CREDENTIALS env var.
The services are implemented in C# with ASP.NET Core, and to generate the actual JWT token, we use the Google Cloud SDK (https://github.com/googleapis/google-cloud-dotnet, and https://github.com/googleapis/google-api-dotnet-client), where we call the following method:
var credentials = GoogleCredential.GetApplicationDefault();
If the GOOGLE_APPLICATION_CREDENTIALS is correctly set to the path of the Service Account key, then this returns a ServiceAccountCredential object, on which we can call the GetAccessTokenForRequestAsync() method, which returns the actual JWT token.
var jwtToken = await credentials.GetAccessTokenForRequestAsync("https://other-service.example.com/");
var authHeader = $"Bearer {jwtToken}";
This process has been working correctly without any issues.
The situation is that we are in the process of migrating from using the manually maintained Service Account keys to using Workload Identity instead, and I cannot figure out how to correctly use the Google Cloud SDK to generate the necessary JWT tokens in this case.
The problem
When we enable Workload Identity in the container, and don't mount the Service Account key file, nor set the GOOGLE_APPLICATION_CREDENTIALS env var, then the GoogleCredential.GetApplicationDefault() call returns a ComputeCredential instead of a ServiceAccountCredential.
And if we call the GetAccessTokenForRequestAsync() method, that returns a token which is not in the JWT format.
I checked the implementation, and the token seems to be retrieved from the Metadata server, of which the expected response format seems to be the standard OAuth 2.0 model (represented in this model class):
{
"access_token": "foo",
"id_token": "bar",
"token_type": "Bearer",
...
}
And the GetAccessTokenForRequestAsync() method returns the value of access_token. But as far as I understand, that's not a JWT token, and indeed when I tried using it to authenticate against ESP, it responded with
{
"code": 16,
"message": "JWT validation failed: Bad JWT format: Invalid JSON in header",
..
}
As far as I understand, normally the id_token contains the JWT token, which should be accessible via the IdToken property of the TokenResponse object, which is also accessible via the SDK. I tried accessing it like this:
var jwtToken = ((ComputeCredential)credentials.UnderlyingCredential).Token.IdToken;
But this returns null, so apparently the metadata server does not return anything in the id_token field.
Question
What would be the correct way to get the JWT token with the .NET Google Cloud SDK for accessing ESP, when using Workload Identity in GKE?
To get an IdToken for the attached service account, you can use GoogleCredential.GetApplicationDefault().GetOidcTokenAsync(...).

Unable to login with Keycloak SSO token using Visualize.js

I have a requirement to import reports/dashboards from Jasper Server into our web application, which is secured by Keycloak. I have struggled a bit to integrate Jasper Server v7.1.0 with Keycloak 2.0.0.Final, but I am not able to get a Visualize.js session using Keycloak access tokens.
Both applications are registered under the same Keycloak client, therefore an SSO token is theoretically enough to authenticate to both applications (our app and Jasper Server).
How do we include the token type as bearer in Visualize.js when authenticating?
Something like:
visualize({
  server: "http://localhost:8080/jasperserver-pro/",
  auth: {
    token: keycloak.token,   // Keycloak access token obtained by the web app
    headers: {
      Authorization: "Bearer"
    }
  }
}, function (v) {
  console.log("LOGGED IN ");
}, function (err) {
  console.log(err.message);
});
Use pre-auth mechanism where the service layer should construct a pre-formatted token that should be sent as a part of the header using Visualize.js.
JasperReports Server needs to be configured to support this solution.

Using passport-http on Hyperledger composer REST API

I would like to know if it is possible to use passport-http to secure the REST API of Hyperledger Composer generated with the composer-rest-server and what would be the export COMPOSER_PROVIDERS='{}' configuration.
The idea is to use the identities previously generated and assigned to participants with the composer to authenticate the GET and POST requests on the API.
If it were possible, how would the userID and userSecret be passed, as a special http header, in the body or as a simple basic auth header?
I've not tried, but it should be possible. The Composer REST server uses the open-source Passport authentication middleware; it's a matter of configuration. Multiple Passport strategies can be selected, allowing clients of the REST server to select a preferred authentication mechanism.
The strategy for passport-http is here -> https://github.com/jaredhanson/passport-http
You can try something like:
export COMPOSER_PROVIDERS='{
"basic": {
"provider": "basic",
"module": "passport-http",
"clientID": "REPLACE_WITH_CLIENT_ID",
"clientSecret": "REPLACE_WITH_CLIENT_SECRET",
"authPath": "/auth/local",
"callbackURL": "/auth/local/callback",
"successRedirect": "/",
"failureRedirect": "/login"
}
}'
I assume you know how to configure your passport-http strategy.
Also check out RESTful Node.js Application with passport-http, which has an example (right near the end) of an app consuming the REST endpoints.

Get auth token for accesing Orion FI-LAB instance

I'm trying to make a request to the Orion broker using REST Client, for example an NGSI10 queryContext with a payload like this one:
{
"entities": [
{
"type": "*",
"isPattern": "false",
"id": "Sevilla:01727449"
}
]
}
and I always receive the same result:
Auth-token not found in request header
The Orion Context Broker that I'm using is the FI-WARE Lab context broker, and I want to know how to make an authorized request to this CB using REST Client, if it is possible.
Thanks
The Orion instance at FI-LAB uses OAuth authentication. Thus, you need to include a valid X-Auth-Token HTTP header in your requests to Orion.
Your application should implement OAuth and negotiate a valid token with the security framework. However, for debugging or quick testing you can use the following shell script in order to get a fresh X-Auth-Token:
https://github.com/fgalan/oauth2-example-orion-client/blob/master/token_script.sh
The script will ask you for your FI-LAB user and password.
Please have a look at https://wiki.fi-ware.org/Publish/Subscribe_Broker_-_Orion_Context_Broker_-_User_and_Programmers_Guide#FI-LAB_context_management_platform to get more detail on the Orion FI-LAB deployment.
EDIT: the recently published Orion Quick Start guide also includes an example on how to use the token_script.sh script that can be useful.