Token introspection considering token as not active - keycloak

I have Keycloak 4.0.0 installed on two Debian stretch machines. Those are configured in standalone clustered mode.
Both share a MySQL cluster database instance and a load balancer is doing HA.
I have code which needs to validate tokens against the introspection endpoint, but it's not working half of the time.
This is actually because the load balancer is doing its job, and consequently it is easy to reproduce:
ask for a token on /auth/realms//protocol/openid-connect/token on server 1
call the introspection endpoint /auth/realms//protocol/openid-connect/token/introspect on server 2 to check the access token provided by server 1
If I call the introspection endpoint on server 1 I get the JSON response I expect, but on server 2 I just get active: false.
This is quite strange because sessions are replicated in the admin interface under "show sessions".
Any ideas?
Thanks!
Rémi

I was facing the same issue.
For the introspect API, try setting the Host header.
For example: when hitting the /protocol/openid-connect/token API, pass the header "host: foo".
Now when hitting the /protocol/openid-connect/token/introspect API, set the header "host: foo" as well.
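An added diagnostic example, not code from either post above: it models the behaviour behind the Host-header fix. A Keycloak access token carries an "iss" claim built from the host the token request arrived on, and an introspection call is answered against the issuer derived from its own request host, so a mismatch yields {"active": false}. The realm name, host names and the stand-in issue/introspect functions are constructed for the example; a real Keycloak node also verifies the signature and expiry, which this model leaves out.

```python
import base64
import json

# Constructed realm name for the example (the original post elides the realm).
REALM = "demo"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issuer_url(scheme: str, host: str, realm: str) -> str:
    # Keycloak 4.x realm issuer shape: <scheme>://<host>/auth/realms/<realm>
    return f"{scheme}://{host}/auth/realms/{realm}"


def unsigned_claims(token: str) -> dict:
    # Diagnostic decode only: reads the payload without checking the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def issue_token(host: str, subject: str, scheme: str = "https") -> str:
    # Constructed stand-in for the /token endpoint on a node that saw `host`
    # as its Host header. Only "iss" matters here, so the signature segment
    # is left empty (alg "none"); never accept such tokens in real code.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({
        "iss": issuer_url(scheme, host, REALM),
        "sub": subject,
    }).encode())
    return f"{header}.{payload}."


def introspect(token: str, request_host: str, scheme: str = "https") -> dict:
    # Constructed stand-in for /token/introspect on a node that sees
    # `request_host` as its Host header: the issuer comparison alone.
    expected = issuer_url(scheme, request_host, REALM)
    claims = unsigned_claims(token)
    if claims.get("iss") != expected:
        return {"active": False}
    return {"active": True, "sub": claims["sub"], "iss": claims["iss"]}


def diagnose(token: str, request_host: str, scheme: str = "https") -> str:
    # One-line hint for an operator comparing the two issuer URLs.
    iss = unsigned_claims(token).get("iss")
    expected = issuer_url(scheme, request_host, REALM)
    if iss == expected:
        return f"ok: issuer {iss} matches the introspection host"
    return (f"mismatch: token iss={iss!r} but introspection sees {expected!r}; "
            "send a Host header matching the token issuer")


if __name__ == "__main__":
    tok = issue_token("kc1.example.internal", "alice")
    print(introspect(tok, "kc2.example.internal"))  # node 2, no matching Host header
    print(introspect(tok, "kc1.example.internal"))  # node 2 with Host: kc1.example.internal
    print(diagnose(tok, "kc2.example.internal"))
```

Running the block shows the second node answering {"active": false} until the introspection request carries the same host the token was issued under, which is exactly what the Host-header workaround achieves.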


Close proxy API access
Hi community,
Grafana 8.2.5
We have a Grafana system 8.2.5. It had a security audit, where the API access was criticized.
We have enabled anonymous access for users without login.
[auth.anonymous]
enabled = true
org_name = IT.NRW
org_role = Viewer
When I try to access the Grafana like:
curl http://<fqdn>:3000/api/datasources -> {"message":"Permission denied"}
curl http://admin:<password>#<fqdn>:3000/api/datasources -> a valid json object with the datasource etc....
But the security audit also found access to the datasource proxy API:
curl http://<fqdn>:3000/api/datasources/proxy/3/query?db=<db>\&q=SELECT+*+FROM+<ts>\&epoch=ms
So I can ALWAYS query the API, with or without credentials.
Security audit: a Denial of Service (DoS) is possible, maybe some SQL injection.
I don't want to discuss this topic here.
I have to close the access through the API. At least from other network segments.
Any hints?
Thanks in advance.
I'm a grafana beginner!
I do not complain; the security audit listed the two topics (DoS/SQL injection).
I didn't find any configuration possibilities (grafana.ini) for closing the proxy API interface (only data_source_whitelisting).
So, I added some rules into the NGINX config in front of the Grafana server to
forbid the proxy API access -> throw a 40x error.
Now the web UI is no longer able to fetch and render the data in the UI.
My conclusion:
the Grafana architecture defines that the proxy API is used by the web UI.
with or without credentials: a user can fire a query (DoS) using the proxy API
with or without credentials: the query is passed through the proxy API to the datasource, so potential SQL injection is possible

Identity Server 4 API JWT, Load Balancing, Data Protection, Kubernetes

Running into issues with multiple instances of IdentityServer4 on Kubernetes exposed by the load balancer. I don't think there is an issue with credential login; my issues are around JWT tokens. It works fine when there is only 1 instance.
Overview:
IdentityServer4
MongoDB Data Storage
PersistedGrantStore
Data Protection setup on Redis
Multiple .NET Core 3.1 Web APIs, using AddIdentityServerAuthentication in startup, passing in the connection and the API name. I am running multiple instances of the API; reducing down to 1, I still get the same issue. It works fine if there is only 1 instance of the Identity Server, but with multiple instances I get the following error on the API:
"Bearer" was not authenticated. Failure message: "IDX10501: Signature validation failed. Unable to match key:
I am not getting any errors or failed authentications on the IdentityServer logs.
So the question going on in my head is: with a JWT token, I believe the request should be validated by the token itself, i.e. the API should not be requesting info from the Identity Server? Identity Server has Data Protection set up running on Redis as its store, and I can see it has dropped info in there. I have a persisted grant store, but tokens are not added.
Do I need to switch to resource vs JWT? What is likely overhead for that?
Are the tokens not getting shared between the API instances via Data Protection?
Thanks for any advice / suggestions.
In case anyone else comes across this: it was down to mistakenly leaving the developer signing credential in the config of Identity Server. Replacing it with a certificate solved the issue.
builder.AddDeveloperSigningCredential();
to
builder.AddSigningCredential(rsaCertificate);
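An added example, not code from the post above or from IdentityServer4, that models the failure the accepted fix removes. Each instance started with a developer signing credential generates its own key (and so its own "kid"), so an API that fetched the key set from one instance cannot match the "kid" of a token signed by another; a credential shared by every instance (the certificate in the fix) makes every token match. The block uses HMAC from the standard library as a stand-in for the RSA keys IdentityServer actually uses, so the "key set" the API trusts holds secrets here rather than public keys; the class names, the `scenario` helper and the subject are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


class SigningKey:
    """Constructed stand-in for a signing credential: a key id plus key material."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or secrets.token_bytes(32)
        # Derive a kid from the key so distinct keys get distinct ids.
        self.kid = hashlib.sha256(self.secret).hexdigest()[:16]


class IdentityServerInstance:
    """Constructed model of one IdentityServer pod behind the load balancer."""

    def __init__(self, key: SigningKey):
        # AddDeveloperSigningCredential ~ a fresh SigningKey() per instance;
        # AddSigningCredential(cert) ~ the same SigningKey object in every instance.
        self.key = key

    def key_set(self) -> Dict[str, bytes]:
        # What the API learns about this instance's signing keys, indexed by kid
        # (in real IdentityServer this is the public JWKS; HMAC secrets stand in here).
        return {self.key.kid: self.key.secret}

    def issue(self, subject: str) -> str:
        header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": self.key.kid}).encode())
        payload = b64url_encode(json.dumps({"sub": subject}).encode())
        signing_input = f"{header}.{payload}".encode()
        sig = hmac.new(self.key.secret, signing_input, hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url_encode(sig)}"


def validate(token: str, trusted_keys: Dict[str, bytes]) -> dict:
    # Models the API's bearer validation: look the "kid" up in the cached key set
    # first, then check the signature. A missing kid is the "Unable to match key" case.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    kid = header.get("kid")
    if kid not in trusted_keys:
        raise KeyError(f"unable to match key: kid={kid!r}")
    expected = hmac.new(trusted_keys[kid], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature invalid")
    return json.loads(b64url_decode(payload_b64))


def scenario(shared_credential: bool) -> List[bool]:
    # Two instances; the API discovers keys once, from whichever instance the
    # load balancer happened to route that request to (instance 0 here).
    if shared_credential:
        cert_key = SigningKey()
        instances = [IdentityServerInstance(cert_key), IdentityServerInstance(cert_key)]
    else:
        instances = [IdentityServerInstance(SigningKey()), IdentityServerInstance(SigningKey())]
    api_trusted_keys = instances[0].key_set()
    results = []
    for inst in instances:
        try:
            validate(inst.issue("alice"), api_trusted_keys)
            results.append(True)
        except (KeyError, ValueError):
            results.append(False)
    return results


if __name__ == "__main__":
    print("developer credential per instance:", scenario(shared_credential=False))
    print("shared certificate credential:    ", scenario(shared_credential=True))
```

With per-instance keys, only tokens from the instance the API happened to fetch keys from validate; with one shared credential, tokens from every instance validate, which is why the behaviour in the post looked intermittent and disappeared once a certificate was configured.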

Metaflow: "Missing authentication token" when accessing the metadata/metaflow service URL in the browser

I'm currently experimenting with Metaflow. I followed the documentation and was able to deploy an AWS setup with the given CloudFormation template.
My question is why is it that I'm always getting a:
message: "Missing Authentication Token"
when I access METAFLOW_SERVICE_URL in the browser, even if I made sure that the APIBasicAuth was set to false during the creation of cloudformation?
Shouldn’t this setting make the metadata/metaflow service accessible without the authentication/api key?
How can I resolve this? Or is this expected? That is, I cannot really view the metadata/metaflow service url via browser?
Thanks in advance
This was resolved under this github issue.
You still need to set the x-api-key header if you are trying to access the service URL via the browser. To get the API key you can go to the AWS console:
API Gateway -> API Keys -> show API key
Alternatively you can use the Metaflow client in the SageMaker notebook, which should be automatically set up for you via the template.
Also worth mentioning that there are two sets of endpoints: the one provided by the API Gateway (which you seem to be hitting) and the one provided by the service itself. The API Gateway forwards the requests to the service endpoints but needs the x-api-key to be set in the header. You can probably try hitting the service endpoints directly since you disabled auth.

NiFi: Accessing the REST API of a kerberized NiFi cluster

I want to use the REST API (but I don't want to use the curl command; I mean I want to use the InvokeHTTP processor for making POST commands to delete queue flowfiles and start/stop processors). I used an Authorization Bearer token like this:
eyJhbGciOiJIUzI1LiJ9.eyJzdWIiOiJzLLRraGlsYWlzaHZpbGlAQ1JBLSdLIiwiaXLzIjoiS2VyYmVyb3LQcm92aWRlciIsImL1ZCI6IStlcmJlcm9zUHJvdmlSZXIiLCJwcmVmZXJyZWRLdXLlcm5hbWUiOiJzLLRraGlsYWlzaHZpbGlAQ1JBLSdLIiwia2lSIjo1LCJleHAiOjE1MDQwMzA2LTQsImlhdCI6MTUwMzS4LzQ1LH0.VxxpvLQbGm3H475g1yScvg5B89WSws3lZUwBrUM4OvE
I have added the authorization attribute in InvokeHTTP and added a link like this: https://server ip/nifi-api/access/token. After this I have added another InvokeHTTP with a POST command and a URL like this: https://server ip/nifi-api/flowfile-queues/{id}/drop-requests (p.s. I want to clear the queue of flowfiles), but the first InvokeHTTP shows me exceptions like this: Socket timeout exception. There are several subjects I am interested in:
Is it possible that my user doesn't have access to the bearer token and that's why the socket timeout happens? If so, how can I check this?
If I have secured NiFi, is it possible to use the InvokeHTTP processor without an SSL context service to fulfill this access/token operation?
Do you have any better idea for using the REST API without a bearer token, except using the SSL context service?
Socket timeout is a physical error not linked to auth.
When auth is activated for NiFi then you must use an SSL context to access nifi-api.
No. If auth is activated on the server side then the client has to pass it.

spring cloud consul discovery acl for catalog services

I have ACL on for Consul, and have tried many ways to specify the token to use for service discovery. The config ACL token works fine, and the discovery ACL token works for registration (I can see my services in the Consul UI). I see the code for AgentConsulClient.agentServiceRegister() supports the token with this:
UrlParameters tokenParam = token != null ? new SingleUrlParameters("token", token) : null;
Nothing similar is supported in CatalogConsulClient, as far as I can tell. When called from Spring Cloud's ConsulDiscoveryClient, no token is passed, regardless of how it is set. Logs show the call being made without the token, and getting back a valid response with none of the registered services listed. I don't see how to have ACL on for registration but off for discovery. What am I missing? Is nobody actually using ACL with discovery? (It works fine in the development environment with no ACL.) Do I need to edit the source to add the token support from the agent service to the catalog service? Has anybody had success doing that?
BTW, could not tag this with spring-cloud-consul. Add it if you can.
ACL support for Consul catalog services is in consul-api v1.1.11 and will be (I hope) part of spring-cloud-consul 1.0.3.RELEASE. The 1.0.2.RELEASE version still uses consul-api-1.1.10. Update: confirmed to be in Camden.SR3.
Gradle:
'com.ecwid.consul:consul-api:1.1.11',
'org.springframework.cloud:spring-cloud-consul-dependencies:1.0.3.RELEASE'