I'm trying to use Cognito authorization with calling API Gateway function from Javascript. My setup is Chalice framework for API Gateway/Lambdas and the Cognito Built-In sign-in page.
For the built-in sign-in page I set response_type=token and then I copied the token I got back with id_token and tried pasting it into the Test Authorizer in API Gateway and it returns "Unauthorized request". Should this work?
Related
I'm trying to get the Tenant.Read.All and Tenant.ReadWrite.All scopes when authorizing with the PBI REST API but I can't figure it out. I can get a token using Postman that contains every other scope but the two required for Admin calls to the API. I'm not using a service principal, just signing in when Postman gets a new token.
While making a basic http calls from “Keycloak” to “Azure ADB2C” to retrieve a token as a response from AD B2C.
The current flow looks like this. For a Java web application which is integrated with the ‘Keycloak’ as an identity broker, and from the ‘Keycloak’ we have integrated with ‘Azure AD B2C’ as an identity provider for user authentication and to send the token response back to the keycloak request.
Use case 1: We have integrated a Azure ADB2C signin user flow endpoint in keycloak, which is sending the SignIn requests to b2c and retrieving the token as a response from Azure b2c is fine.
Use case 2: Have a blocker in this use case, While making a basic http header call from ‘Keycloak’ to “Azure AD B2C’, we are seeing an error code in the ‘keycloak’ logs as ‘Invalid_grant’, invalid_secret and ‘Invalid_credentials’ upon different calls passing from keycloak. And upon verifying in Azure ADB2C side, we haven’t found any logs for above request from ‘Keycloak’.
Is there any workaround or any changes has to be made In keycloak to handle a basic http calls to Azure ADB2C?
Thank you!!
For client to client calls, Azure AD B2C supports client_credntial flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
You can send the client_id and client_secret parameters in a Basic Authentication header.
We are using Apigee as our Authorization Server (AS) and we have a few Spring Restful services deployed in IBM Bluemix public cloud which acts as our Resource server (RS).
Each of the services has an equivalent proxy service configured in Apigee. For the proxy services, we have configured the VerifyOAuthTokens policy to verify the token passed by the user and return an error if invalid token is passed
The problem is, since our RS is in the public cloud (no plans or need of moving to a dedicated or private cloud) the api endpoints are open and can be invoked by anyone who knows the url.Though the expectation is everyone should call the apis via APIGEE proxies but we cannot force that since we are in public cloud and there are no options of opening ports coming from apigee or something. We would like to take the following approach to secure the api endpoints.
Accept the Authorization header for each call
Take the token and call a validate token service in Apigee
For 2, We are not able to find an APIGEE api which can validate an access token similar to say googles
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
or Github's
GET /applications/:client_id/tokens/:access_token
Is there actually an external APIGEE service to validate a token?
If not, what would be the best way to make sure that only valid users with valid tokens can access the apis?
Thanks,
Tatha
Did you look at this post in the Apigee Community: Using third-party OAuth tokens
We did something similar to this but not using oauth tokens. We used Apigee to do a callout to a third party IDP (identity provider). The 3rd party IDP wasn't able to generate tokens but exposed a web service to authenticate the user. If the user was authenticated successfully (based on interpreting the result received back from the target endpoint webservice), then you tell Apigee that it was successful by setting the external authorization status to true (step #2 in the link).
NOTE: this has to be done inside an Assign Message Policy step PRIOR to the GenerateAccess token operation. Apigee interprets this as a successful authorization and then can generate a valid oauth token that the caller can then send along to access the protected API.
I have a native app registered in AAD and I've added it in ACS as identity provider. Now I would like to use the JWT token issued from AAD to request a token from ACS for service bus. I checked out this article: How to: [Request a Token from ACS via the OAuth WRAP Protocol][1]
[1]: https://msdn.microsoft.com/en-us/library/azure/hh674475.aspx#BKMK_1 and it lists three ways of requesting token from ACS: Password, SWT and SAML. I'm wondering if it's supported or there's any example of requesting by using JWT token.
As such ACS capabilities are being moved to Azure active directory and AAD will soon be the one service for all authn/authZ and ACS will be sunset. So you need to follow the process or registering your app in AAD and then how to manually handle the JWT token response on successful authentication of request from the client application. It uses json web token handler.
Refer the sample here. AAD JWT token handler sample
Of course this is a sample with web api and you have to modify as per your application.
I'm using next API for getting oauth token:
/oauth/authorize?client_id=openshift-challenging-client&response_type=token.
I get token, but it is not working then I do requests to some Openshift REST urls like /oapi/v1/nemespaces/namespace/routes.
The token work if I add it into oapi/v1/oauthaccesstokens by hands.
How can I do this automatically ?
Version
OpenShift Master:v1.2.0
Kubernetes Master:v1.2.0-36-g4a3f9c5
The token returned from the /oauth/authorize endpoint is created under /oapi/v1/oauthaccesstokens before being returned. Can you provide the request/response where you obtain the token, and where you attempt to use it against the API?