WSO2 API Manager and OAuth 1a signature verification - rest

I am trying to integrate with a commerce platform called AppDirect. Every request AppDirect sends to my REST API service will be signed with an OAuth 1a signature. AppDirect does not use OAuth access tokens. Also, AppDirect provides the OAuth consumer key and consumer secret. See - https://docs.appdirect.com/developer/apis/billing-api-guide/oauth-credentials#validating-requests-from-appdirect for details.
I want to use WSO2 API Manager to perform signature verification, but I cannot find a way to enter AppDirect's key and secret into API Manager for signature verification. Is there a way to do this without writing custom code?

Related

WSO2 Apim validate JWT token

I have a SPA (angular) application that connects users with Azure AD B2C. The application then obtains a JWT. The application (SPA) must then consume APIs behind WSO2 APIM. I want to have the JWT validated by Wso2 APIM.
SPA --> AZUREADB2C
SPA <-- AZUREADB2C (JWT)
SPA --> APIM (Validate JWT) --> Backend API
Should I create a custom key manager in APIM? or is there another setting?
You should be able to use the JWT Bearer Grant[1] for this purpose.
Basically, you will have to add Azure AD as an IdP in APIM and configure a service provider. Then you can obtain a token from APIM after validating your JWT and use that to access the APIs.
[1] - https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/jwt-grant/#jwt-grant
WSO2 API Manager provides two ways to cater this requirement.
If you want to validate the token directly generated from Azure AD
It needs to be configured as key manager from Admin portal. WSO2 API Manager does not have out of the box support to configure Azure AD as key manager. (It supports WSO2 IS, KeyCloak, PingFederate, Okta and Auth0 OOTB).
You can write custom key manager implementation and deploy it in API Manager to cater this requirement. The steps to write custom key manager is explained here.
User authentication with token exchange approach
WSO2 API Manager supports OAuth 2.0 Token Exchange grant type (From APIM 4.1.0 onwards) to exchange JWT tokens generated by external Authorization servers for APIM token.
For this, you need to add Azure AD as a Key Manager as mentioned in this doc and exchange the JWT token generated from Azure AD for APIM token. This method requires some modification in the SPA.

How to Configure OAuth2 Authentication for Apache Kafka Cluster using AZURE AD

due to the lack of INTROSPECT_ENDPOINT in azure AD, I am unable to validate the token.
How to validate the Azure Access token in Java?
Usually, the ADAL or the MSAL SDK will take care of it. But, you can still manually validate the access token you get. Here is the official tutorial: Validating tokens.
In summary, there would be 3 steps:
Get the kid in token header, and the tid in token payload.
Get all sign keys from https://login.microsoftonline.com/{tid_here}/discovery/v2.0/keys, and find the key with kid
x5c in the key is the public certificate. You can use it to verify the signature of a token.

OneLogin + SAML + SCIM

I'm integrating a service with OneLogin. In particular, need to implement SAML-P login AND SCIM v2 endpoint in a multi-tiered .NET application, which is using Windows Identity Foundation behind the scenes.
Both SCIM v2 and SAML-P work fine independently, however I'm having issues combining these two in the same SP record OneLogin-side, because of signing options:
It is possible to get OneLogin to sign just SAML assertion in a SAML response. This is what WIF wants to see, and this is what "SAML Test Connector (IdP)" template of OneLogin does.
"SCIM Provisioner with SAML (SCIM v2)" template however signs the whole SAML response, and not just the assertion, and WIF does not like that, complaining about unsigned SAML assertion.
Neither template has a visible option to configure what is signed, that would be similar to what Azure AD SAML configuration has (e.g. https://i.stack.imgur.com/f9kFf.png ).
Is there a way to change SCIM template to sign just the assertion (or response + assertion), similar to what "SAML Test Connector (IdP)" does?

Validate oAuth 2 access token in APIGEE without VerifyOAuthTokens policy

We are using Apigee as our Authorization Server (AS) and we have a few Spring Restful services deployed in IBM Bluemix public cloud which acts as our Resource server (RS).
Each of the services has an equivalent proxy service configured in Apigee. For the proxy services, we have configured the VerifyOAuthTokens policy to verify the token passed by the user and return an error if invalid token is passed
The problem is, since our RS is in the public cloud (no plans or need of moving to a dedicated or private cloud) the api endpoints are open and can be invoked by anyone who knows the url.Though the expectation is everyone should call the apis via APIGEE proxies but we cannot force that since we are in public cloud and there are no options of opening ports coming from apigee or something. We would like to take the following approach to secure the api endpoints.
Accept the Authorization header for each call
Take the token and call a validate token service in Apigee
For 2, We are not able to find an APIGEE api which can validate an access token similar to say googles
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
or Github's
GET /applications/:client_id/tokens/:access_token
Is there actually an external APIGEE service to validate a token?
If not, what would be the best way to make sure that only valid users with valid tokens can access the apis?
Thanks,
Tatha
Did you look at this post in the Apigee Community: Using third-party OAuth tokens
We did something similar to this but not using oauth tokens. We used Apigee to do a callout to a third party IDP (identity provider). The 3rd party IDP wasn't able to generate tokens but exposed a web service to authenticate the user. If the user was authenticated successfully (based on interpreting the result received back from the target endpoint webservice), then you tell Apigee that it was successful by setting the external authorization status to true (step #2 in the link).
NOTE: this has to be done inside an Assign Message Policy step PRIOR to the GenerateAccess token operation. Apigee interprets this as a successful authorization and then can generate a valid oauth token that the caller can then send along to access the protected API.

Request token from ACS with AAD JWT token

I have a native app registered in AAD and I've added it in ACS as identity provider. Now I would like to use the JWT token issued from AAD to request a token from ACS for service bus. I checked out this article: How to: [Request a Token from ACS via the OAuth WRAP Protocol][1]
[1]: https://msdn.microsoft.com/en-us/library/azure/hh674475.aspx#BKMK_1 and it lists three ways of requesting token from ACS: Password, SWT and SAML. I'm wondering if it's supported or there's any example of requesting by using JWT token.
As such ACS capabilities are being moved to Azure active directory and AAD will soon be the one service for all authn/authZ and ACS will be sunset. So you need to follow the process or registering your app in AAD and then how to manually handle the JWT token response on successful authentication of request from the client application. It uses json web token handler.
Refer the sample here. AAD JWT token handler sample
Of course this is a sample with web api and you have to modify as per your application.