Our OAuth 2.0 server expects the client credentials for the auth-code-to-token exchange to be in a Basic HTTP Auth header, a common strategy detailed in the OAuth 2.0 RFC. Is there a flag that can be set on our account to enable this?
It does not appear we are exposing this setting via the Actions Console, but we do support this for properly configured clients.
I have reached out to the team responsible for Actions Console and will update this answer with instructions once we support this option.
We are also facing similar issue. Our OAuth 2.0 server expects client credentials should be coming in Basic HTTP Auth header, but looks like from the Actions console it is coming as a part of request body. As you have mentioned that provision is there in your infrastructure, so if you can have that provision in Actions console as well to send client credentials in Basic Auth header it would be great !
Related
I'm building a microservice based REST API and a native SPA Web Frontend for an application.
The API should be protected using OAuth2.0 to allow for other clients in the future. It should use the Authorization Code Flow ideally with Proof Key for Code Exchange (PKCE)
As I understand it I need to run my own OAuth Auth Server that's managing the API Clients and generating access tokens, etc.
Also I need my own Authentication/IAM service with it's own fronted for user login and client authorization granting. This service is the place the users login credentials are ultimately checked against a backend. That last part should be flexible and the backend might be an LDAP server in some private cloud deployment.
These components (Auth Server and IAM servicve) are outside of the OAuth scope but appear, correct me if I'm wrong, to be required if I'm running my own API for my own users.
However creating these services myself appears to be more work than I appreciate besides the obvious security risks involved.
I read about auth0 and okta but I'm not sure if they are suited for my use case with the application potentially deployed in private cloud.
I also thought about running Hydra (OAuth Server) and Kratos (IAM) by ory but I'm not sure if this is adding too many dependencys to my project.
Isn't there an easy way to secure an API with OAuth that deals with the Auth Server and the IAM that's good for small projects?!
We are currently evaluating the possibilities of keycloak since we need to replace a custom SSO solution. This requires us to connect to external IDPs which we already connected to.
Currently I am investigating an OpenID-Connect Provider which is authenticating the clients via POST using client_id and client_secret as parameters. Additionally, its API is secured with a basic authentication via the Authorization header. Whilst the first part is no problem, I have not found a solution to overcome the additional basic authentication with the available default configurations (using a user-defined OpenID Connect V1.0 provider). Vice versa, I can overcome the basic authentication, but then will miss the client_id and client_secret parameters which results in an error of the IDP not returning an access token.
Is there a way to resolve this issue? If not via default options, is there an option to add custom IDPs which can be configured in the backend? I saw the SPIs in the developer documentation (https://www.keycloak.org/docs/latest/server_development/#_providers) but I am not sure if one of those suits our needs.
Is there a way to use Basic authentication rather than AWS4-HMAC-SHA256 authentication with the AWS API Gateway Service? I need to support a system that only supports webhook calls with Basic Authentication.
You just need to modify the 401 Unauthorized response template so that it contains the WWW-Authenticate header set to 'Basic'. Apart from that, you'll need to create a custom authorizer that verifies that the provided credentials are correct. You can find more info here
You can configure an API Gateway to support Basic auth, and API Gateway supports integrations with any AWS service.
Setting up Basic auth in API Gateway requires a few steps. Check this post and search down to BobK#AWS response: https://forums.aws.amazon.com/thread.jspa?messageID=799091&tstart=0
Today I have a question about the HTTP Request action of install4j versions 6.1.X. When we do a request against a secured rest endpoint a dialog is displayed to collect the credentials of the user. That work fine for the Basic authentication mechanism. Now we have a scenario to challenge against a kerberos authentication mechanism like it is the standard for single-sign-on system architectures. Is this supported by the HTTP Request action?
No, there is no support for any other authentication mechanisms other than basic authentication.
We're trying to test out WSO2 API manager and having troubles adding some APIs. MailChimp was added easily because MC has not OAuth Credentials itself. But when trying to add Facebook or another API that has it's own API manager it doesn't work and constantly get a 401 Unauthorized. This is becaused both Facebook and WSO2 API Manager need OAuth tokens and obviously you can only send one Authorization header. Any help here?
WSO2 ApiManager 1.0 still does not support (OAuth) secured back-end services out of the box. Hence it is not possible to register facebook, twitter apis via APIM.
Right now, an application is sending and authorization header to the APIM with a key issued by the APIM. Ideally if you send another authorization header, that will be forwarded to facebook api, but at the API Gateway level you need to remove the processed header which belongs to the APIM authorization.
Adding backend services with security will be added as a new feature to APIM future releases.
Regards,
/Nuwan
Can you please explain why you want to use the API manager here? You can directly send your request to Facebook where the request is authorised.