What is the better way of authentication for REST API in Azure - rest

I wanted to make REST calls, and I found there are two ways of authentication.
Method 1. Upload a self-signed SSL certificate and authenticate through the certificate and subscription ID.
Method 2. Use an access token (Bearer ey...) which is obtained by making an OAuth2 call.
Which method is the best way to do this?

You should go with Method 2 for many reasons:
Method 1 is the old way and will only work for authenticating Service Management API requests, whereas Method 2 is the new way and will work for authenticating both Service Management API and Azure Resource Manager API requests.
Azure is moving away from Service Management API and is moving towards Resource Manager API which only supports Method 2. In fact, wherever possible use Resource Manager API instead of Service Management API. Only use Service Management API when there's no Resource Manager API equivalent.
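
An added example of Method 2 in JavaScript (not code from the original post or from Microsoft's SDKs): the OAuth2 client-credentials request to Azure AD, a small cache that re-uses the token until shortly before it expires, and an Azure Resource Manager call carrying it as a Bearer token. It assumes a service principal (tenant ID, client ID, client secret) that holds a role on the subscription and Node 18+ for the global fetch(); every concrete ID, the resource-group API version and the function names are placeholders chosen for the example.

```javascript
// Added example, not code from the original post. It performs Method 2 against the v2.0
// endpoint and then calls Azure Resource Manager. Assumed inputs: a service principal
// (tenant id, client id, client secret) with a role on the subscription, and Node 18+ for
// the global fetch(). Every concrete id below is a placeholder.

const AAD_AUTHORITY = "https://login.microsoftonline.com";
const ARM_BASE = "https://management.azure.com";
// The v2.0 token endpoint takes a scope; for ARM that is the resource URL plus "/.default".
const ARM_SCOPE = "https://management.azure.com/.default";
// Tokens are good for roughly an hour; renew shortly before expiry instead of per request.
const REFRESH_MARGIN_SECONDS = 300;

// OAuth2 client-credentials request: the secret travels in the form body, never in the URL.
function buildTokenRequest(tenantId, clientId, clientSecret) {
  const form = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: ARM_SCOPE,
  });
  return {
    url: `${AAD_AUTHORITY}/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: form.toString(),
    },
  };
}

// Caches the access token until REFRESH_MARGIN_SECONDS before it expires. fetchImpl and
// now are injectable so the caching logic can be exercised offline.
class ArmTokenProvider {
  constructor(creds, { fetchImpl = globalThis.fetch, now = () => Date.now() / 1000 } = {}) {
    this.creds = creds;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.token = null;
    this.expiresAt = 0;
  }

  async getToken() {
    if (this.token !== null && this.now() < this.expiresAt - REFRESH_MARGIN_SECONDS) {
      return this.token;
    }
    const { tenantId, clientId, clientSecret } = this.creds;
    const { url, options } = buildTokenRequest(tenantId, clientId, clientSecret);
    const resp = await this.fetchImpl(url, options);
    if (!resp.ok) throw new Error(`token request failed: HTTP ${resp.status}`);
    const payload = await resp.json();
    if (payload.token_type !== "Bearer") {
      throw new Error(`unexpected token_type ${payload.token_type}`);
    }
    this.token = payload.access_token;
    this.expiresAt = this.now() + Number(payload.expires_in);
    return this.token;
  }
}

// An ARM call: the token goes in the Authorization header, the subscription id in the path.
// api-version is mandatory on every ARM request (2021-04-01 is a Resources API version).
function buildArmRequest(token, subscriptionId, apiVersion = "2021-04-01") {
  const url = `${ARM_BASE}/subscriptions/${encodeURIComponent(subscriptionId)}` +
    `/resourcegroups?api-version=${apiVersion}`;
  return {
    url,
    options: {
      method: "GET",
      headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
    },
  };
}

// Lists the resource-group names in a subscription, reusing the cached token.
async function listResourceGroups(provider, subscriptionId, fetchImpl = globalThis.fetch) {
  const token = await provider.getToken();
  const { url, options } = buildArmRequest(token, subscriptionId);
  const resp = await fetchImpl(url, options);
  if (!resp.ok) throw new Error(`ARM call failed: HTTP ${resp.status}`);
  const body = await resp.json();
  return body.value.map((rg) => rg.name);
}
```

To use it for real, build `new ArmTokenProvider({ tenantId, clientId, clientSecret })` from environment variables and call `listResourceGroups(provider, subscriptionId)`; the provider requests a new token only when the cached one is within the refresh margin of expiry. Keep the client secret out of logs and URLs; it belongs in the POST body only.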

Related

Express JS - REST authentication and authorization

I'm trying to set up authentication & authorization for my Express-based Node.js REST API with Azure AD. I'm not sure if that is possible without 3rd-party libraries like Auth0.
The API will be invoked from both client-side (React, Angular) & server-side (ASP.NET, RPA) applications. I'd appreciate it if you can share some tips on the architecture, examples and where authentication and authorization can be done. I think authentication will happen in the front-end (????).
At the end of the day I need these APIs to be invoked only by authorized applications and users, and I should be able to identify the users invoking these APIs.
You can get your Node.js APIs protected with Azure AD. To achieve this, you can either use MSAL-Node or Passport-Azure-AD libraries. Once these APIs get protected by AAD, any front-end apps or back-end services calling your AAD-protected APIs must fetch an access token from AAD first and then use that access token as a bearer token to call the AAD-protected APIs.
To get you started, you can refer to the following quickstart guides for both the libraries:
Quickstart guide for MSAL-Node: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-nodejs-webapp-msal
Quickstart guide for Passport-Azure-AD: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-nodejs-webapp

Validate oAuth 2 access token in APIGEE without VerifyOAuthTokens policy

We are using Apigee as our Authorization Server (AS) and we have a few Spring RESTful services deployed in the IBM Bluemix public cloud which act as our Resource Server (RS).
Each of the services has an equivalent proxy service configured in Apigee. For the proxy services, we have configured the VerifyOAuthTokens policy to verify the token passed by the user and return an error if an invalid token is passed.
The problem is, since our RS is in the public cloud (no plans or need of moving to a dedicated or private cloud), the API endpoints are open and can be invoked by anyone who knows the URL. Though the expectation is that everyone should call the APIs via the Apigee proxies, we cannot force that since we are in the public cloud and there are no options for opening ports only to traffic coming from Apigee or something similar. We would like to take the following approach to secure the API endpoints.
1. Accept the Authorization header for each call
2. Take the token and call a validate-token service in Apigee
For 2, we are not able to find an Apigee API which can validate an access token, similar to, say, Google's
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
or GitHub's
GET /applications/:client_id/tokens/:access_token
Is there actually an external Apigee service to validate a token?
If not, what would be the best way to make sure that only valid users with valid tokens can access the APIs?
Thanks,
Tatha
Did you look at this post in the Apigee Community: Using third-party OAuth tokens
We did something similar to this but not using OAuth tokens. We used Apigee to do a callout to a third-party IDP (identity provider). The 3rd-party IDP wasn't able to generate tokens but exposed a web service to authenticate the user. If the user was authenticated successfully (based on interpreting the result received back from the target endpoint web service), then you tell Apigee that it was successful by setting the external authorization status to true (step #2 in the link).
NOTE: this has to be done inside an Assign Message policy step PRIOR to the GenerateAccessToken operation. Apigee interprets this as a successful authorization and then can generate a valid OAuth token that the caller can then send along to access the protected API.

How to use Swift REST API with Bluemix Object Store?

I want to write a Java program running externally to Bluemix that interacts with the instance of the Bluemix Object Store I have provisioned.
The program will use the Swift REST APIs to interact with the service.
The documentation for how to use the REST API is mostly missing from the service documentation, and the OpenStack documentation is not helpful with specifics on how to reach the Bluemix service.
Can someone tell me what headers to set and what URL to use to authenticate with the service, and then what headers to set and what URL to use to further interact with the service? Where do I find this information for my instance of the service? It doesn't seem to all be available in the service credentials that are displayed.
Also, do I need to do basic authentication every time a REST call is made, or is there a way to get a token? Where is that explained?
The Bluemix Object Storage uses the OpenStack Identity (Keystone) v3 API for authentication. For complete documentation on the REST API, see: http://developer.openstack.org/api-ref-identity-v3.html
Since your application will be developed in Java, I'd suggest you use the openstack4j SDK. For an example of using openstack4j with the Bluemix object storage service, see: https://developer.ibm.com/recipes/tutorials/connecting-to-ibm-object-storage-for-bluemix-with-java/
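
For readers who want the raw HTTP exchange that openstack4j wraps, here is an added example in JavaScript (not code from the original answer, the SDK, or IBM) of the Keystone v3 flow the answer refers to: one POST to `/v3/auth/tokens` with the credentials, the token returned in the `X-Subject-Token` response header (not the body), the object-store URL read from the token's service catalog, and every later Swift call carrying `X-Auth-Token` instead of a password. The auth URL, user ID, project ID, region and endpoint URLs are placeholders standing in for the values in the instance's service credentials; it assumes Node 18+ for the global fetch().

```javascript
// Added example, not the original answer's or openstack4j's code: the Keystone v3 password
// authentication used by Bluemix Object Storage, followed by a token-authenticated Swift call.
// All URLs, ids and the region are placeholders for values from the service credentials.

// Keystone v3 password auth scoped to a project. Identifying the user by id (rather than
// name) avoids having to send the domain as well.
function buildKeystoneAuthRequest({ authUrl, userId, password, projectId }) {
  const body = {
    auth: {
      identity: { methods: ["password"], password: { user: { id: userId, password } } },
      scope: { project: { id: projectId } },
    },
  };
  return {
    url: `${authUrl}/v3/auth/tokens`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json", Accept: "application/json" },
      body: JSON.stringify(body),
    },
  };
}

// Keystone timestamps carry microseconds ("...00.000000Z"); trim to milliseconds so that
// Date parses them reliably.
function parseKeystoneTime(value) {
  const normalized = value.replace(/\.(\d{3})\d+(Z|[+-]\d{2}:\d{2})$/, ".$1$2");
  const d = new Date(normalized);
  if (Number.isNaN(d.getTime())) throw new Error(`unparseable expires_at ${value}`);
  return d;
}

// The token body carries a service catalog; pick the public object-store endpoint for
// the region the instance lives in.
function findObjectStoreEndpoint(catalog, region) {
  const svc = catalog.find((s) => s.type === "object-store");
  if (!svc) throw new Error("no object-store service in catalog");
  const ep = svc.endpoints.find((e) => e.interface === "public" && e.region === region);
  if (!ep) throw new Error(`no public object-store endpoint for region ${region}`);
  return ep.url;
}

// Performs the exchange. Keystone answers 201 Created and puts the token in a header.
async function authenticate(creds, fetchImpl = globalThis.fetch) {
  const { url, options } = buildKeystoneAuthRequest(creds);
  const resp = await fetchImpl(url, options);
  if (resp.status !== 201) throw new Error(`keystone auth failed: HTTP ${resp.status}`);
  const token = resp.headers.get("X-Subject-Token");
  if (!token) throw new Error("no X-Subject-Token header in response");
  const body = await resp.json();
  return {
    token,
    expiresAt: parseKeystoneTime(body.token.expires_at),
    storageUrl: findObjectStoreEndpoint(body.token.catalog, creds.region),
  };
}

// Later Swift calls send only X-Auth-Token; the password is not sent again until the
// token expires. Object names may contain "/" (pseudo-directories), so encode per segment.
function buildSwiftRequest(session, container, objectName = "") {
  let path = `/${encodeURIComponent(container)}`;
  if (objectName) path += "/" + objectName.split("/").map(encodeURIComponent).join("/");
  return {
    url: `${session.storageUrl}${path}`,
    options: { method: "GET", headers: { "X-Auth-Token": session.token, Accept: "application/json" } },
  };
}

// Re-authenticate a minute before expiry instead of discovering a 401 mid-request.
function sessionIsValid(session, now = () => new Date()) {
  return now().getTime() < session.expiresAt.getTime() - 60_000;
}
```

Usage is `const session = await authenticate({ authUrl, userId, password, projectId, region })`, then `fetch(...buildSwiftRequest(session, "backups"))` for a container listing, re-running `authenticate` when `sessionIsValid(session)` turns false. The Keystone `expires_at` in the response is the authoritative lifetime; do not assume a fixed duration.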

Google Apps Marketplace API customerLicense with OAuth2

We are migrating our Google Apps Marketplace Apps to OAuth2 authentication.
We have figured out some of the differences in the migration process, such as replacing OAuth1 two-legged authentication with the Service Account OAuth2 strategy to impersonate a domain and perform some background tasks.
In our current OAuth1 apps we have some queries to the customerLicense service to check if some domain removed our App from the Marketplace.
I have seen this is not possible to do with OAuth2 at the moment. Is there any service with Service Account OAuth2 that replaces this mechanism to check customerLicense for a specific application?
Since I am using only service account keys I have not found documentation about how to consume this API with this type of credentials. In fact the documentation says only OAuth two-legged keys are able to consume this API.
Can you send me some link where I can read about consuming this API with service account Keys?
Best,
You should be able to use the same API with OAuth2. If there are any issues please let us know.

Accessing Windows Azure Service Management API using Windows Live ID

According to the documentation it only seems possible to authenticate against the Windows Azure Service Management API by attaching a certificate to each request which I have previously uploaded to the management portal.
The new management portal has been built using the Service Management API, but it uses Windows Live authentication. Is it possible to use Windows Live to get the Windows Azure subscription ID and the certificate, so I can use the same authentication mechanism the management portal uses?
What makes you think that the Service Management API uses Live ID for authentication? It is just the portal that uses Live ID for authentication.
If you dig a bit you will notice that all the service requests from the management portal are made against https://manage.windowsazure.com/Service while the base URI for the management service is: https://management.core.windows.net
So, no, you can't authenticate against the Management API with Live ID. Moreover, the Management API is not new. The portal is new. The management API has been there for a while and is updated from time to time to reflect new services that are coming.
UPDATE AFTER THE 2 COMMENTS
Following Gaurav's explanation I will just add a simple architecture diagram (super simplified and totally my own thought, but this is how I would build it in a very minimalistic way):
[User's browser (portal)] ==> Sends XmlHttpRequest (AJAX) to ==> [Portal Service]
then
[Portal service backend] ==> signs request with predefined certificate and sends request to ==> [management.core.windows.net/subscription-id/whatever/service/command]
This actually is a very common practice to provide a UI for a (web) service.
This way both conditions are met:
You use Live ID to authenticate with the portal
The Windows Azure Service Management API is yet, still and only protected by a certificate.