I set webhook (async call) service bus to call rest API with windows auth.
using admin account.
but request to API comes as anonymous, so it works only if I set Anonymous auth - enabled in API.
is there a bug?
Related
We have a scenario where we have different apps in the backend that needs to do some operation between them. Those apps are registered in the Okta console and have their own workflow. They both allow access to users that authenticate through an access token that they will get through a process the widget on the web. The two services needs to perform operations between them. For example, on one service we need information about products on another service. But it's not a "user" request, it's a service to service.
As far as my understanding goes, we still need to send a request as it would a normal user, so we need a bearer token to authenticate the request.
I cannot find in the docs a way to request an access token on the backend. I only found some libraries that can help providing a callback uri and multiple step process where you need to have a window to pop up to interact to insert your Okta login.
Is there any way to request an access token as an API call? In the backend services we won't have windows to pop up and authenticate?
We tried to use Okta-auth-js but seems to be more "front-end" oriented as most of the methods are "browser-only".
Yes, you need to create OIDC application of type "OAuth service", which will created "client credential" flow app for you. It supports calls to /token endpoint using client_id and client_secret available after the creation of the app in Okta. As a result of your call to /token directly from the backend, you will obtain an access token for machine-to-machine communication (no user context)
My setup is as follows:
Rest APIs (Spring boot)
Front-end application (Angular 8)
Auth Server (Keycloak)
Current scenario:
User enters the username and password in the angular login page.
Angular makes a POST request and gets the access token, refresh token etc. from keycloak server.
In all subsequent request to rest api server(which is bearer only), the access token is passed in
header as "Authorization: Bearer <ACCESS_TOKEN>"
Rest api looks at the role of the user and based on that either returns the desired data or throws a 403 Forbidden exception.
What I want:
To authenticate external users using an api-key and then add rate-limiting to it. For that, i am using Kong API Gateway. For internal or trusted users that login through the angular app, the existing access token flow should work.
Issue:
When using apikey in Kong, it does pass the Kong's authentication but the rest api server still expects an access token and hence get the 401 unauthorized error.
I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using the Kong's key-auth plugin for api-key based security and openid-connect plugin for keycloak based security.
For those who don't have Kong Enterprise, since openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the keycloak based authentication in your rest application.
I want to implement an api gateway for a bunch of micro services running on laravel. In front of the gateway there is an angular client where the user has to login with the username and password. The idea is that the user sends the request with the credentials to the gateway which forwards it to the authentication service. If the data is correct, a token will be issued, which will be included in every further request.
I think I will implement the gateway with kong and the oauth2 plugin. I have already looked at their documentation https://docs.konghq.com/hub/kong-inc/oauth2/#resource-owner-password-credentials but I don't really understand the flow.
Does the angular client have to communicate directly with the authentication service on the first request? And if so, does the authentication service need an own url? I think it would make more sense if all the request would go through the gateway, wouldn't it?
Thank you!
From what I understood, your angular app can send username:password to kong gateway and that will proxy the request to your authentication service. You can verify if the user is legit in your auth service.
1) if legit, then make a request to /oauth2/token endpoint provided by kong's oauth2 plugin. Kong will return your auth service an access_token which you can return back to the user
2) If not legit then throw an error.
Does the angular client have to communicate directly with the authentication service on the first request?
Only if your auth service is a third party service you can do that.
I want to get an API token for a specific user using openshift rest api. I have a web application which can be used by any user in my organization. I want to be able to authenticate the user in my application using an internal oauth service, after authentication, i want to authorize the user to be able to call openshift rest apis.
I have found 2 APIs, /authorize and /token which get called up to generate api tokens which can be sent as Bearer 'Token' in the REST APIs headers. But not able to find a way to call them. I have been facing CORS errors calling these APIs using AJAX request.
https://openshift-master.bruxelles.sodigital.io/oauth/authorize?client_id=openshift-browser-client&response_type=code
This url is internal to my organisation which authenticates the employees if not authenticated, and then displays a token on the web page. I want to be able to get that token.
Currently I have an rails 3 application which uses devise plugin for website authentication. But now I'll be adding an iPhone app as well so I will be exposing the api calls to the client device (iPhone). How would I implement auth module so that iPhone client can authenticate to the rails site and access some api?
Should I be creating a oauth provider, token base auth or simple http auth works?
In this situation, HTTP Basic authentication would work fine. If you'd like it to be more secure, you could create an OAuth provider and create your own implementation of Twitter xAuth to make it more user friendly. Essentially, you'd create an API call that would accept a username and password and then return an OAuth request token for that user. You'd store that request token on the iPhone and use it to authenticate subsequent requests.