I have a .net core 3.1 web api authenticated by jwt in the middle ware pipline.Works fine. I converted the web api to a lambda web api by adding a aws Lambda entry class and published into aws with an API Gateway in front
All the endpoints without Authorization attribute worked fine.
All the endpoints with Authorization attribute gets 401.
All request has a jwt Authorization Bearer token header
One endpoint without Authorization attribute reponses with all the headers converted to a string.From that i can see the request's jwt is getting thru to the endpoint.
1.Why isnt the endpoint giving me 401 even tho there is a token?
2.Does AWS lambda or the API getway not pass the header direstly?
3.Do I need to configure the api geteway to send the header to the lamdbda endpoint?
4.Can Lambda authenticate by pipline like a normal web api?
Another solution was to use authorization Lambda with the API GETWAY.
If I use authorization Lambda does that mean my end point wont need the authorization attriibutes any more because it done in the getway?
JWT is generated and authenticated by Firebase.
It works I finally figured the reason. Its so awesome you can have Web api as a Lambda in aws. I can now spend less money in AWS.
Related
I have a simple REST API which is a GET service and doesn't require any user login to consume, but I want to protect it using Bearer Token, when I research on this in internet it's been showed that I need to implement bearer token only after user logs in and authenticated. Is there a way in springboot where I can generate a token for my API and give it to client and client calls my API with that and the program validates the same and provides response?
You have the OAuth2TokenGenerator available in Spring Authorization Server.
My setup is as follows:
Rest APIs (Spring boot)
Front-end application (Angular 8)
Auth Server (Keycloak)
Current scenario:
User enters the username and password in the angular login page.
Angular makes a POST request and gets the access token, refresh token etc. from keycloak server.
In all subsequent request to rest api server(which is bearer only), the access token is passed in
header as "Authorization: Bearer <ACCESS_TOKEN>"
Rest api looks at the role of the user and based on that either returns the desired data or throws a 403 Forbidden exception.
What I want:
To authenticate external users using an api-key and then add rate-limiting to it. For that, i am using Kong API Gateway. For internal or trusted users that login through the angular app, the existing access token flow should work.
Issue:
When using apikey in Kong, it does pass the Kong's authentication but the rest api server still expects an access token and hence get the 401 unauthorized error.
I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using the Kong's key-auth plugin for api-key based security and openid-connect plugin for keycloak based security.
For those who don't have Kong Enterprise, since openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the keycloak based authentication in your rest application.
I want to implement an api gateway for a bunch of micro services running on laravel. In front of the gateway there is an angular client where the user has to login with the username and password. The idea is that the user sends the request with the credentials to the gateway which forwards it to the authentication service. If the data is correct, a token will be issued, which will be included in every further request.
I think I will implement the gateway with kong and the oauth2 plugin. I have already looked at their documentation https://docs.konghq.com/hub/kong-inc/oauth2/#resource-owner-password-credentials but I don't really understand the flow.
Does the angular client have to communicate directly with the authentication service on the first request? And if so, does the authentication service need an own url? I think it would make more sense if all the request would go through the gateway, wouldn't it?
Thank you!
From what I understood, your angular app can send username:password to kong gateway and that will proxy the request to your authentication service. You can verify if the user is legit in your auth service.
1) if legit, then make a request to /oauth2/token endpoint provided by kong's oauth2 plugin. Kong will return your auth service an access_token which you can return back to the user
2) If not legit then throw an error.
Does the angular client have to communicate directly with the authentication service on the first request?
Only if your auth service is a third party service you can do that.
I have 2 servers. 1st is SAP Hybris. 2nd is Middleware server.
Middleware Server will receive API call from Hybris and then it will execute and process the request.
Now I want to make this API Call secure with OAuth 2.0 such that any server having valid token can only call middleware server through API.
I have created user in "OAuth Client" in Hybris.When any request come with access token,I need to validate whether the token is valid or not.
Can anyone guide me in configuring this OAuth mechanisam in Middleware (Spring Boot)?
Note: The OAuth token is generated by Hybris.
You need to create client tokens from middleware, not hybris. If you will call hybris API, your middleware need hybris OAuth client tokens.
I want to get an API token for a specific user using openshift rest api. I have a web application which can be used by any user in my organization. I want to be able to authenticate the user in my application using an internal oauth service, after authentication, i want to authorize the user to be able to call openshift rest apis.
I have found 2 APIs, /authorize and /token which get called up to generate api tokens which can be sent as Bearer 'Token' in the REST APIs headers. But not able to find a way to call them. I have been facing CORS errors calling these APIs using AJAX request.
https://openshift-master.bruxelles.sodigital.io/oauth/authorize?client_id=openshift-browser-client&response_type=code
This url is internal to my organisation which authenticates the employees if not authenticated, and then displays a token on the web page. I want to be able to get that token.