How to request LtpaToken2 from an application hosted on WebSphere - websphere

Can anyone please let me know if it is possible to request a LtpaToken2 from an application hosted on WebSphere?
I have a vb.net client application which is using a REST API hosted on WebSphere. I initially connect to the API with the user name and password using basic authentication. Using the same basic authentication is it possible to request a LtpaToken2 from WebSphere so that I can use it for subsequent requests.

Once you do the authentication using an HTTP Request, you will get the cookies (along with LTPA token) in the response. This is true with a web browser, or with any client application.
The response cookies can be stored on the client side, and send it in the subsequent requests (as part of request headers) to WAS.
While designing this, it will be better you have a common gateway in your Client App through which all the calls to WAS goes.

Related

Can any body answer my question about Oauth2?

I am buiding an app using svelteKit and django rest framework. SvelteKit is responsible for rendering HTML page(SSR) and django rest framework is responsible for providing restful API.
Both App server and browser will fetch my restful API. I want protect my restful api by add Authorization. After reading some documents, I plan to use OAuth2(django-oauth2-tookit) and I draw the following chart:
My auth flow chart
But I was confused by following problems:
I can use Authorization Code grant flow auth APP server, but how about the browser?
Can I separate the auth server and restful server, If so, how auth server protect restful server?
I can use Authorization Code grant flow auth APP server, but how about
the browser?
In fact the authorization code based flow is the one that is suitable & meant for web client. While using this flow server will redirect the intermediate code (oauth code) to the redirect uri passed in the request so client can capture that code and make another request to exchange it with access_token.
Can I separate the auth server and restful server, If so, how auth
server protect restful server?
Blockquote
Yes, you can. The resource server should talk to auth server to get the authentication/token object verified.

How to call a protected resource on behalf of a specific user using OAuth2 and JWT token in Spring?

So we have an authentication server where the UI application gets the access token and then it communicate with API server, it's all good. Now we are building a third application which needs SSO to authenticate the same user and that is fine too.
However, there are scenarios where this third application needs to use some resources on the API server which, from my understanding, we need to get a token from auth server using client-id/secret and then send the request with the access token. This seems ok too, however I am not sure how API server is going to authorise that token (a hint on this would be great).
But the main problem is we want this request to be sent on behalf of the user. This is because API server needs to audit all user's activities. How can we achieve this using Spring Boot/OAuth2 and JWT Token?
I went through documentation and I know about #EnableOauth2Sso #EnableAuthorisationServer etc. but this scenario is not clear and I'm not even sure it's been implemented in Spring or not.
If there is no implementation for this scenario, what do you recommend? Any experience you have had on this, can you please share?
Your API server plays the role of a Resource Server. There is an annotation designed for that purpose: #EnableResourceServer. Your client app then will consume this resource using the handy OAuth2RestTemplate.
There are two approaches to properly configure the Resource Server and get this working:
Have the public key directly in your resource server app: this way when the client app try to use a token provided by the authorization server to get a resource from the Resource Server, this will verify if the token is valid by itself.
Configure the resource server to ask the authorization server if a given access token is valid and depending of the response it will allow or decline to get the resource.
I have posted a sample app on github using the first approach. There you can see the interaction between the Authorization Server, the Client and the Resource Server, as well as all the configurations you need for this implementation. Hope it helps you.

Authenticate MVC clients with Web API Tokens

Currently I have created a WebAPI Project using identity framework and I have setup tokens to be returned when authenticating with the API.
So now I am looking at creating a standalone MVC application that will allow the user to make calls to the WebAPI to get back end data.
The goal is to separate functionality so that other applications can also start interacting with back end data through web calls.
So the confusion now is how do I setup my MVC project so that I can use the Authorize attributes on controllers with the token received from the WebAPI. I think I need to enable bearer tokens in the ConfigureAuth method in Startup.Auth.cs. However will that be sufficient enough? Or do I also need to enable the cookie authentication?
MVC and Web Api are fundamentally different when it comes to authentication. With Web Api, the bearer token has to be set in the header of the request, but this is not an issue as all API requests are done programmatically by the client, i.e. there's human-intervention involved in setting up the client to authenticate the request properly.
MVC is a different beast in that the actions are accessed generally via a web browser, which will not automatically affix a bearer token to the request header. What it will do is pass cookies set by the server back to the server. That's why cookie auth is used most typically for MVC web applications.
What you should do is enable cookie auth for the MVC site and then set up your sign in action to authenticate via the Web Api. When you get back a valid auth from the Web Api, then you can manually sign in the user via the Identity API:
await SignInManager.SignInAsync(user);

How to send a CSRF token at first request for authentication

I have an operational webapp based on JHipster. It is already token based authentification with, in addition, CSRF hack protection.
I wrote a rest (remote) client in pure java.
So it is not an API like angular which send the token.
I need to send it when attempt to authenticate against webapp (hosted at a remote web server).
I don't find any example on how to send it.
When I authentificate against "JHisper" web app (through spring security), I got a MissingCsrfTokenException.
How to do ? thanks

Injecting a webseal HTTP Header in Spring applications manually (JBOSS)

I am running spring applications in a JBOSS server inside a test machine. My application does some calls, for example it requires to access a webseal server which is not available in this machine, so I need to simulate its response by injecting the corresponding webseal http headers. I don't know where to start nor if you need more information to propose a solution.
Depend if your app wanna be a Client for webseal, or wanna be a Backend app for webseal. If your app is a client, only recibe a Cookie with your Session ID. If your app is a Backend for web-seal(you are behind of a junction) you need recibe HTTP Headers "iv-user" and "iv-creds", this example help you to understand iv-creds:
JSP Example - get Header Credentials Webseals

Resources