I'm trying to get Strapi running behind a Keycloak Gatekeeper. My problem now is that the Admin UI is broken, because it uses the Authorization header to include a custom JWT. Keycloak Gatekeeper also uses the Authorization header with its own JWT. Is there any way to either a) disable authentication in Strapi so that it doesn't send the Authorization header or b) make strapi use another header for its JWT?
Thanks!
Similar example that was never merged take a look here
Related
If I deploy my service in (cloud run) as no-allow-unauthenticated, I can add a user with cloud run invoker role to secure the API. Then user can login to gcloud and set the token in the authorization header to access the service.
My question here is, can I send the Google authorization token via a different header instead of authorization?
The reason why I am using google token is to protect staging(development) env to only allow access to the dev team. My Spring Boot app doesn't need any protection under google platform as it has its own oAuth mechanism - authorization header is being used by spring boot.
Thanks
After a lot time spent, I decided to configure spring boots to deal with another Authorization header name. I left Authorization for GCP.
Is there way to remove cookie based feature from laravel sanctum and only use Authorization Bearer token way.
As, by default it sets and check through cookie and this feature don't work when API is deployed with different server then front-end.
Yes, it is possible.
\Laravel\Sanctum\Guard goes through config sanctum.guard, default value is web, so you can set this config in your config/sanctum.php file to whatever suits your need.
Eventually, you can change your web middleware group, if your SPA is the only GUI client.
If any of mentioned options is viable or smart is another question, to which I'd reply: "nope, configure your app properly to send and accept security headers and/or cookies with cors settings fitting your needs."
I have separate backend and frontend. However, they run on the same server (this may change in the future). The backend serves as an api and is powered by Laravel. Frontend by Nuxt (Vue).
I wish only my Nuxt application could access the api. How can I configure Laravel to only return data if the request comes from a Nuxt application?
I thought about adding a special token to requests, but the user will be able to check what request is coming out and capture the token. Can anyone give me ideas how this can be solved?
You must be knowing about CORS. So in your Laravel Server, allow requests from only the frontend server's domain like this:
Access-Control-Allow-Origin: https://www.example.com
Simplest solution would be to add serverMiddleware in the nuxt project and route all the requests to the "real" api through it. Clients will hit the internal nuxt api and they will not be able to see the actual request made to the real api. There you can also add the token you are talking about for extra layer of security.
I have a website which is based on a Laravel backend api and a Nuxt.js frontend app.
The laravel app is served at api.website.com. Till now the api was open, meaning everyone can make a get request. There are almost no post requests.
I know need to implement a login mechanism for the users (Usual login+register and facebook login).
My question is about how would I go to make this process secure. Do I need Laravel Passport (or other similar mechanism)?
My thought is that, say I have an endpoint api.website.com/register (POST), I do not want anyone to be able to just make a post request and create an account. I need to have some sort of security like a csrf token. I know I can use CORS but that doesn't really provide much of security in this case.
You can use jwt like this or laravel passport.
I am working through a process of validating the JWT after OKTA Login. I have a SPA Sample SPA Site that handles user login and calling an API.
SPA SITE
User Logins into OKTA
Obtains a JWT
Passes JWT to a .NET Web API (hosted on my own server not at OKTA).
WEB API: This accepts the JWT and needs to validate it.
Per OKTA I need verify the JWT through an Authorization Server. I setup the Authorization Server but I cannot see where the two features (shown on the images) are located on the SPA API or the Auth Server. This includes a URL that is required that follows the format of xxxx.okta.com/AS/{key}
Is there something that has to be enabled that is not enabled in my OKTA Account? I think so but what is it? OKTA support states that everything is enabled and confirmed this is a good code sample (GitHub) to use.
The Image Below should appear after setting up the SPA App. I cannot find this feature under the SPA or under the Auth Server. It does not seem to exist anywhere on OKTA. This is why it seems something is not enabled on my Dev account, or this documentation is outdated?
SPA Code Sample (includes the images below from the PDF) https://github.com/oktadeveloper/okta-oauth-spa-authjs-osw
I see that under the Security menu item -> API.
Also, when I had my app OpenID Connect enabled, I used well-known endpoint:
GET /.well-known/openid-configuration to get "jwks_uri", I used this url to self-verify the JWT token at the API level.
OKTA confirmed the code sample and documentation is out of date. They have no ETA to any updated samples and could not provide any documentation to help. This was via a response on a support ticket. Well already then, time to look at Azure.