How to Validate Auth Token from Request Header - spring

I have 2 servers. 1st is SAP Hybris. 2nd is Middleware server.
Middleware Server will receive API call from Hybris and then it will execute and process the request.
Now I want to make this API Call secure with OAuth 2.0 such that any server having valid token can only call middleware server through API.
I have created user in "OAuth Client" in Hybris.When any request come with access token,I need to validate whether the token is valid or not.
Can anyone guide me in configuring this OAuth mechanisam in Middleware (Spring Boot)?
Note: The OAuth token is generated by Hybris.

You need to create client tokens from middleware, not hybris. If you will call hybris API, your middleware need hybris OAuth client tokens.

Related

Bearer Token for REST API in SpringBoot without Authentication

I have a simple REST API which is a GET service and doesn't require any user login to consume, but I want to protect it using Bearer Token, when I research on this in internet it's been showed that I need to implement bearer token only after user logs in and authenticated. Is there a way in springboot where I can generate a token for my API and give it to client and client calls my API with that and the program validates the same and provides response?
You have the OAuth2TokenGenerator available in Spring Authorization Server.

Can AWS LAMBDA Web API authenticate by middleware if you send jwt token in the header

I have a .net core 3.1 web api authenticated by jwt in the middle ware pipline.Works fine. I converted the web api to a lambda web api by adding a aws Lambda entry class and published into aws with an API Gateway in front
All the endpoints without Authorization attribute worked fine.
All the endpoints with Authorization attribute gets 401.
All request has a jwt Authorization Bearer token header
One endpoint without Authorization attribute reponses with all the headers converted to a string.From that i can see the request's jwt is getting thru to the endpoint.
1.Why isnt the endpoint giving me 401 even tho there is a token?
2.Does AWS lambda or the API getway not pass the header direstly?
3.Do I need to configure the api geteway to send the header to the lamdbda endpoint?
4.Can Lambda authenticate by pipline like a normal web api?
Another solution was to use authorization Lambda with the API GETWAY.
If I use authorization Lambda does that mean my end point wont need the authorization attriibutes any more because it done in the getway?
JWT is generated and authenticated by Firebase.
It works I finally figured the reason. Its so awesome you can have Web api as a Lambda in aws. I can now spend less money in AWS.

How can I use Laravel Sanctum in a distributed system?

I need to use Laravel Sanctum in a distributed system, for this case, I have 3 participants:
The user
The API server
The authentication server
The authentication server is only for generate and validate tokens, the API must make the authentication by calling to the authentication server and sending the token in the authorization header of the request. This token it's sent by the user when calling the API (the user had to make a request for a token to the authentication server before)
I want to use Laravel 8 in the API server and also, I want to use Laravel 8 in the authentication server, I know that I can use Laravel Sanctum to handle the API authentication, but it has to be in the same server that the API is in, the middleware auth:sanctum works by searching the token in the same database that the API is in, but now I need that the middleware search the token in the authentication server who has another Laravel with another database, how can I do that? Do I need to do it manually?

Using Kong API Gateway key-auth plugin with keycloak protected rest apis

My setup is as follows:
Rest APIs (Spring boot)
Front-end application (Angular 8)
Auth Server (Keycloak)
Current scenario:
User enters the username and password in the angular login page.
Angular makes a POST request and gets the access token, refresh token etc. from keycloak server.
In all subsequent request to rest api server(which is bearer only), the access token is passed in
header as "Authorization: Bearer <ACCESS_TOKEN>"
Rest api looks at the role of the user and based on that either returns the desired data or throws a 403 Forbidden exception.
What I want:
To authenticate external users using an api-key and then add rate-limiting to it. For that, i am using Kong API Gateway. For internal or trusted users that login through the angular app, the existing access token flow should work.
Issue:
When using apikey in Kong, it does pass the Kong's authentication but the rest api server still expects an access token and hence get the 401 unauthorized error.
I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using the Kong's key-auth plugin for api-key based security and openid-connect plugin for keycloak based security.
For those who don't have Kong Enterprise, since openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the keycloak based authentication in your rest application.

How do I implement oauth2 with kong api gateway?

I want to implement an api gateway for a bunch of micro services running on laravel. In front of the gateway there is an angular client where the user has to login with the username and password. The idea is that the user sends the request with the credentials to the gateway which forwards it to the authentication service. If the data is correct, a token will be issued, which will be included in every further request.
I think I will implement the gateway with kong and the oauth2 plugin. I have already looked at their documentation https://docs.konghq.com/hub/kong-inc/oauth2/#resource-owner-password-credentials but I don't really understand the flow.
Does the angular client have to communicate directly with the authentication service on the first request? And if so, does the authentication service need an own url? I think it would make more sense if all the request would go through the gateway, wouldn't it?
Thank you!
From what I understood, your angular app can send username:password to kong gateway and that will proxy the request to your authentication service. You can verify if the user is legit in your auth service.
1) if legit, then make a request to /oauth2/token endpoint provided by kong's oauth2 plugin. Kong will return your auth service an access_token which you can return back to the user
2) If not legit then throw an error.
Does the angular client have to communicate directly with the authentication service on the first request?
Only if your auth service is a third party service you can do that.

Resources