I want to invoke REST API from SOA with Basic Authentication.
I did all configurations but it does not work.
How and where to set basic authentication username and password for the REST API?
You need to configure and attach this policy for the endpoint you are calling:
https://docs.oracle.com/middleware/1212/owsm/OWSMS/owsm-predefined-policies.htm#OWSMS5467
Also see:
http://www.ateam-oracle.com/working-with-owsm-policies-part-1-of-some/
Related
I have been trying to implement 2fa using OTP. Till now i am successful doing it via browser flow using keycloak interface to login. Keycloak provides an API to give the access token after passing username, password & client-secret,
i.e. http://localhost:8080/realms/SpringBootKeycloak/protocol/openid-connect/token
Is there any any external api available to trigger my custom flow of sending OTP and verifying it, if not how can i implement this?
Keycloak doesn't provide any API to verify the OTP.
Keycloak provides an API to give the access token after passing username,
password & client-secret
Most likely you're talking here about Resource owner password credentials grant (Direct Access Grant).
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update. (source).
Unless you have more specific requirements rather than just login and OTP, I'd recommend you to use a regular authorization code flow instead as a default way of authorization. Using this flow you'd be redirected to Keycloak login page and configure OTP to be displayed there without using Keycloak APIs.
If I deploy my service in (cloud run) as no-allow-unauthenticated, I can add a user with cloud run invoker role to secure the API. Then user can login to gcloud and set the token in the authorization header to access the service.
My question here is, can I send the Google authorization token via a different header instead of authorization?
The reason why I am using google token is to protect staging(development) env to only allow access to the dev team. My Spring Boot app doesn't need any protection under google platform as it has its own oAuth mechanism - authorization header is being used by spring boot.
Thanks
After a lot time spent, I decided to configure spring boots to deal with another Authorization header name. I left Authorization for GCP.
My setup is as follows:
Rest APIs (Spring boot)
Front-end application (Angular 8)
Auth Server (Keycloak)
Current scenario:
User enters the username and password in the angular login page.
Angular makes a POST request and gets the access token, refresh token etc. from keycloak server.
In all subsequent request to rest api server(which is bearer only), the access token is passed in
header as "Authorization: Bearer <ACCESS_TOKEN>"
Rest api looks at the role of the user and based on that either returns the desired data or throws a 403 Forbidden exception.
What I want:
To authenticate external users using an api-key and then add rate-limiting to it. For that, i am using Kong API Gateway. For internal or trusted users that login through the angular app, the existing access token flow should work.
Issue:
When using apikey in Kong, it does pass the Kong's authentication but the rest api server still expects an access token and hence get the 401 unauthorized error.
I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using the Kong's key-auth plugin for api-key based security and openid-connect plugin for keycloak based security.
For those who don't have Kong Enterprise, since openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the keycloak based authentication in your rest application.
Is there a simple way to integrate Firebase Authentication with Spring Security (for a REST service)?
From what I've read, I'll probably need to use a JWT token (obtained via Firebase), use that to authenticate the Spring service, and finally verify the token within the service via Firebase. But I can't find any (simple) documentation on using JWT with Spring Security.
I'd also like to be able to provide an /auth/login endpoint that uses Basic Auth rather than JWT so that I can obtain a JWT token via Firebase using email/password credentials. But this would mean enabling Basic Auth at one endpoint in the service and JWT Auth at all others. Not sure that's possible.
Short answer: no.
Long answer: you should create your own JWT, regardless of Firebase. When you receive a JWT from Firebase, verify its integrity. Then, issue your own based on the data in the token. Then you only need to adapt it to various OAuth providers. This way you can avoid round trips to firebase on each request.
For authenticating the user on each request (stateless auth), you add a filter with highest precedence. From the http request you are filtering, get the JWT and verify its integrity. If it's all good, set the authentication in the SecurityContextHolder.
I am writing an android application for an University that uses Shibboleth for authenticating the students.
Since I am making a android native app (not a webview), I would like to programmatically pass the username and password and get back the user credentials of the user. Does Shibboleth have a restful api that I can use.
for ex. CAS has https://wiki.jasig.org/display/CASUM/RESTful+API which would allow me to programmatically send a username and password and get back the ticket credentials. Is there something similar for shibboleth?
Shibboleth does not provide a REST interface, but they do have a non-browser-oriented authentication profile called ECP.
https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP
Shibboleth doesn't have any restful support. However you can still use JAAS + Java plugin + Rest client to do authentication by calling your Restful based authentication system. I had similar implementation