Groups and Roles in cloudfoundry UAA - cloudfoundry-uaa

In our system we are currently using UAA for user authentication. There is also a need to put in place access control for resources. A resource is defined as a runtime entity created by a user. Access to the resource depends on which group the user belongs to. In order to achieve that I want to create custom groups and roles in UAA and attach privileges to the groups and roles. Is there provision to add custom groups and roles in UAA? If not, how can it be done?

You can always add custom groups with Rest APIs or commands.
Here is the command line example.
- Get the token for an admin client:
    uaac token client get admin -s adminsecret
- Create the group:
    uaac group add custom.group
- Add a user to the group:
    uaac member add custom.group user1
The user1 token will start showing the custom.group in its scope list.
You must of course also add the custom.group entry to the scope of the client you are requesting the token with. If the client does not have it in its scope list, the user1 token returned will not show custom.group in its scope either.
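The scope caveat above, as an added example that is not part of the answer: UAA only issues scopes that are both among the user's group memberships and in the requesting client's scope list, and a resource server then checks the issued scope. Group, client and resource names are constructed.

```python
# Added example, not from the answer above: models how UAA derives a user token's
# scope list and how a resource server would use it. Group, client and resource
# names are constructed for the demo.

def effective_scope(user_groups, client_scopes):
    """UAA issues only the scopes that are both among the user's group
    memberships and in the requesting client's registered scope list."""
    return set(user_groups) & set(client_scopes)


def explain_missing_scope(user_groups, client_scopes, scope):
    """Say why `scope` is absent from a token, for troubleshooting."""
    in_user, in_client = scope in user_groups, scope in client_scopes
    if in_user and in_client:
        return "present"
    if not in_user and not in_client:
        return "user is not a group member and client lacks the scope"
    if not in_user:
        return "user is not a group member: uaac member add <group> <user>"
    return "client lacks the scope: add it to the client's scope list"


# Runtime resources tagged with the group that may access them (constructed).
RESOURCES = {"report-42": "custom.group", "report-43": "finance.group"}


def can_access(token_scope, resource_name):
    """Grant access only when the token carries the resource's owning group."""
    group = RESOURCES.get(resource_name)
    return group is not None and group in token_scope


if __name__ == "__main__":
    user = {"openid", "uaa.user", "custom.group"}
    for client in ({"openid", "custom.group"}, {"openid"}):
        scope = effective_scope(user, client)
        print(sorted(scope), explain_missing_scope(user, client, "custom.group"),
              can_access(scope, "report-42"))
```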

Related

Keycloak role mapping

I have a Spring Boot application secured with Keycloak. Each user in the realm has roles for my resource (client). Roles are configured on the Users tab, for a particular user, under the Role Mapping tab as Client Roles:
I also use integration with LDAP Active Directory, from which all the users come. Now, if I want to add a specific role for an Active Directory (AD) group, I have to go to Active Directory, get all users for the particular group and add the desired role via the Keycloak API in a separate application, which is extremely bad logic.
In a previous version of Keycloak (5.0.1) it had a Script Mapper in JavaScript that could get Active Directory groups and map them into roles for a particular client. In the latest version, 8.0.1, it has no such mapper.
I wonder, is there any mapper or other ability in the latest version of Keycloak to map AD groups to resource roles? So I could say that group_name has role user for client_name, and role user appears in the Keycloak token under the resource_access.client_name.roles list.
You can achieve what you want by following these steps:
Go to "Groups" on the left menu
Select the group
Using the "Role Mappings" tab, choose which client role should be assigned to members of that group.

AWS Cognito authenticate different lambda functions

I've currently implemented a cognito user pool for my app and used it on the api-gateway to secure my functions. Its all working well, but here's my problem. I have 2 lambda functions: CreateEmployee and DeleteEmployee. How can I set that only specific users has access to the DeleteEmployee function?
Add a custom authorizer and, in API Gateway, add it as the authorizer.
Inside the custom authorizer Lambda, add your logic to allow or deny access as per your requirements.
You can use user groups to assign different roles to different groups of users. Create two roles, one with delete access and one without. Now add users to groups as you require.
You can find the details of group based role access here: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

Okta not returning custom claims in tokens

I just signed up for a dev test account with Okta to test OIDC using Okta's auth service and user management.
Using their management portal, I created a second group called Test Group along with the default group of Everyone and added my single user to both groups.
I then added an application called My SPA and assigned the Test Group access to this application.
Using the classic UI, I then edited the OpenID Connect ID Token section and set Group claims type to Expression and added groups as the claim name and getFilteredGroups(app.profile.groupwhitelist, "group.name", 40) as the expression.
I then went and edited the authorization server. I added a claim called 'groups' with a RegEx of *. to be used with any scope, access tokens and always include.
I then use the Token Preview selecting my user and using implicit grant flow but no groups show up.
How do you get a user's groups to show up as claims in the ID or Access Token from an Okta auth server?
Edit
Screen shots of what I have:
I’ve only ever used the Developer Console to configure things. Here’s how I did it:
Navigate to API > Authorization Servers, click the Authorization Servers tab and edit the default one. Click the Claims tab and Add Claim. Name it "groups" or "roles", and include it in the ID Token. Set the value type to "Groups" and set the filter to be a Regex of .*.
You need to add the "groups" scope. In the scope, add "groups" in addition to profile and openid.
I think the Groups here are created in order to park users in respective buckets (e.g. Admins / Users etc.) so that, by knowing the group of a user, the role can be derived for authorization.
However, I would recommend using Okta's Custom Attribute in the users' profile so that the user info can carry the required attribute.
The custom attribute can be set as a dropdown-styled enumeration to choose from and can also be marked as mandatory while adding a user to the system.
https://support.okta.com/help/s/article/How-to-create-dropdown-enumerated-custom-attributes-in-Okta?language=en_US
Adding Custom Attribute - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-add-custom-user-attributes.htm
And Mapping Attributes to Okta Profile -
https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-attribute-mappings.htm
Hope this also helps.

How to use Cognito to Control API Access

We are building a number of microservices using API Gateway + Lambda + DynamoDB. We need to secure these APIs using Cognito, which we are using for user management. We will have a user pool and two groups with a different IAM role attached to each group. The need is that users in one group should not be able to access all services, and the same for the users in the other group.
Any suggestions, how we can implement this?
The issue is ID token generated by Cognito is not validated by API gateway to check what level of access user has. All it checks is if Cognito ID token is valid or not.
You can use API Gateway custom authorizers to validate policies attached to each group.
From AWS Documentation:
You can use groups in a user pool to control permission with Amazon API Gateway. The groups that a user is a member of are included in the ID token provided by a user pool when a user signs in. You can submit those ID tokens with requests to Amazon API Gateway, use a custom authorizer Lambda function to verify the token, and then inspect which groups a user belongs to.
Additional references to implement:
https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
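The custom authorizer approach recommended in this answer and in the CreateEmployee/DeleteEmployee answer above, as an added example that is neither answer's code: a Lambda authorizer that reads the cognito:groups claim from the ID token and returns an Allow or Deny policy for the requested method. The route table, group name "admins" and the /employees paths are constructed assumptions.

```python
import base64
import json

# Added example, not from either answer above. Route table and group names are
# constructed: None means any authenticated pool user may call the route.
ROUTE_GROUPS = {
    ("POST", "/employees"): None,        # CreateEmployee
    ("DELETE", "/employees"): "admins",  # DeleteEmployee: admins group only
}


def parse_method_arn(method_arn):
    """Split arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>
    into (http_method, resource_path)."""
    api_part = method_arn.split(":", 5)[5]
    _api_id, _stage, method, path = api_part.split("/", 3)
    return method, "/" + path


def decide(claims, method_arn):
    """Return 'Allow' or 'Deny' based on the ID token's cognito:groups claim."""
    method, path = parse_method_arn(method_arn)
    if (method, path) not in ROUTE_GROUPS:
        return "Deny"  # unknown route: fail closed
    required = ROUTE_GROUPS[(method, path)]
    if required is None:
        return "Allow"
    return "Allow" if required in claims.get("cognito:groups", []) else "Deny"


def build_policy(principal_id, effect, method_arn):
    """IAM policy in the shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }


def lambda_handler(event, context):
    """Authorizer entry point. Signature, issuer and audience checks against the
    user pool's JWKS are omitted so this runs offline; a real authorizer must
    perform them before trusting any claim."""
    payload = event["authorizationToken"].split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    effect = decide(claims, event["methodArn"])
    return build_policy(claims.get("sub", "unknown"), effect, event["methodArn"])
```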

How do I create a user in AD and Okta?

How do I automatically create a user in Active Directory at the same time as creating the user in Okta? Is there an API/SDK to do this?
You can use the Create User call to create a User in Okta. Additionally, you can add this user to a group.
Upon membership in this specific group which should be configured with AD as the provisioning target, the group members are provisioned in AD (or any other application as per configuration).