Here is the scenario, I've an instance of Oracle Identity Manager (OIM). The instance stores all of my user profiles. Now, I'm writing few REST APIs, which should be authenticated using users present on OIM.
I'm also thinking of using AWS cognito to provide authentication flow. So, my questions are
Q. How can we connect Cognito & OIM?
Q. If no need of Cognito for this scenario, then how can we make use of OIM?
I've recently strated looking into both the tools. So, please spare me for some obvious questions.
I'm from the Cognito team, and Bruce0's suggestion is spot on. If you need to access AWS resources, you would set up a developer authenticated identity provider which could leverage this (or any other identity manager/provider).
Related
I am new to aws and having trouble with cognito login.
Cognito one user pool with many other applications will use the same login function like in lambda.
google or fb able to login with the same user pool.
If the user is not right to access the application, then login process will be failed.
One user will have right to access many applications.
Anyone who can help and please advise me how can i implement this solution?
And login function call from lambda is available for social login too?
I think that the best way to go is create a serverless lambda with all the identity workflows and there handle the multiple applications client. This can be done using the Developer credentials of Cognito. I already use this solution in many projects and have many benefits.
We are currently deploying to AppSync using the serverless-appsync plugin and the serverless-framework (naturally).
Our API is 100% public and unauthenticated. All queries and mutations are basically public, since we have at this point no need for users (via a Cognito pool for example).
We have added a first layer of security using api keys but this is undoubtedly not much, as the api key is included as-is in the frontend sources. We would like to add extra roadblocks to make it harder for malicious users to abuse that frontend API.
A few things come to mind:
rate limiting (not currently supported by AppSync but I've read it's apparently in the works). I do not want to do this using a custom made solution in a Lambda for example.
making sure only traffic from the website is allowed to use our API, in addition to our own devs... I could probably do this with pipeline resolvers but I am not too keen with doing that in that obscure and unwieldy VTL language.
cors, ...
I'm considering switching to Apollo Server since this solution seems more open and configurable...
I would recommend using AppSync's IAM auth option and then use Amazon Cognito Identity Pools to vend temporary AWS credentials to your client applications. Identity pools (as opposed to user pools) vend temporary AWS credentials that assume the access of a role of your choosing. When configuring the identity pool, you can define a role with full access to the AppSync API or you may selectively provide access. From the client applications, you use the temporary credentials to sign the requests to AppSync using SigV4 and AppSync will only allow requests with a valid signature to be executed. The temporary credentials also provide an extra layer of security as even if they are compromised, each credential will only provide access up to the max allowed time.
I'll also add that you can use multiple auth modes at once with an AppSync API. This allows you to protect all fields as mentioned above and then selectively mark specific other fields such that they are authorized via some other mechanism like user pools or OIDC.
Following is the documentation for AWS switch role -
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html
What is the equivalent of this available for Alibaba Cloud ?
The goal is to use something similar in Alibaba cloud so that the credentials obtained from the assumed role can be used to create / access resources in another account based on the permissions given to that role.
The AssumeRole functionality is available in Alibaba Cloud, Details can be accessed on AssumeRole
It could have solutions for cross account access. usually in two scenes
personal account, you could just create one RAM role for him. it could be faster.
company account, you could add different company account in your enterprises. they will be one of the member , then it is ok for cross access.
Getting a bit lost in the diverse documentation endpoints (here, here, to name a few…)
This one is pretty usable for a given account by providing a json key as an environment variable.
The thing is, I just don't see how commands can be run on the behalf of a user authenticated via oauth — practically speaking, where do you specify the oauth user token ?
Thanks for sharing this insight
Best
google-cloud-ruby (which you linked in your question) is designed to provide access via service account credentials, as you noted. For help with "lower-level" access in which you managing your own OAuth tokens, you might consider google-auth-library-ruby. However, if you can use a service account instead of a user account to use the higher-level access provided by google-cloud-ruby, I believe it's probably the best approach, as recommended in Google Cloud Storage Authentication:
Due to the complexity of managing and refreshing access tokens and the security risk when dealing directly with cryptographic applications, we strongly encourage you to use a verified client library.
We are trying to migrate a legacy intranet ASP .NET web app from "Forms" based authentication into a "Windows" based one so that the user doesn't have to enter the credentials again after logging into the PC, we just want to read the current logged-in identity and use that for authenticating and authorizing the user in the application.
Doing windows authentication in ASP .NET is pretty straight forward, what i wanted to check though was how the user's and their groups should be managed within AD or ADAM.
The same user can have rights on multiple environments of the same application like Dev, UAT, LT, Prod etc. so the same domain account needs to be authenticated in multiple environments (different URL). Also, once authenticated into an environment the user might belong to multiple roles which decide what actions are available for the user to perform.
I was looking for some recommendations here in terms of how we set this structure up in AD, we are thinking of creating groups in AD for the different environments like App_Dev, App_UAT, App_Prod etc. and have nested groups within each of them for the different roles in the application like App_Dev\Role1, App_Dev\Role2, App_UAT\Role1 etc. for each of the environments and add the users inside it.
What do you guys think?
You have to rememeber that Authentication and Authorization are two different things. You have combined them in your logic.
For example, your authentication mechanism is AD. So yes, use AD for authentication of credentials and group membership to ensure they can authenticate with a specific instance.
However, you can still use the classic RolesProvider and use a SQL backend to store roles and user to roles assignments per instance within the database. This is easy and uses the built-in feature of ASP.NET without having to go overboard with creating groups in AD. You can do various searches on the web about ASP.NET AD Authentication and SQL Roles Provider. I think ScottGu even has an old article about how to do it.
Lastly, what you have described here is not SSO or Single Sign-On, I'll update your question to reflect this. SSO refers to creating a token that is trusted and shared amongst many applications. It doesn't seem like you need that with the example provided, but if you do, you would be investigating ADFS and the Windows Identity Foundation (WIF). Just because you use AD does NOT mean you have SSO, it simply means you have a single Authentication Provider, but you still don't have a token based system that actually only requires an initial Authentication and Authorization request to a central authentication service, usually ADFS.