Where do I define a valid set of usernames and passwords for authentication using RAML?
Here is the RAML code I use.
You don't: RAML is an API definition language, what you're talking about is the security configuration of your application.
Try this:
    securitySchemes:
      - basic:
          type: Basic Authentication
https://github.com/mulesoft/api-console/blob/master/dist/examples/simple.raml
You ideally should not.
Try using other security schemes for authorizations and authentications.
Pretty simple question, spent a lot of time searching around.
Spring Boot 1.4.x application, with Spring Security, tried to use Keycloak for user management / authentication / authorisation, all works fantastic!
How do I avoid redirecting to Keycloak login form?
How do I implement my own authentication workflow based on username-password input?
I see that I can ask for access-token and refresh-token, but should I implement all that token magic myself or is there some famous library people use?
Any GitHub or examples would help. Thanks!
You might have a look into the Resource Owner Password Credentials grant. It boils down to setting "Direct Access Grants Enabled" for your Keycloak client and implementing the login logic yourself.
But please, PLEASE make sure to read this first: https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications
You could also use some OpenID Connect libraries and get the data you need for the endpoints from the .well-known endpoint of your realm.
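An added example, not part of the answers above: reading a realm's discovery document and checking it before trusting the endpoints it lists. The issuer URL and the sample document are constructed, and the function names are hypothetical; the document is embedded rather than fetched.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a realm's discovery document (not from a real server).
BASE = "https://sso.example.test/realms/demo"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """OIDC Discovery: the document is at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def load_endpoints(expected_issuer, raw_json):
    """Return the endpoints a client needs, or raise ValueError if the
    document cannot be trusted for expected_issuer."""
    doc = json.loads(raw_json)
    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    # The issuer in the document must be identical to the one we asked for;
    # otherwise tokens would later be validated against the wrong authority.
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch")
    # Refuse endpoints that would send credentials or codes over plain HTTP.
    for key in REQUIRED:
        parts = urlsplit(doc[key])
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{key} is not an https URL")
    # When the field is omitted, OIDC Discovery defines this default.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    return {
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "jwks_uri": doc["jwks_uri"],
        # True when the server advertises the password (ROPC) grant at all.
        "password_grant_advertised": "password" in grants,
    }
```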
I want to invoke REST API from SOA with Basic Authentication.
I did all configurations but it does not work.
How and where to set basic authentication username and password for the REST API?
You need to configure and attach this policy for the endpoint you are calling:
https://docs.oracle.com/middleware/1212/owsm/OWSMS/owsm-predefined-policies.htm#OWSMS5467
Also see:
http://www.ateam-oracle.com/working-with-owsm-policies-part-1-of-some/
Assume we have an authorization server + resource server, also a mobile app. All applications are developed by the same company (e.g. all Google services + official mobile apps).
In my understanding, the mobile app should use the OAuth2 resource owner password credentials flow, am I correct? This is an article that supports my understanding. According to the OAuth2 spec it seems like not the correct approach. So what would be the correct approach? Is it the authorization code grant flow? In that case how should one cope with redirection? (There are ways, but what is the best way of not leaving the app?)
Also I need to use a native login screen in the mobile app where the resource owner needs to type username/password. Could that be done via the authorization code flow? How?
If I am correct about the resource owner credentials flow, how can we implement that in Spring without embedding the client secret in the app?
Below is the required way of getting a token via resource owner password credentials in Spring.
curl -X POST --user 'trusted-client:client-secret' -d 'grant_type=password&username=test&password=123' http://localhost:8080/oauth/token
Here we need to have the client secret in the app (which is not secure), will this approach work? Assume later on we may have a different client, how would a custom authentication provider distinguish those two? Any answer would be great. Thanks.
I have a username and password for Salesforce. I tried using the REST API way, it requires client id, client secret and redirect URL. The client is not willing to share them. Is there any alternative to get the data by just using username and password?
You can use the username & password OAuth flow. Here is an example Java app that does that: https://github.com/jamesward/salesforce-rest-starter
Ask the client to create a public REST service as described here.
https://developer.salesforce.com/forums/?id=906F00000008s2KIAQ
This way it does not require any authentication and anyone can access the service.
I am trying to create the smsession without giving the password. Can I do that by just passing the user id and any other user information of the user but not password and create the smsession?
No. Siteminder uses full credentials to create the smsession.
Raj, You can do that by creating a custom authentication scheme in Java. In code you can always return for authentication so SiteMinder will create a session.
I'm not sure what your overall use case is but the IWA Authentication Scheme will let you perform attribute based authentication. Using the SM SDK, CoreBlox [Note: I work for CoreBlox] has written a Token Service which exposes a RESTful API interface for SiteMinder that allows for this type of integration. You can find out more about it here -- https://www.coreblox.com/products/coreblox-token-service/