Provisioning JWKS public keys to spring application from pingfederate - spring-mvc

We have a requirement to integrate our Spring MVC web application with a PingFederate authorization server. The PingFederate server is in a secured intranet domain which the Spring MVC web application can't access.
We are looking into getting the JWKS public keys from PingFederate offline and storing them in the Spring web application for validating the identity token received from PingFederate.
We would like to understand the following:
Best way to make the JWKS public keys from the PingFederate authorization server available to the Spring web app (not sure if PingFederate can post these public keys to an API opened on the Spring web app)
Is there any set default timeline on which PingFederate rotates the keys, if it does rotate them?
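One way to validate the ID token against a JWKS document that was exported from PingFederate out of band, shown here as an added example and not code from the original post or from PingFederate or Spring. It assumes Spring Security 5.x with the Nimbus JOSE+JWT library, a hypothetical file path `/etc/myapp/pingfed-jwks.json`, and placeholder issuer and client id values; replace them with your own. The decoder only accepts RS256 signatures, selects the key by the token's `kid`, and checks `exp`/`nbf`, `iss` and `aud`, which is the minimum an ID token validation must do.

```java
import java.io.File;
import java.util.Collection;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class OfflineJwksConfig {

    // Assumed values (placeholders, not from the original post): the JWKS document exported
    // from PingFederate, the issuer URL PingFederate puts in "iss", and this app's client id.
    private static final String JWKS_PATH = "/etc/myapp/pingfed-jwks.json";
    private static final String ISSUER = "https://pingfed.example.corp";
    private static final String CLIENT_ID = "my-spring-client";

    @Bean
    public JwtDecoder jwtDecoder() throws Exception {
        // Load the exported JWKS. The file may contain several keys with distinct "kid"
        // values, so a rotation can be staged: ship the new key alongside the old one before
        // PingFederate starts signing with it. The selector picks the key whose kid matches
        // the token header; a token signed with an unknown kid fails verification.
        JWKSet jwkSet = JWKSet.load(new File(JWKS_PATH));
        JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(jwkSet);

        // Pin the signature algorithm to RS256. Tokens with "alg":"none", or with HS256
        // using the public key as an HMAC secret, are rejected by the key selector.
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));

        NimbusJwtDecoder decoder = new NimbusJwtDecoder(processor);

        // Claim validation: createDefaultWithIssuer checks exp/nbf (with default clock skew)
        // and iss; the audience validator requires our client id to appear in "aud".
        OAuth2TokenValidator<Jwt> audienceValidator = new JwtClaimValidator<Collection<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(CLIENT_ID));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audienceValidator));
        return decoder;
    }
}
```

Because the key material is static, a rotation on the PingFederate side shows up as a signature failure with a `kid` that is not in the file; treat that as the signal to re-export the JWKS, and keep the previous key in the file until no tokens signed with it are still within their lifetime.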

Related

Service-to-service authentication in Asp.Net via OWIN

I am working on a stateless Service Fabric application that listens to some events and performs some business logic. I am looking at extending this application to expose web APIs. But I am struggling to figure out how to authenticate these web APIs.
In the scenario, the caller of the web APIs is an AAD application which runs as a background/daemon service without any user footprint. I want to pre-authorize this background application to call the web APIs exposed by the Service Fabric application.
Can I get some sample code / documentation that describes such a scenario? I am planning to use OWIN to set up authentication and use a JWT token, but all documentation talks about the user token scenario.

Problem with use WebSocket transport on SignalR ASP.NET WebForms app with Azure SignalR with custom domain

I have a problem with using a custom domain on Azure SignalR Service with my ASP.NET WebForms app containing a SignalR hub.
I configured the custom domain on Azure SignalR Service as in the picture:
(screenshot: Azure SignalR Service custom domain configuration)
When I use a connection string like this:
"Endpoint=https://example_endpoint;AccessKey=example_accesskey;Version=1.0;"
everything works perfectly and I get the WebSocket transport.
But when I try to use the custom domain in the connection string like this:
"Endpoint=https://example_endpoint;AccessKey=example_accesskey;ClientEndpoint=custom_domaint_endpoint;Version=1.0;"
I get the "HTTP Authentication failed; no valid credentials available" error and my transport switches to SSE.
(screenshot: console SignalR client logs)
What should I do on the server or client side to have SignalR communication with the custom domain and the WebSocket transport?

How to use keycloak authentication for ejb remote client with wildfly elytron security?

I have a web application which authenticates on Keycloak and calls EJBs. Security in WildFly is configured with Elytron and the security context is propagated correctly between the web and EJB layers.
Now I have to write a Java client (desktop application) which has to call the same EJBs on the server using WildFly http+remoting.
I suppose I need to configure SASL authentication against Keycloak on WildFly, probably using an OAuth bearer token obtained by the Java client logging in with Keycloak.
I can't find any information about how to configure SASL with Keycloak on WildFly. Does someone have a hint about that?

Enabling access policy in ADFS 4.0 for OpenID Connect clients

AD FS supports the OpenID Connect protocol for authenticating users. AD FS supports access policies for WebAPI applications, but not for server applications, at least not that I could find.
Is it possible to define access policy for a server application? The business scenario is really simple: only allow users from a defined group to authenticate given a specific client id.
If an enterprise deploys AD FS with AD DS and deploys several applications (each one registered separately, thus getting a unique client id and client secret), this could be used to allow/disallow users from authenticating to the ADFS for a given (registered) client (relying party).
It appears that this is possible by defining two applications in the same application group:
The server application, which has a client secret in addition to client id
The WebAPI application, for which you can define an access policy.
In order to make this work, you need to assign the relying party identifier (the client id of the server application) to the WebAPI identifiers and ensure that the "Client permissions" of the WebAPI application contain the server application.
If the access policy is not evaluated successfully, the relying party (the application requesting authentication) will receive an access_denied message.
(screenshots: Application group, Server application, WebAPI application)

Silverlight and ASP.NET AuthenticationService with self-hosted WCF Service?

I have an internal LOB Silverlight client that uses business logic in a self-hosted WCF service (cross domain).
I'm thinking of using ASP.NET AuthenticationService. How would I set this up with my self-hosted WCF service?
Call ASP.NET AuthenticationService from Silverlight to authenticate user? But this would not protect my self-hosted service...
Send username/password in every request from Silverlight and in my self-hosted service call ASP.NET Authentication Services? (Feels a bit backwards?)
Call ASP.NET AuthenticationService from Silverlight to authenticate user, send username/password in every request from Silverlight to allow logging etc, and use some other means to protect my service?
Is there some way to glue this together or is ASP.NET AuthenticationService not meant to be used when having a self-hosted WCF service?
All of the research I've done on the WCF Authentication Service indicates its usage is for same-domain (RIA-like) applications. It sets the HttpContext.Current.User and creates a user session, so you can restrict your other WCF endpoint in some subfolder of the hosting website and control access via the web.config file. In this scenario, you can log the HttpContext user. If you plan to do things cross-domain, I think you'll find you need to use a combination of Transport (HTTPS) and Message security in the WCF binding configuration. This basically means your 2nd bullet point is true and you'll need to set the Username/Pw on the service client credentials (using Windows Auth or forms auth) and allow WCF to send them across the wire with each message...
