WSO2 APIM 3.2 - AccessToken Cache doesn't work when using JWT Access Token - wso2-api-manager

I'm using WSO2 AM 3.2 in a distributed environment (Publisher, DevPortal, KM, Gateway & Traffic Manager on separate VMs).
I did a migration from a 2.6 platform, hence all my migrated applications use Opaque AccessTokens & not JWT ones (which is the new standard).
I noticed the following behavior:
When I invoke the /token API with an Application that has Opaque Tokens, the Gateway cache works perfectly (the gateway invokes /token on the key manager for the first call only & caches it for 15 min).
But when I invoke the /token API with an Application that has JWT Tokens, the Token is never cached, not on the Gateway side nor the Key Manager side, & it causes very big performance problems since the KM always generates & signs a new JWT AccessToken for every call.
Is it a bug in the product or have I missed something?
Thanks

Related

Accessing a .net core REST API from an outlook web addin using microsoft identity platform

I have a .NET Core web REST API (.NET 6.0) which uses the Microsoft identity platform to authenticate and authorize user access from a frontend. That is working fine.
Authentication is configured like this:
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"), subscribeToJwtBearerMiddlewareDiagnosticsEvents: true)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(builder.Configuration.GetSection("MicrosoftDownstreamGraph"))
    .AddInMemoryTokenCaches();
The same API should now be consumed by an Outlook add-in. I obtain an access token using the office.js getAccessToken() function. If I call the API using this token, I receive:
Bearer error="invalid_token", error_description="The audience
'e1c50fba-abcd-4e63-9f54-xxxxxxxxxx' is invalid".
The AzureAD API registration for the add-in has the permission 'access_as_user' for the REST API.
My current guess is that I have to use the on-behalf-of flow and the API needs to exchange the add-in token for a token that is allowed to use the REST API. Is this correct? Is there an easy way using Microsoft.Identity.Web to achieve this?
To my knowledge I should not return the exchanged access token to the add-in. So I would have to cache it inside the REST API and alter the API request transparently such that it includes the correct token (obtained via the OBO flow). How can I achieve this?
The access token that is returned from the call to getAccessToken grants the host Office application (Excel, Word, etc.) access to the add-in; that is, to the add-in's web application. So, the audience of the token is the ID of the add-in in AAD. If the REST APIs were part of the add-in's web app, then that token would work, but if the REST API is a different web app (with its own domain and AAD ID) then you would get the invalid audience error. You can either use the OBO (On Behalf Of) flow or the Auth Code flow to get a token with the REST API's ID as the audience, or redesign things so the add-in's web app and the REST service are the same domain and AAD ID. The web app would be serving up both the pages/scripts for the add-in AND exposing the REST API.

Nginx Plus as API gateway with JWT authorisation

We are trying to get Nginx Plus to work as an API gateway with JWT token authorization.
https://auth0.com/blog/use-nginx-plus-and-auth0-to-authenticate-api-clients/
We are following the below document, but one question is not clear: how will the front end get the JWT token that needs to be passed as -H in every request?
Logically, Nginx should expose one API to generate tokens. How can this be achieved?
Nginx can only validate, not generate JWT. You need to generate the JWT inside your application using the same secret key. See the Nginx blog for an example (Section "Issuing a JWT to API Clients"). In their example, they issue a JWT using shell commands but of course you can also do this with a JWT library of your choice inside your application.

WSO2 API Manager: Can Consumer Key & Consumer Secret be exposed

I am using WSO2 API Manager and the client application is an Angular application. I have an application in the store corresponding to the Angular application in the API Manager store. To get the bearer token, the base64-encoded consumer key and secret of this consumer application has to be passed from Angular.
As of now, I kept it in Angular and it's fine. But I want to know if it's safe.
If I keep this in Angular, anyone can see it if they check the source of the application? Is it desirable?
Here the client key is a public value, but the client secret shouldn't be exposed to the public. For client-side applications, you can use implicit grant type, which will require Client Key only. But this grant type has its own limitations.
Read this for more details.

API Manager JWT microservices JWTInterceptor giving Token has expired

I wanted to set up API Manager generating JWT tokens. We set up IS as key manager. The user will get authorized from IS, and API Manager should generate a JWT and send it to the microservices. I set up a JWTSecurityInterceptor and CustomJWTClaimsInterceptor in the microservices, but when it got the JWT token from API Manager, it has the exp set to a past time and I am always getting the "Token has expired" error. Please help me understand what I am doing wrong.
I followed this doc to setup the JWT generator in AM. https://docs.wso2.com/display/AM200/Passing+Enduser+Attributes+to+the+Backend+Using+JWT
I am using AM 2.0.0 and IS 5.2.0.
Thanks
Ravi Ada

WSO2 Identity Server samlsso service url exposed via WSO2 API Manager

I successfully configured WSO2 API Manager 1.8.0 [e.g. https://wso2am.com:9443] and WSO2 Identity Server 5.0.0 SP1 [IS] acting as Key Manager [e.g. https://wso2is.com:9443] in a clustered setup on 2 different servers.
I also configured a Service Provider in the IS using a SAML SSO Inbound Authenticator and tested it with the travelocity.com sample app.
The sample app builds the SAML request in the right way, but https://wso2am.com:9443/samlsso?SAMLRequest=[base64stuff] returns an HTTP Status 405 - HTTP method GET is not supported by this URL.
Changing the URL to https://wso2is.com:9443/samlsso?SAMLRequest=[base64stuff]
leads to successful authentication.
Basically I want to be redirected to the wso2am login page and not the wso2is login page.
In this way, I could deploy only WSO2AM in the DMZ, leaving WSO2IS in the internal network.
How can I do this?
Thanks
In this scenario I think your authentication request must be directed to the IS server, not APIM. The IS server is the one who does the authentication. Hence it acts as the IDP. APIM is just a service provider (SP). Even if you succeeded (even if it's not the correct behaviour) with sending a SAML request to the https://wso2am.com:9443/samlsso endpoint, it will redirect you to the login page in the IS server. So you have to send the SAML request to the https://wso2is.com:9443/samlsso endpoint for successful authentication & for the correct behavior.