I have build an API using API Platform with the auto-generated OpenAPI docs (SwaggerUI).
I also have endpoints secured for specific user roles (also some properties are secured using ApiResource security.
Now I want to generate OpenAPI docs only for the allowed endpoints and properties based on that role.
Is that even possible? And if so: how?
Related
I have a web site that calls an API. To call the API from the web site I'm getting first a jwt token using GetAccessTokenForUserAsync(scope).
My problem is that this method doesn't retrieve user's roles inside the jwt token.
My user.identity.claims has a few roles but they are not include in the jwt token.
What I'm missing?
I'm to trying to including the roles in the jwt token because I need to secure my api methods. For example, a method can be called only by AdminMember, other method only can be called by SpecialMember.
Is there another way to secure my api without sending my user's roles?
Thanks
Since the roles are defined in your client app's registration, they will only be available in its tokens.
So, there are fundamentally two options:
Define the same roles in the API app registration as well. You will need to assign the roles on that app as well to the users. This could be made easier by using groups for the role assignments.
Change the API to use the same app registration. Now you will get the roles in the access token. Using one app registration can mean violating least privilege since then any permission you want to give to either the API or client app will be given to the other as well.
Depending on your case, you can choose either option :)
We are using WSO2IS as IAM server , roles and Users are managed in WSO2IS. WSO2EI WILL be integration server , exposing private APIs
What would be the right way to implement role based access control using , like some set of APIs only to be accessed by users with specific groups. How can I implement this most simplest way ? Is there a requirement of WSO2AM here ?
Thanks
EI is not the ideal way to exposing private oauth secured APIs. Even though you can achieve it with EI, that would be an excessive effort when integrating.
Use API Manager to expose the APIs to your crowd. Configure Identity Server as the Key Manager (Token Manager) of the APIM server. APIM server knows how to talk to the Identity Server to generate and validate access tokens. So there's no explicit effort to integrate the resource server(APIM Gateway) with the authorization server(IAM).
Share the user store between both the servers. (IS and APIM)
Configure IS as the Key Manager of the API server.
Register your API in the publisher/developer portal.
When publishing, you can define role based access restrictions to your API resources from the Publisher portal. (Roe : Scope mapping)
Once you define, IS will always check your roles upon providing an access token for you.
As you've already defined a role : scope mapping, scopes you request in your token generation request, will only be accepted if you (requester) has the expected roles. Therefore, the scope of your token will only be as good as the roles you've got assigned to yourself. Now, as the API resources you've published require a defined set of scopes, not all the access tokens will be accepted when trying to access the APIs. Only the ones with the expected scopes.
Configure IS-KM with APIM
Role based scopes
We are working on an application that uses firebase for authentication purposes. We implemented the authentication mechanism in our angular application and everything works fine. what we want now is to add custom claims to the JWT tokens generated once the user is authenticated. We know about the Admin SDK here:
https://firebase.google.com/docs/auth/admin/custom-claims
but this requires the addition of a web service. is there a way to configure firebase via the portal to add a default custom claim for all existing users and new users. what we want is to add an "id" field with random GUID. is it possible to use the Admin SDK to configure this behaviour once and for all?
Thanks in advance.
There is no way to add custom claims without using the Admin SDK. This requires that you run a script on a trusted environment, such as your development machine, a server you control, or Cloud Functions for Firebase. The latter is probably your best option if you want to do this regularly, and don't have your own server.
I am using a combination of WSO2 Identity Server as key server and API Manager for API authorisation against roles.
My requirement is to provide Business users a UI where they can add a user, role and that should reflect in the WSO2. I am using the default user store.
How can I programmatically do this? Is there a REST service which I can use?
You can do user management functionalities programmatically using the User Management APIs exposed as SOAP services. These APIs allow you to manage user, user roles and claims etc.
If you cannot use the SOAP services you can use the SCIM API which is a REST endpoint to do operations such as create, delete users. However, this has limited capabilities when compared to the User Management SOAP APIs.
You can use identity server's SCIM REST APIs to add users and roles.
Before using this API, you have to enable SCIM in your userstore configurations in user-mgt.xml.
<Property name="SCIMEnabled">true</Property>
I want to setup custom authentication flow for some applications, registered in Wso2 Api Manager. Say for some applications I want to direct them to federated IDP when they request access token using authorization code or implicit flow. As a key manager I use IdentityServer.
I know that in Identity server I can create Service provider and setup custom authentication scheme for it, e.g. using Federated Authentication. Unfortunetely this service provider can't act as a subscriber for apis in Api Manager. I found an article that describes how to override default auth scheme, but I don't what override defaults.
Is it possible to setup custom IDP only for specific applications and avoid tuning default authentication scheme for oauth flows. The reason here is that I still want to use attached userstores for most of the applications but override that behaviour only for some predefined applications.
WSO2 APIM 3.2.0 onward it supports multiple key managers support. With that, you can create an application binding to a specific key manager you register. You can register a KM from UI and by default, it supports multiple IDPs like okta,oauth0 and WSO2 IS.