Apigee shared flow to validate token - apigee

I am using Apigee as gateway to our application. Several applications will hit Apigee and Apigee will in-turn route the request to backend servers. Every incoming request will have a JWT token.
I want Apigee to pass that token to a auth server and auth server will validate if the token is valid or not.
If token is invalid(if auth server return any status other then 200) , I want Apigee to return 403 error as response to request else pass the request to backend server.
How can I implement this kind of shared flow? Is it even possible with Apigee ? Is there any better way to achieve this?

You can do that.
Create a shared flow for Authentication/Authorization which includes ServiceCallout policy which will make a call to auth server.
Based on result for Unauthorized/Bad request you can raise a fault response with help of RaiseFault.
If the response is OK it will proceed smooth to backend.
Sample shared flow.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlowBundle revision="1" name="Auth">
<Policies>
<Policy>AssignVariableJwks</Policy> <!-- Assign Input values if needed via AssignMessage policy -->
<Policy>RequestAuthServer</Policy> <!-- Extrnal auth server call using ServiceCallout policy -->
<Policy>TokenNotFoundValidation</Policy> <!-- Validate response and raise fault if needed using RaiseFault policy -->
</Policies>
<Resources/>
<Spec/>
<subType>SharedFlow</subType>
<SharedFlows>
<SharedFlow>default</SharedFlow>
</SharedFlows>
</SharedFlowBundle>
For above shared flow create & attach required policies with logic and you're good to go.

Related

Forbidden error for Exchange Web Service request with Authorization Code Flow

The Exchange Web Service requests to https://outlook.office365.com/EWS/Exchange.asmx with the access token received by the OAuth 2.0 Authorization Code Flow results to a status code 403 Forbidden.
Steps:
Opening and authorizing the application with https://login.microsoftonline.com/common/oauth2/v2.0/authorize and the parameters:
Name parameter
Value
client_id
5fafd813-xxx
response_type
<redirect uri specified in azure>
respone_mode
query
scope
openid offline_access email https://outlook.office.com/Calendars.ReadWrite https://outlook.office.com/EWS.AccessAsUser.All
After authorization with my personal account, this redirects to the specified redirect uri with a code.
Generate a token via https://login.microsoftonline.com/common/oauth2/v2.0/token with the parameters:
Name parameter
Value
client_id
5fafd813-xxx
response_type
<redirect uri specified in azure>
respone_mode
query
scope
openid offline_access email <outlook url>/Calendars.ReadWrite <outlook url>/EWS.AccessAsUser.All
client_secret
6Mp8Q~4...RD
code
<code from the previous step>
This generates an access token and refresh token
Getting the Calendar Folder Id with a SOAP request by passing the received access token in Authorization: Bearer <access token>:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
xmlns:soap="xxx/soap/envelope/"
xmlns:t="xxx/exchange/services/2006/types"
xmlns:m="xxxx/006/messages">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010_SP2" />
<t:MailboxCulture>en-US</t:MailboxCulture>
<t:TimeZoneContext>
<t:TimeZoneDefinition Id="Eastern Standard Time"/>
</t:TimeZoneContext>
<t:ExchangeImpersonation>
<t:ConnectingSID>
<t:PrimarySmtpAddress>xxx#hotmail.com</t:PrimarySmtpAddress>
</t:ConnectingSID>
</t:ExchangeImpersonation>
</soap:Header>
<soap:Body>
<GetFolder
xmlns="http://schemas.microsoft.com/exchange/services/2006/messages">
<FolderShape>
<t:BaseShape>IdOnly</t:BaseShape>
</FolderShape>
<FolderIds>
<t:DistinguishedFolderId Id="calendar">
</t:DistinguishedFolderId>
</FolderIds>
</GetFolder>
</soap:Body>
</soap:Envelope>
Unfortunately this results to 403 Forbidden
Is the scope of the authorization incorrect ? Is the SOAP request incorrect ?
Notes:
I tested the SOAP request without impersonation that changed nothing
I tested the SOAP request with the Client credentials flow and a private account onmicrosoft that worked correctly

Sabre: GetReservation equivalent to TravelItineraryRead

I'm implementing GetReservation because TravelItineraryRead will soon be deprecated.
When creating a PNR, I get successful responses of GetReservation, but when I try to query the previously created PNR, Sabre WS rejects with "Viewership is restricted for the PNR, caused by [Viewership is restricted for the PNR (Unsupported security check), code: 700102, severity: MODERATE"
I'm connecting to Sabre WS via SOAP, in test endpoint https://sws-tls.cert.sabre.com.
The RQ I'm sending is:
<GetReservationRQ xmlns="http://webservices.sabre.com/pnrbuilder/v1_19" Version="1.19.0">
<Locator>XWYZA</Locator>
<RequestType>Stateless</RequestType>
<ReturnOptions PriceQuoteServiceVersion="3.2.0">
<SubjectAreas>
<SubjectArea>FULL</SubjectArea>
</SubjectAreas>
<ViewName>Full</ViewName>
<ResponseFormat>STL</ResponseFormat>
</ReturnOptions>
</GetReservationRQ>
I've tried with others Views and SubjectAreas, but I always get that response, what am I doing wrong?
The problem was that I needed to send RequestType: Stateful instead of Stateless
<GetReservationRQ xmlns="http://webservices.sabre.com/pnrbuilder/v1_19" Version="1.19.0">
<Locator>KDQPNP</Locator>
<RequestType>Stateful</RequestType>
<ReturnOptions PriceQuoteServiceVersion="3.2.0">
<SubjectAreas>
<SubjectArea>FULL</SubjectArea>
<SubjectArea>PRICE_QUOTE</SubjectArea>
</SubjectAreas>
<ViewName>Full</ViewName>
<ResponseFormat>STL</ResponseFormat>
</ReturnOptions>
</GetReservationRQ>

How to specify Logout Service in the PingFederateSLOURL in mod_pf configuration

We are using PingFederate as Service Provider and are using Opentokenadapter.
We are also using mod_pf apache library provided by PingFederate.
Is there any way we can configure "Logout Service (present in OpenToken Adapter )" in the mod_pf configuration? Is there any query parameter for it just like we have for PartnerIdpId, TargetResource etc?
The Apache Integration Kit's mod_pf.conf refers to the /sp/startSLO.ping application endpoint. In that configuration file is where you will configure various bits for the integration... You can review the /sp/startSLO.ping options as listed here:
https://documentation.pingidentity.com/pingfederate/pf81/index.shtml#concept_spServices.html#concept_spServices
The "Logout Service", as defined in the adapter, is where the browser will be sent to for an SLO that will destroy any current session within the SP Application. By spec, that application must return BACK to PingFederate, so that PingFederate can respond back to the IdP with a success/fail. If you plan to support SLO, then this "service" must exist. It's "goal" will be close the session, and redirect back to PingFederate with a success.

Apache Oltu Linkedin Integration example

I am looking forward to developed the Spring MVC + Apache Oltu + Linkedin integration example. In this example, you need to send Client ID and Client Secret to access the private resource from the Linked in Site.
First Step - we need to create App in Linkedin, follow the steps: http://codeboxr.com/how-to-create-linkedin-app.html
Once App is created, you need to make sure you've given value for the redirect URL.
In the java code I used
setScope("r_network w_share r_basicprofile")
setState("987654321")
When I used the following code:
request= new OAuthBearerClientRequest("https://api.linkedin.com/v1/people/").buildQueryMessage();
I get the following errror. Could anyone please?
Could not access resource: 401 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error>
<status>401</status>
<timestamp>1429554559432</timestamp>
<request-id>QJWNLL5PWX</request-id>
<error-code>0</error-code>
<message>Unknown authentication scheme</message>
</error>
An important thing, I am getting correct details below, but seems accessing private resources:
{"access_token":"SQXZVmVM05AOzDB_DdBm5iaJkrEC8oK-FgE1m1snEZbMcKUODew9I0ZQ6NWc8JtGDxTtEd-yyPul0FtF3-hG4ah6LZ9P4oaSVuhhtybRFmjfsZcJwOs5Lm2IDUGQnjmq5EdT3PVR7Bocq31VBXg0JtkQdImab945oicO_w2j6CjlByp-bWw",
"expires_in":5108376}
It seems that you're successfully obtaining an OAuth 2.0 access token, you'll need to pass access_token in a query parameter when making API calls. That's how OAuth 2.0 authentication is handled (OAuth 1.0 required the access token to be in the header whereas OAuth 2.0 relies on a query parameter).
For example:
GET https://api.linkedin.com/v1/people/~?oauth2_access_token={your-access-token}
Please follow the link, if in case requires more details: https://developer-programs.linkedin.com/forum/unknown-authentication-scheme
If you send token along with the request to access protected resources, then you should be getting the following details.
The corrected code snippet:
request= new OAuthBearerClientRequest
("https://api.linkedin.com/v1/people/~?oauth2_access_token="+oAuthResponse.getAccessToken()).
buildQueryMessage();
In My Example, I am getting the following HTTP 200 OK response, just wanted to show you..
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<person>
<id>LLIyXMKhNI</id>
<first-name>FirstName</first-name>
<last-name>LastName</last-name>
<headline>Spring Developer at Amazon</headline>
<site-standard-profile-request>
<url>https://www.linkedin.com/profile/view?id=154416688&authType=name&authToken=ipNL&trk=api*a4360331*s4423501*</url>
</site-standard-profile-request>
</person>
Hope this will be help you.

Integration Testing of secure Spring Web Service

I am trying to write server side integration tests of my Spring Web Service Endpoint secured using
- Spring WS Security 2.1.2.RELEASE and
- WSS4j 1.6.9.
I am trying to follow Spring documentation http://static.springsource.org/spring-ws/sites/2.0/reference/html/server.html. With the setup that I have got so far, I can send a request payload
<myns:MyRequest xmlns:myns="...">
...
</myns:MyRequest>
using MockWebServiceClient as
mockWebServiceClient.sendRequest(withPayload(requestPayload)).andExpect(clientOrSenderFault());
which the integration test properly maps to the endpoint in the test context and I get a "Could not validate request: No WS-Security header found" error as expected.
Problem: Now the problem here is if I send a request in a SOAP envelope with a security header and body, I would get an endpoint not found exception.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:myns="...">
<soapenv:Header>
...
</soapenv:Header>
<soapenv:Body>
<myns:MyRequest>
...
</myns:MyRequest>
</soapenv:Body>
</soapenv:Envelope>
since it will try to find an endpoint around "{http://schemas.xmlsoap.org/soap/envelope/}Envelope".
Is there a way to work around this problem?
The newer version of Spring WS Test which is 2.1 has two methods added in RequestCreaters: RequestCreators.withSoapEnvelope(Source soapEnvelope) and RequestCreators.withSoapEnvelope(Resource soapEnvelope) which allow sending SOAP envelopes for Integration testing. http://forum.springsource.org/showthread.php?135298-Integration-Testing-of-secure-Spring-Web-Service

Resources