I work on API Platform as a simple API and it's pretty easy to use!
Because I have other applications which use Keycloak as an OpenID provider, I need to integrate an OAuth2 provider or a Keycloak provider...
I see in the configuration docs there is a key "oauth" where we can specify clientId, secret and other values, but I don't know where this config is used. There isn't a 403 but still a 200 with "enabled: true" on requests...
Maybe I could use this provider https://github.com/stevenmaguire/oauth2-keycloak for Symfony, but I don't understand where I can add it in API Platform.
I'm only a beginner on API Platform and in Symfony too.
If someone could help me... it would be amazing!
Thank you
One question I've had recently about how the JWT middleware in ASP.NET Core works is related to the Authority URL you can set if you want to verify tokens using an identity provider's asymmetric keys (JWKS based presumably). All examples I've seen completely fail to explain what this authority URL should be. Some Auth0 examples say it's just your Auth0 domain, but if that's the case then how does the middleware locate the public key from this base URL? Every provider has a different convention for the endpoint where a JWKS can be found, so how does this work?
My requirement is that I need to use a home-grown identity provider where the JWKS endpoint is totally different from Auth0, Okta, IdentityServer 4 or whatever other providers are using.
Is there some standard discovery mechanism that all these providers use that I'm not aware of? Do I need to have this same discovery mechanism in place in the in-house identity web app for this middleware to work?
Thanks!
Generally, OpenID Connect providers follow the standard and provide a discovery endpoint which includes all necessary endpoints and the public key location.
OpenID connect specification: https://openid.net/specs/openid-connect-discovery-1_0.html
Auth0 exposes OIDC discovery documents (https://YOUR_DOMAIN/.well-known/openid-configuration). These can be used to automatically configure applications.
https://auth0.com/docs/protocols/oidc/openid-connect-discovery
IdentityServer 4 allows including extra endpoints in the discovery document. http://docs.identityserver.io/en/latest/topics/discovery.html
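Added example (Python, not code from the answer above or from any provider) showing how a JWT middleware gets from an authority URL to a signing key: append the fixed well-known path, read issuer and jwks_uri from the discovery document, then pick the JWK whose kid matches the token header. The discovery document, JWKS and the FAKE_HTTP lookup are constructed sample values that replace real HTTPS fetches.

```python
import base64
import json

# Constructed sample documents (not from any real provider) standing in for
# <authority>/.well-known/openid-configuration and the jwks_uri it advertises.
AUTHORITY = "https://idp.example.test/"
DISCOVERY_DOC = {
    "issuer": "https://idp.example.test",
    "jwks_uri": "https://idp.example.test/keys/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
}
JWKS_DOC = {"keys": [{"kty": "RSA", "kid": "key-2024-01", "use": "sig",
                      "alg": "RS256", "n": "PLACEHOLDER-MODULUS", "e": "AQAB"}]}
FAKE_HTTP = {  # url -> document; replaces HTTPS GET so the example runs offline
    "https://idp.example.test/.well-known/openid-configuration": DISCOVERY_DOC,
    "https://idp.example.test/keys/jwks.json": JWKS_DOC,
}

def discovery_url(authority):
    # The well-known suffix is fixed by OIDC Discovery, which is why the
    # middleware only needs the authority (base) URL to find the keys.
    return authority.rstrip("/") + "/.well-known/openid-configuration"

def fetch_json(url, http=FAKE_HTTP):
    if url not in http:
        raise LookupError("no document at " + url)
    return http[url]

def b64url_encode_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode_json(segment):
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def resolve_signing_key(authority, token, http=FAKE_HTTP):
    """Return (issuer, jwk) for the key that must verify `token`, else raise."""
    meta = fetch_json(discovery_url(authority), http)
    header, payload = [b64url_decode_json(p) for p in token.split(".")[:2]]
    # Reject algorithms the provider never advertised (blocks alg confusion)
    # and tokens whose iss claim does not match the discovered issuer.
    if header.get("alg") not in meta["id_token_signing_alg_values_supported"]:
        raise ValueError("token alg not advertised by the provider")
    if payload.get("iss") != meta["issuer"]:
        raise ValueError("iss claim does not match the discovered issuer")
    for jwk in fetch_json(meta["jwks_uri"], http)["keys"]:
        if jwk.get("kid") == header.get("kid") and jwk.get("use", "sig") == "sig":
            return meta["issuer"], jwk
    raise LookupError("no JWKS key matches the token kid")
```

Signature verification with the returned JWK is left to a JOSE library; an in-house provider only needs to publish the same discovery document and JWKS for this lookup to work.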
We currently use WSO2 Api Manager to reach some backends.
The thing is, the consumer must:
First authenticate to the API Manager (OAuth)
Then authenticate to the backend API (whatever security is in place, as the options provided by API Manager to handle it itself are quite poor)
Make the call
I find it heavy:
Many calls just to do one real call.
Losing the "loose coupling" advantage API Managers should provide.
Do you think we are doing this right? Shouldn't API Managers deal with backend authentication?
Thanks in advance for your help!
This depends on how you want to do this. It is not mandatory to have both OAuth2 protection and backend authentication. This can be done in the following ways.
If you want only to allow backend authentication
Then you can set the Authentication type to None; then OAuth2 won't apply. - https://wso2.com/blogs/cloud/oauth-and-authentication-type-application-vs-application-user/
You can allow OAuth2 only
If your backend is insecure and needs a way to be exposed, this is the best option.
If you need both authentications
There can be cases where your backend is used by other parties and there is no option to remove backend authentication, and you also need OAuth2 protection for the API to make it secure at the API gateway level. Then this is the option.
Hope this is clear. WSO2 has these capabilities and you can choose any option.
In HWIOAuthBundle we must provide infos_url, but Drupal doesn't seem to have such an API URL, and everyone says OAuth2 requires SSL. Is it necessarily required? My app doesn't seem to get an authorization_code from the OAuth server (a Drupal site as the OAuth server).
Yes, it's necessary for a production environment, because OAuth 2.0 uses the client_id, secret_id and passwords in the request URL as query variables.
But if you are using it in development mode on your computer it will work. HTTPS is not a requirement for the OAuth logic, it's only about security.
I'm learning how to develop with Symfony2 and I would like to create a RESTful OAuth server (not an OAuth client for Facebook, Twitter etc...).
I saw FOSOAuthServerBundle but it doesn't look like an OAuth provider...
Could you recommend me a good bundle for that?
The best OAuth server provider I used for Symfony2 is FOSOAuthServerBundle.
It will provide all the OAuth functionality for you.
The configuration is a little bit tricky.
This blog will help you configure the OAuth server using FOSOAuthServerBundle.
I am using a Spring MVC project on the server to provide APIs to access data from both a mobile app and a web app.
I've done research on security with OAuth 2.0 and thought the Authorization Code flow is suitable for both apps mentioned above, but I'm a little confused about that. Can anyone tell me which flow is best suited for this type of scenario?
Info: I need to implement OAuth 2.0 server-side (Spring MVC project deployed in AWS).
If you are implementing your own authorization server and you already handle your consumer DB, I don't think you need the authorization code grant type of OAuth2. You can use Client Credentials or ROPC. Authorization code is used when the login is handled by a 3rd party (auth server).
There are 4 grant types in OAuth2 which are meant for different scenarios. Refer to: Securing an existing API with our own solution