We are trying to get the ngnix + work as an API gateway with JWT token authorization.
https://auth0.com/blog/use-nginx-plus-and-auth0-to-authenticate-api-clients/
We are following the below document , but one question is not clear , how the front end will get the JWT token , that need to be passes as -H in every request ?
Logically, the ngnix should expose one api to generate tokens. How this can be achieved.
Nginx can only validate, not generate JWT. You need to generate the JWT inside your application using the same secret key. See the Nginx blog for an example (Section "Issuing a JWT to API Clients"). In their example, they issue a JWT using shell commands but of course you can also do this with a JWT library of your choice inside your application.
Related
I have two components:
mydomain runs a nextjs along with next-auth.js
api.mydomain runs a back-end API that mydomain's client points to make some request
Mydomain is authenticated via the Next.js's Github provider, and as long as I get next-auth.js creates a JWT session which is sent to the client as a form of a cookie (correct me if I'm wrong). Then, if you need some info about your authentication, you can use the hook useSession on front side in order to access your JWT session.
My frontend is not using the api nextjs' functionality though: it communicates with an API through axios HTTP calls, which is deployed separately. What I would like to do is passing the Nextjs' JWT to my backend in order to verify authentication and authorization, but I'm not sure if it's possible, safe and recommended.
So: how could I accomplish that? The only alternative I see is generating a separated JWT token within the JWT callback, pass back to the front and use it for my calls, but I see it like a redundant thing actually, like embedding a JWT within a JWT.
Here is what I'd like to do in summary:
I have a Django Rest Framework api that uses bearer token for authentication behind Nginx reverse proxy. I'm setting up basic authentication to protect the proxy in the development server, but I'm not sure what's the best way to protect the api using both authentication methods. I need two authentication methods, because I'd like only admins to be able to see the api page (even if the private information were only accessible to people with the bearer token). I have read that using multiple values in the Authorization header is not compatible with the spec, so I was thinking that maybe I could switch the header used by Django from Authorization to "Custom-Authorization", but the solution seems hack-ish. I'd rather have an Nginx solution for this (and even use custom header for basic auth if that were possible). What would you recommend?
You find the answer here: Multiple HTTP Authorization headers?
=> basic authentication and bearer token are sharing the same header. This is basically the reason why it is not working.
I have an API that is running on Google App Engine. I am using the flexible environment with Python. The flexible environment docs point to this example even though the example is for the Standard environment.
The example shows how to use Firebase to authenticate users to access the API using email and password.
It works really fine for the Flexible environment also. As on the example provided by Google, my API checks the authentication using:
id_token = request.headers['Authorization'].split(' ').pop()
claims = google.oauth2.id_token.verify_firebase_token(
id_token, HTTP_REQUEST)
if not claims:
return 'Unauthorized', 401
The problem I am having is with testing. I can't figure out how to use Postman native app to authenticate and send the Authorization parameter on header so my API will respond back.
On Postman Authorization tab, I used the Bearer option. I used the same token from one web session but it was not valid. I also tried with OAuth2 but it is not clear what to fill on some parameters such as scope.
This page should help: https://developers.google.com/identity/protocols/OAuth2WebServer. Look at the HTTP/REST examples to help configure your Postman requests.
If you can use curl, or have Postman give you equivalent curl commands, you should post them here, with the actual auth tokens redacted. You may get more help that way.
I've been going through this tutorial which shows how to secure a single page application using several scenarios going from simple to our own Authorization Server that delegates authentication to a provider. The first scenario uses the Authorization Code Grant to log the user in.
Suppose we replace Facebook's OAuth Server with our own in this case and configure it to return a JWT token.
Which OAuth flow should the SPA use if it wants to use the JWT token to secure requests through an edge server that load balances between resources servers?
Also how should spring boot / spring security be configured if we want to use the JWT token to replace the replace the default JSESSION and CSRF support in spring? IIUC the JWT token can be used as a replacement to both of these features.
Update
Based on Manish's answer assuming we are using OAuth 2 implicit flow we:
Put the #EnableResourceServer annotation on the Resource Server
Use an OpenID Connect client to implement the implicity flow
So once this is done are POST request secure assuming each request includes the JWT token as a Bearer Header, or do we need to also configure CSRF?
It will depend on how much your application is sensitive to security but Implicit flow is recommended for pubic client (SPA).
Tutorial is based Authorization Code flow and if you will replace Facebook with your STS, it will still use Authorization Code flow because #EnableOAuth2Sso store the JWT token on server and send the cookie to browser and it also uses refresh token to get the new JWT token. It is a customize flow to implement the Authorization Code flow with public client (SPA) based on API gateway pattern.
To implement the implicit flow - Do not use the #EnableOAuth2Sso at server side, just expose the REST API and secure it with #EnableResourceServer. And you need to use the oidc-client to implement the implicit flow link is here https://github.com/IdentityModel/oidc-client-js
CSRF protection is only required if you will store JWT token or session identifier in the browser's cookie.
I have an admin-console for an existing service that I want to provide access to by adding login, using our company's OAuth 2.0 service. I want to use Apigee here, so that the web-app with the admin-console does not have to implement the login-logic.
My idea was to use AuthorizationCode flow and let Apigee manage the tokens and I looked into https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/oauth-login-app, but I really can't see how our existing OAuth service fits in.
Is there a sample like that? Perhaps using Google's or Facebook's OAuth service to authenticate the user?
First, Apigee needs to be a proxy into the admin-console. This means that all traffic to the admin-console has to go through Apigee. Otherwise, you won't be able to enforce authentication.
Second, there are a couple different options for integrating with the external oauth 2.0 service. Apigee has the ability to store an external access token and use it as its own, or Apigee can generate a token and store the external access token as a custom attribute.
High level thoughts on how the Apigee proxy could look like:
ProxyEndpoint - endpoint exposed to clients connecting to admin console
TargetEndpoint (not shown in that oauth login-app example) - endpoint for the actual admin console
The flows that execute in the Apigee proxy before sending the request to admin-console will need to implement logic that checks an authentication token. If it's valid, let the request pass onto the TargetEndpoint (admin-console). If the request isn't valid, step through logic that goes calls the external oauth 2.0 server's auth code flow. This will require the following:
Apigee needs to be registered with external oauth 2.0 server.
Logic needs to be built in this proxy to support the redirection based flow of authorization code grant_type (obtaining auth code, receiving the auth code, obtaining token --> all while being redirection based and transparent to user).
In addition to #2, Apigee will need to store the external token as custom attribute and expose the apigee token, or store the external token for verification purposes later on. http://apigee.com/docs/api-services/content/authorize-requests-using-oauth-20 (see Delegating token management). After the token is stored, you'd need to respond with another 302 redirect to the initial uri + token so the request can pass through to admin-console as an authenticated request.
#2 isn't exactly straight-forward and there won't be an example proxy that shows this implementation. If the oauth 2.0 service supported a password grant, it may simplify the implementation, but allows the credentials to pass through apigee and not directly with the authorization server.