We are using WSO2 Identity server and WSO2 API Manager to manage access.
We give scopes to API and assign scopes to roles.
Now the requirement came in that, from the application, privileges for roles have to be manipulable.
Suppose there is a Role like Admin in the application; we have to list activities [scopes] against that Role, and a Super User can change the scopes against that Role. The Super User can create new roles as well.
So we can't predefine which are all the scopes for the particular roles.
How can I address this via WSO2? How do I manage privileges via WSO2?
I believe what you want is to manage the permission each role has.
That you can do with RemoteAuthorizationManager SOAP service.
See docs here.
We are using WSO2 IS as the IAM server; roles and users are managed in WSO2 IS. WSO2 EI will be the integration server, exposing private APIs.
What would be the right way to implement role based access control, like some set of APIs only to be accessed by users in specific groups? How can I implement this in the simplest way? Is there a requirement for WSO2 AM here?
Thanks
EI is not the ideal way to expose private OAuth secured APIs. Even though you can achieve it with EI, that would be an excessive effort when integrating.
Use API Manager to expose the APIs to your crowd. Configure Identity Server as the Key Manager (Token Manager) of the APIM server. The APIM server knows how to talk to the Identity Server to generate and validate access tokens, so there's no explicit effort to integrate the resource server (APIM Gateway) with the authorization server (IAM).
Share the user store between both the servers. (IS and APIM)
Configure IS as the Key Manager of the API server.
Register your API in the publisher/developer portal.
When publishing, you can define role based access restrictions to your API resources from the Publisher portal. (Role : Scope mapping)
Once you define it, IS will always check your roles upon providing an access token for you.
As you've already defined a role : scope mapping, the scopes you request in your token generation request will only be accepted if you (the requester) have the expected roles. Therefore, the scope of your token will only be as good as the roles you've got assigned to yourself. Now, as the API resources you've published require a defined set of scopes, not all access tokens will be accepted when trying to access the APIs, only the ones with the expected scopes.
Configure IS-KM with APIM
Role based scopes
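The role -> scope -> resource chain described in the answer above, as an added illustration (not WSO2 code; IS and the APIM Gateway perform these checks internally). The role:scope mapping and the resource:scope table are constructed samples standing in for what you define in the Publisher.

```python
# Added illustration, not WSO2 code. SCOPE_ROLES stands in for the
# Role : Scope mapping defined in the Publisher; RESOURCE_SCOPE stands in
# for the scope attached to each published API resource. Both are
# constructed samples.
SCOPE_ROLES = {
    "order:read": {"customer", "admin"},
    "order:write": {"admin"},
    "report:read": {"analyst", "admin"},
}

RESOURCE_SCOPE = {
    ("GET", "/orders"): "order:read",
    ("POST", "/orders"): "order:write",
    ("GET", "/reports"): "report:read",
}


def issue_token_scopes(user_roles, requested_scopes):
    """Scopes the key manager grants at token generation: a requested scope
    is kept only if the requester holds a role mapped to it, so the token is
    never broader than the caller's roles allow."""
    roles = set(user_roles)
    granted = []
    for scope in requested_scopes:
        allowed_roles = SCOPE_ROLES.get(scope)
        # Unknown scopes and scopes the user's roles do not cover are dropped.
        if allowed_roles and roles & allowed_roles:
            granted.append(scope)
    return granted


def gateway_allows(token_scopes, method, path):
    """Gateway-side check: the resource's required scope must be present in
    the token. A resource with no scope mapping needs only a valid token."""
    required = RESOURCE_SCOPE.get((method, path))
    return required is None or required in token_scopes


if __name__ == "__main__":
    scopes = issue_token_scopes(["customer"], ["order:read", "order:write"])
    print(scopes)                                     # ['order:read']
    print(gateway_allows(scopes, "GET", "/orders"))   # True
    print(gateway_allows(scopes, "POST", "/orders"))  # False
```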
I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.
I have an Authentication service that checks which tenant the user is linked to and then proceeds to check if the username:password for the user is valid; if valid, it returns a JWT to the gateway API/web API that then allows access to the rest of the services on the cluster.
This is further secured by roles to limit actions and data access etc.
Question 1
What would be a secure way to save the app id and secret given by that tenant if they use azure AD?
In my DB and encrypt the info? It would have to be decrypted to connect to the AD (trying to keep it dynamic).
Question 2
I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?
Question 3
Is there a better/standard way to handle this multi-tenant sign in process?
Question 4
Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?
Edit
Ideally the Roles should not be part of the tenant's AD/B2C because the roles are dynamic and managed from within the application.
Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.
For example, have a look here for a multi-tenant example using asp.net core.
It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.
This blog post may also be useful.
I will very strongly advise you to ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world it's a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.
Recommended reading:
How to build a multi-tenant app with Azure AD
How to secure a Web API with Azure AD.
Libraries like MSAL.NET will automatically manage token caches and refreshes.
Use roles and groups in Azure AD
Claims in tokens issued can be customized to some extent.
disclaimer: I work for Microsoft
I have configured WSO2 API Manager integrated with WSO2 Identity server.
I have created some APIs and created some scopes and roles for them.
But currently I can't see any scopes in the applications when I try to generate a key.
What could be the reason? I have been changing many configuration files for deploying this in EC2. Could any of them cause this issue? I have no errors in the console. How can I debug this?
Only the scopes which are assigned to API resources will be shown there.
As @Bhathiya mentioned, we need to set the scope on the API resource.
Please refer to this article for more details on how to set a scope for a resource. [Article] How to Use OAuth 2.0 Scopes to Provide Role-Based Authorization to APIs Exposed via WSO2 API Manager by Nadeesha Gamage.
I have tried myself and it worked. PFA Screenprint.
1. Set Scope on resource.
2. Scope was available when generating the key.
I set the roles on the user while testing. In your case you need to define the roles in the integrated WSO2 Identity Server.
I am using a combination of WSO2 Identity Server as key server and API Manager for API authorisation against roles.
My requirement is to provide Business users a UI where they can add a user, role and that should reflect in the WSO2. I am using the default user store.
How can I programmatically do this? Is there a REST service which I can use?
You can do user management functionalities programmatically using the User Management APIs exposed as SOAP services. These APIs allow you to manage users, user roles, claims, etc.
If you cannot use the SOAP services, you can use the SCIM API, which is a REST endpoint to do operations such as creating and deleting users. However, this has limited capabilities compared to the User Management SOAP APIs.
You can use identity server's SCIM REST APIs to add users and roles.
Before using this API, you have to enable SCIM in your user store configuration in user-mgt.xml:
<Property name="SCIMEnabled">true</Property>
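An added example (not WSO2's own code) of the SCIM route the two answers above describe: creating a user and then a role, which SCIM represents as a group whose members reference the user's SCIM id. It assumes WSO2 IS is reachable at https://localhost:9443 with the SCIM 2.0 endpoints /scim2/Users and /scim2/Groups enabled, and placeholder admin credentials; the request bodies follow the RFC 7643 core User and Group schemas.

```python
import base64
import json
import ssl
import urllib.request

# Added example, not WSO2 code. Assumed: IS on https://localhost:9443 with
# SCIM 2.0 enabled; ADMIN_USER/ADMIN_PASS are placeholders for a real account.
IS_BASE = "https://localhost:9443"
ADMIN_USER, ADMIN_PASS = "admin", "admin"

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def scim_user(username, password):
    """Body for POST /scim2/Users (RFC 7643 core User attributes)."""
    return {"schemas": [USER_SCHEMA], "userName": username, "password": password}


def scim_group(name, members):
    """Body for POST /scim2/Groups. A WSO2 role is a SCIM group; members is a
    list of (scim_id, username) pairs taken from the created users."""
    return {"schemas": [GROUP_SCHEMA], "displayName": name,
            "members": [{"value": uid, "display": uname} for uid, uname in members]}


def scim_request(method, path, body, verify_tls=True):
    """Send one SCIM call with HTTP basic auth and return the parsed JSON.
    Pass verify_tls=False only for the default self-signed IS certificate."""
    creds = base64.b64encode(f"{ADMIN_USER}:{ADMIN_PASS}".encode()).decode()
    req = urllib.request.Request(IS_BASE + path, method=method,
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": "Basic " + creds,
                                          "Content-Type": "application/scim+json"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def create_user_with_role(username, password, role):
    """Create the user, then a group (role) containing that user's SCIM id."""
    user = scim_request("POST", "/scim2/Users", scim_user(username, password))
    group = scim_request("POST", "/scim2/Groups",
                         scim_group(role, [(user["id"], username)]))
    return user["id"], group["id"]
```

The SCIM id in the create-user response is what group membership refers to, so adding a user to an existing role is a PATCH on that group with the same member object.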
I want to set up a custom authentication flow for some applications registered in WSO2 API Manager. Say for some applications I want to direct them to a federated IDP when they request an access token using the authorization code or implicit flow. As a key manager I use Identity Server.
I know that in Identity Server I can create a Service Provider and set up a custom authentication scheme for it, e.g. using Federated Authentication. Unfortunately this service provider can't act as a subscriber for APIs in API Manager. I found an article that describes how to override the default auth scheme, but I don't want to override the defaults.
Is it possible to set up a custom IDP only for specific applications and avoid tuning the default authentication scheme for OAuth flows? The reason here is that I still want to use the attached user stores for most of the applications but override that behaviour only for some predefined applications.
From WSO2 APIM 3.2.0 onward, it supports multiple key managers. With that, you can create an application bound to a specific key manager you register. You can register a KM from the UI, and by default it supports multiple IDPs like Okta, Auth0 and WSO2 IS.