I wanted to setup API Manager generating JWT tokens. We setup IS as key manager. user will get authorized from IS, API Manager should generate JWT and send it to microservices. I setup a JWTSecurityInterceptor and CustomJWTClaimsInterceptor in the microservices. but when it got the JWT token from API manager, it has the exp setup as past time and always getting "Token has expired" error. PLease help me what am I doing wrong.
I followed this doc to setup the JWT generator in AM. https://docs.wso2.com/display/AM200/Passing+Enduser+Attributes+to+the+Backend+Using+JWT
I am using AM 2.0.0 and IS 5.2.0.
Thanks
Ravi Ada
Related
Cant establish persistent API connection to GA4 from Make (formerly Integromat). I use an HTTP OAuth 2.0 connection
I've enabled the Google Analytics Data API v1
In GCS I've created a project, Enabled the above mentioned API with authorized domains integromat.com and make.com and also created an OAuth 2.0 app. The scopes I added was:
https://www.googleapis.com/auth/analytics.readonly
https://www.googleapis.com/auth/analytics
I created credentials for a web app with the Authorized redirect URI’s of
https://www.integromat.com/oauth/cb/oauth2
https://www.integromat.com/oauth/cb/google/
The connection works but only for a short period (I assume the token expires). To try and mitigate this I created a service account. That does not work as I cant find a way to add an authorised URI to a service account. This is the Make error:
Error 400: redirect_uri_mismatch
You can’t sign in to this app because it doesn’t comply with Google’s OAuth 2.0 policy.
If you’re the app developer, register the redirect URI in the Google Cloud Console.
Request details: redirect_uri=https://www.integromat.com/oauth/cb/oauth2
Any ideas please? I’m truly stuck
Your question lacks a bit of information as to what it is exactly you are trying to do. However there is enough here that I can help you clear up a few issues or miss understandings.
Oauth2
Oauth2 allows your application to prompt a user to request permission to access their data. The authorizaton server returns to you an access token, this access token is good for only an hour and then it will expire.
If you are using a server sided programming language then you can request offline access, at which point the authorizaiotn server will return to you an access token and a refresh token. The refresh token can then be used by you when needed to request a new access token.
service accounts.
Service accounts can be used if you are only accessing private data that you the developer own. You can create a service account, then go in the admin section of the google analytics website and add the service account as a user it will then have access to that account. There will be no need to request consent of a user to access the data it will just work. Note: service accounts only work with server sided programming languages.
redirect uri issue.
The redirect uri must exactly match the web page that your application is sending. In this case the error messages says you are missing https://www.integromat.com/oauth/cb/oauth2 you should add that.
Google OAuth2: How the fix redirect_uri_mismatch error. Part 2 server sided web applications.
So, I have 3 microservices and only 1 of them is used for Authentication - it uses ASP.NET Identity.
I am issuing a token every time successful login occurs, which contains claims such as Id, Username, Balance (money), Roles.
When this JWT is created how can I pass it to other APIs? Is it necessary to use API Gateway or not? Is it bad practice to store it in local storage?
If it is not necessary, can I store this JWT as Cookie and pass it to my other APIs?
And if so -> how can I create some kind of session in my other APIs, depending on that cookie?
I am very confused on 2 main topics - how other APIs will know about this token and how in each API I can create authenticated/ authorized session, because most of the tutorials use Postman and on each request they pass this auth/ bearer token. But this is not applicable in real world situations, at all.
Instead of creating JWT auth in every API, First implement API
gateway and intergrate JWT stuff in that API Gate way.
API gateway will authenticate all api calls and will send requests
according their endpoints.
In my real scenario we are Used Ocelot API gate way and it is
open source.
I have been trying to configure WSO2 API manager as our API Gateway. I am facing below issues while configuring and testing.
Authorization of apis migrated to WSO2
Getting JSONObject["exp"] not found. when trying to access API with Token
Not sure about the client ID which has to be given for Authorization URL: https://localhost:8243/authorize
Is this URL: https://localhost:8243/authorize is the one we use for authenticate the APIs
Have used carbon for creating users, Service and Identity providers, Are they related to each other and how can we use it for the JWT authentication
Is this subscription means creating a user for using API?
How i can group multiple APIs into a microgateway
Please help me
Thanks
How can I pass the access token created on an OpenIdConnect Federated IDP to the developer application?
Currently, the federated access token doesn't get passed through the API Manager and the API Manager generates a new access token for the application.
You won't be able to plug in an external IDP and generate access tokens using an out-of-the-box API Manager. But you can implement a custom keymanager implementation and plug external third party keymanager to API manager and then use that tokens. See Configuring a Third-Party Key Manager in the product documentation regarding this. It has a sample where "Surf OAuth Authorization Server" is use as the key manager. You will be able to implement similar thing for your scenario.
following are some good posts related to this feature.
https://amilasnotes.wordpress.com/2015/06/20/customizing-key-validation-flow/
https://amilasnotes.wordpress.com/2015/05/19/integrating-with-a-third-party-oauth-provider-overview/
https://amilasnotes.wordpress.com/2015/06/07/provisioning-oauth-clients-created-out-of-band/
I have used Owin in the past to create a token endpoint in my Mvc Web Api projects to provide oauth 2.0 tokens with "Resource Owner Password Credentials" grant type where access token provider would check a database user table to verify the validity of the credentials supplied by the mobile client (multiplatform App developed with Visual studio tool for Cordova).
In this project, the Web Api will be consumed by a multiplatform Mobile app used by Active Directory Windows domain accounts
I would like to use Owin Oauth 2.0 to grant an Access Token to these users but I don't know how to check the validity of these credentials.
What I was thinking is to put the /token endpoint behind "basic authentication" and in the code of the Access Token Provider get the user from the Identity that, in case of authenticated used, should be automatically created by the Asp.net pipeline.
Is it something that could work?
Do you know any better idea to use Oauth 2.0 for AD Windows Accounts?
Note:
I'm also investigating if Active Directory is able to provide an Oauth 2.0 endpoint by itself.
Here is a pretty good walkthrough of how to use Active Directory Federation Services to obtain an OAuth2 token.
https://technet.microsoft.com/en-us/library/dn633593.aspx.
You'll have to follow all the links at the bottom to get the entire walkthrough.
Note that it refers to using Windows Azure AD Authentication Library for .NET. But according to that documentation, that library is used for both Azure Active Directory and on premises Active Directory.
As for the workflow, once authenticated you'll be able to obtain and present a bearer token to your WebAPI. Your WebAPI then "validates the signature of the token to ensure it was issued by AD FS, checks to see if the token is still valid and hasn’t expired and may possibly also validate other claims in the token. At this point, the client is either authorized and the information they requested is sent in the response or they are unauthorized and no data will be sent." - https://technet.microsoft.com/en-us/library/dn633593.aspx
You could use ADFS 3.0 on top of AD which would provide you with OAuth 2.0 Authorization Server functionality: http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
Putting the token endpoint behind "basic authentication" does not help you because you'd be authenticating the client on the token endpoint, not the user. You could put the authorization endpoint behind "basic authentication" though.