Specific Identity provider for Application in ApiManager - wso2-api-manager

I want to set up a custom authentication flow for some applications registered in WSO2 API Manager. Say, for some applications I want to direct them to a federated IDP when they request an access token using the authorization code or implicit flow. As a key manager I use IdentityServer.
I know that in Identity Server I can create a Service Provider and set up a custom authentication scheme for it, e.g. using Federated Authentication. Unfortunately, this service provider can't act as a subscriber for APIs in API Manager. I found an article that describes how to override the default auth scheme, but I don't want to override defaults.
Is it possible to set up a custom IDP only for specific applications and avoid tuning the default authentication scheme for OAuth flows? The reason here is that I still want to use attached userstores for most of the applications but override that behaviour only for some predefined applications.

From WSO2 APIM 3.2.0 onward, multiple key managers are supported. With that, you can create an application binding to a specific key manager you register. You can register a KM from the UI and, by default, it supports multiple IDPs like Okta, oauth0 and WSO2 IS.

Related

How to implement Role based access control in API using WSO2 stack

We are using WSO2IS as the IAM server; roles and users are managed in WSO2IS. WSO2EI will be the integration server, exposing private APIs.
What would be the right way to implement role-based access control, such as some set of APIs only being accessible to users in specific groups? How can I implement this in the simplest way? Is there a requirement for WSO2AM here?
Thanks
EI is not the ideal way to expose private OAuth-secured APIs. Even though you can achieve it with EI, that would be an excessive effort when integrating.
Use API Manager to expose the APIs to your crowd. Configure Identity Server as the Key Manager (Token Manager) of the APIM server. The APIM server knows how to talk to the Identity Server to generate and validate access tokens. So there's no explicit effort to integrate the resource server (APIM Gateway) with the authorization server (IAM).
Share the user store between both the servers. (IS and APIM)
Configure IS as the Key Manager of the API server.
Register your API in the publisher/developer portal.
When publishing, you can define role-based access restrictions to your API resources from the Publisher portal. (Role : Scope mapping)
Once you define, IS will always check your roles upon providing an access token for you.
As you've already defined a role : scope mapping, scopes you request in your token generation request will only be accepted if you (the requester) have the expected roles. Therefore, the scope of your token will only be as good as the roles you've got assigned to yourself. Now, as the API resources you've published require a defined set of scopes, not all the access tokens will be accepted when trying to access the APIs. Only the ones with the expected scopes.
Configure IS-KM with APIM
Role based scopes
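The role : scope flow described in the answer above, as an added example that is not part of the original answer and is not WSO2 code. It is a simplified model: the scope names, roles, resources and the functions `issue_token` and `gateway_allows` are all hypothetical.

```python
from dataclasses import dataclass

# Constructed role : scope mapping, as a publisher might define it.
SCOPE_ROLES = {
    "orders:read": {"employee", "manager"},
    "orders:write": {"manager"},
}

# Constructed API resources and the scope each one requires.
RESOURCE_SCOPE = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


@dataclass(frozen=True)
class Token:
    subject: str
    scopes: frozenset


def issue_token(subject, user_roles, requested_scopes):
    """Key manager side: grant a requested scope only if the
    requester holds at least one role bound to that scope."""
    granted = set()
    for scope in requested_scopes:
        allowed_roles = SCOPE_ROLES.get(scope)
        # This model drops scopes with no role binding (fail closed);
        # a real key manager may treat unbound scopes differently.
        if allowed_roles and allowed_roles & set(user_roles):
            granted.add(scope)
    return Token(subject, frozenset(granted))


def gateway_allows(token, method, path):
    """Gateway side: accept the call only if the token carries
    the scope that the resource requires."""
    required = RESOURCE_SCOPE.get((method, path))
    if required is None:
        return False  # unmapped resource: deny in this model
    return required in token.scopes


if __name__ == "__main__":
    wanted = ["orders:read", "orders:write"]
    alice = issue_token("alice", ["employee"], wanted)
    print(sorted(alice.scopes), gateway_allows(alice, "POST", "/orders"))
```

The token for a user with only the `employee` role silently comes back with a narrower scope set than requested, which is why the client should inspect the granted scopes rather than assume the request was honoured in full.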

How to configure external Web Service (REST) for Authentication in WSO2?

I have a separate Dotnet Web Service API to authenticate users. How can I configure it with WSO2 API Manager?
I have already configured WSO2 API Manager with an external IDP (Keycloak). Is this what I'm looking for, or can it be achieved in a different way?
If you are looking for a way to replace your user store(LDAP/AD/JDBC), with your Dotnet service, you might want to write a new custom user store manager extending the CarbonRemoteUserStoreManger class. There, you should invoke your custom APIs to authenticate, retrieve users. Then you can add a secondary/primary user store with your custom user store manager implementation.
If you want to configure your Dotnet service as a Federated IdP in the API Manager server, you might have to write a Custom Federated Authenticator to communicate with your Dotnet service to authenticate the users. There you should be overriding the initiateAuthenticationRequest and processAuthenticationResponse.
Editing the answer with the new context on issue
In order to generate or validate tokens with an external party (Dotnet service), WSO2 needs to know the service contract of that service beforehand. How you fetch that information to the WSO2 APIM server is by writing an extension to the Key Manager service of the WSO2 APIM server.
By default WSO2 APIM has the implementation to talk to its own Key Manager component and the WSO2 Identity Server. But you need to write the logic (request/response templates) to validate tokens with your dotnet service. This is the official documentation for this. These two Medium posts as well are written on that topic.
Blog 1
Blog 2
Basically, you need to write a simple Java extension project to the mentioned interface, so that WSO2 knows how to talk to your service. A sample of such an implementation, written for Okta as a Key Manager, is pointed to here.
Regarding your concern on validating both the token types;
Yes, it's possible using a custom key manager interface as described above. Once you receive the token at the API Manager side, if you can distinguish whether the token was issued by your Dotnet service or by WSO2 itself from your Java logic (maybe the token length), then your logic should divert the validation request respectively to the WSO2 default Key Validation service (call super()) or to your Dotnet service call. If you can't distinguish between the two tokens just by looking at them, then you can try both the servers to check if either can validate it. (There's a security vulnerability in that.)
Hope this helps.

adding users programmatically in WSO2 API Manager

I am using a combination of WSO2 Identity Server as key server and API Manager for API authorisation against roles.
My requirement is to provide Business users a UI where they can add a user, role and that should reflect in the WSO2. I am using the default user store.
How can I programmatically do this? Is there a REST service which I can use?
You can do user management functionalities programmatically using the User Management APIs exposed as SOAP services. These APIs allow you to manage user, user roles and claims etc.
If you cannot use the SOAP services you can use the SCIM API which is a REST endpoint to do operations such as create, delete users. However, this has limited capabilities when compared to the User Management SOAP APIs.
You can use identity server's SCIM REST APIs to add users and roles.
Before using this API, you have to enable SCIM in your userstore configurations in user-mgt.xml.
<Property name="SCIMEnabled">true</Property>
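The SCIM calls mentioned in the answers above, as an added example that is not part of the original answers. It assumes the Identity Server's SCIM 1.1 endpoints under `/wso2/scim` on `localhost:9443`; the helper names, credentials and user id are hypothetical, and the functions only build the requests so the payload shape can be inspected offline.

```python
import base64
import json
from urllib.request import Request

# Assumption: SCIM 1.1 endpoints of a local Identity Server.
SCIM_BASE = "https://localhost:9443/wso2/scim"
CORE_SCHEMA = "urn:scim:schemas:core:1.0"


def _scim_post(path, body, admin_user, admin_password, base=SCIM_BASE):
    """Build (not send) a SCIM POST request with HTTP Basic auth."""
    raw = f"{admin_user}:{admin_password}".encode()
    creds = base64.b64encode(raw).decode()
    return Request(
        f"{base}/{path}",
        data=json.dumps(body).encode(),
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Basic {creds}",
        },
        method="POST",
    )


def create_user_request(admin_user, admin_password, user_name, password):
    """Request that adds a user to the SCIM-enabled user store."""
    body = {
        "schemas": [CORE_SCHEMA],
        "userName": user_name,
        "password": password,
    }
    return _scim_post("Users", body, admin_user, admin_password)


def create_role_request(admin_user, admin_password, role_name, members):
    """Request that adds a role (a SCIM group) with its members.

    members: (scim_user_id, user_name) pairs; the id is the "id"
    field returned in the response to the user-creation call.
    """
    body = {
        "schemas": [CORE_SCHEMA],
        "displayName": role_name,
        "members": [{"value": uid, "display": name}
                    for uid, name in members],
    }
    return _scim_post("Groups", body, admin_user, admin_password)
```

Send each request with `urllib.request.urlopen(req)` over verified TLS, and load the administrator credentials from a secret store rather than embedding them in the UI's source.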

WSO2 API Manager Federated IDP Access Token

How can I pass the access token created on an OpenIdConnect Federated IDP to the developer application?
Currently, the federated access token doesn't get passed through the API Manager and the API Manager generates a new access token for the application.
You won't be able to plug in an external IDP and generate access tokens using an out-of-the-box API Manager. But you can implement a custom key manager implementation, plug an external third-party key manager into API Manager, and then use those tokens. See Configuring a Third-Party Key Manager in the product documentation regarding this. It has a sample where "Surf OAuth Authorization Server" is used as the key manager. You will be able to implement a similar thing for your scenario.
The following are some good posts related to this feature.
https://amilasnotes.wordpress.com/2015/06/20/customizing-key-validation-flow/
https://amilasnotes.wordpress.com/2015/05/19/integrating-with-a-third-party-oauth-provider-overview/
https://amilasnotes.wordpress.com/2015/06/07/provisioning-oauth-clients-created-out-of-band/

ASP.NET and WCF Authentication Options

What are the authentication options for having an ASP.NET web application communicating with a WCF service?
The scenario:
User enters their username and password in an ASP.NET form.
ASP.NET needs to pass this to WCF to authenticate the user.
If authenticated, the user can perform actions on the website. Each action would require sending data to different WCF operations. WCF needs to know who the user is on each call.
The easiest solution would be to store the username/password in the ASP.NET session state. However, this is insecure because the password is stored in memory on the server.
I would rather not use a certificate to authenticate the ASP.NET "client" to the service because there's a possibility that this WCF could be consumed by another client in addition to ASP.NET.
The best suggestion I've seen so far is to use Windows Identity Foundation (WIF). It appears that this requires an STS. According to MSDN, Microsoft does not seem to recommend setting up an STS through Visual Studio. There's no guarantee that an STS would be available in the deployment environment as some environments may use Active Directory and other environments may have a custom user store. Is it possible to set up a custom STS to authenticate against a custom user store? I'm having trouble finding documentation on doing this.
Are there any other options besides using WIF? What about a custom WCF authentication service that returns a token that can be used for authenticating against a primary WCF service?
The standard way of doing this is by using WIF with Microsoft's STS viz. Active Directory Federation Services v2.0 (ADFS).
There are a number of custom STSs available, e.g. Identity Server. This uses a SQL DB as an attribute store. It's open source so could be adapted to whatever you require.
You can create your own custom attribute store: AD FS 2.0 Attribute Store Overview.
TechNet WIF / WCF: WIF and WCF.
