access token and client id/api key relationship - apigee

I generated an access token using client id (apikey)_1 and client secret_1.
Now I am using that access token generated above with a GET resource call and pass API key 2.
And it's working.
But I want to restrict this so that only the API key 1 which generated the access token can use it to access a resource.
Note: apikey1 and apikey2 are both authorized to access the resource. We want to restrict use of anyone else's access token, however.
Please let me know how to implement it.

When you validate the access_token, Apigee will populate a variable for the client id (check the variables in the trace tool on the policy you're using to validate the token). It should also populate the product that is associated with the key.
While you can build policies around a client_id, it's better to use products. Products allow you to restrict access by resource and are tied to the client_id that generates the access_token.
See the product documentation on Apigee at http://apigee.com/docs/developer-services/content/what-api-product for more info on how to configure and use them.
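One way to enforce the binding the question asks for, as an added example that is not part of the original answer: an Apigee JavaScript policy placed after the OAuthV2 VerifyAccessToken step. It assumes that VerifyAccessToken populates the client_id flow variable (as the answer describes), that the caller presents its key as the apikey query parameter or the x-api-key header, and the auth.keymatch.* variable names are our own, chosen to drive a following RaiseFault step.

```javascript
// Added example: Apigee JavaScript policy that allows the request only when the
// API key presented on the call is the same client that obtained the token.
// Assumptions: the OAuthV2/VerifyAccessToken step already ran and set the flow
// variable "client_id"; the key arrives as ?apikey=... or an x-api-key header.

// Pure decision function so the logic can be exercised outside Apigee.
// `vars` is a plain object keyed by Apigee flow-variable name.
function decideKeyMatch(vars) {
  var tokenClient = vars["client_id"];
  if (!tokenClient) {
    // VerifyAccessToken did not run before this step: fail closed.
    return { allow: false, reason: "token_client_missing" };
  }
  var presented = vars["request.queryparam.apikey"] || vars["request.header.x-api-key"];
  if (!presented) {
    return { allow: false, reason: "api_key_missing" };
  }
  if (String(presented).trim() !== String(tokenClient)) {
    // The key may belong to another app that is also entitled to the product,
    // but it did not mint this token, so the call is rejected.
    return { allow: false, reason: "api_key_token_mismatch" };
  }
  return { allow: true, reason: "ok" };
}

// Apigee wiring: `context` exists only inside the JavaScript policy runtime.
// A RaiseFault step with Condition "auth.keymatch.allow = false" follows this policy.
if (typeof context !== "undefined") {
  var names = ["client_id", "request.queryparam.apikey", "request.header.x-api-key"];
  var flowVars = {};
  for (var i = 0; i < names.length; i++) {
    flowVars[names[i]] = context.getVariable(names[i]);
  }
  var decision = decideKeyMatch(flowVars);
  context.setVariable("auth.keymatch.allow", decision.allow);   // our own variable names
  context.setVariable("auth.keymatch.reason", decision.reason);
}
```

The products-based approach the answer recommends still applies on top of this; the script only adds the per-token client binding.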

Related

Need help setting up Postman Collection Authorization with API Token and Credentials

I am learning to connect to one of our third party's APIs, and the first step in doing so is to get an access token to use for additional requests.
To get that access token, I send a POST request that includes an API key in the header, along with the username and password in the body (as JSON). And that successfully returns a token.
But how do I set that up in a collection? In Postman I have options of API token, Basic Auth, OAuth2, etc. But I do not see how you set up and include both the API key and user/password.
I've tried different scenarios of just the API Key and OAuth2 with credentials, but I'm unsure how you set it up to include both.

How do you Integrate user data access control with oauth2.0 API's?

I am trying to figure out how OAuth2.0 (or something else entirely) can be used to handle a situation where a user who is calling a backend api, can only retrieve data relevant to that user.
For example:
Let's say I have a bank application, and the customer account information is located at "bank.com/account/{customerId}". How do I restrict access to this, so that other customers cannot see each other's bank account information? As it stands, anyone with an access token could get anyone's account info, and roles can't solve this.
I have come up with a potential solution to this problem using Firebase JWTs, which is to access the header of the incoming request and compare the User ID in the body of the token to that of the data being accessed.
My gut tells me I am missing the bigger picture, as this problem must be a common phenomenon, and I could not find the answer elsewhere.
My environment is a Spring Boot backend utilizing the OAuth2.0 resource server pointing to the Firebase project. The backend is connected to a Postgres database. The frontend is an Angular application.
To ensure users can access only their own resources, you must write it in your Spring Boot application. OAuth2 only provides you an access token which you can use to find out who is calling you and what scopes they have granted.
But the security logic is up to you to implement. If you have a userId in URLs, you should check that it matches the userId from the access token. If user data is stored in a database, you will probably need to add conditions to your SQL queries such as WHERE user_id = :userId.
You can also use scopes from an access token to grant only partial access to a user's resources. It's useful if another application can access a user's resources on their behalf, such as reading a person's name and email when logging in somewhere using Google/Facebook/Github.

How to display profile info of the user that called certain api in wso2 apim log?

I am trying to configure the gateway access log of WSO2 APIM (4.0.0) so that it contains profile info (for example: organization, email) of the user that called a certain API, along with the owner of that API, in a log file. I followed the answer to this similar question.
The structure that I would like to have is:
username | user_organization | invoked_api_name | api_owner | api_url | request | response
Any help is welcome!
By using the following properties, we can extract the API Publisher, Username, and Tenant Domain from the Message Context in the custom Handler.
api.ut.apiPublisher: API Publisher
api.ut.userId: Username
Perform the following enhancements to the handleRequestOutFlow(..) method in the Custom Handler to extract the mentioned data.
    public boolean handleRequestOutFlow(..) {
        ...
        // Username of the caller, as set by API Manager on the message context
        String username = (String) messageContext.getProperty("api.ut.userId");
        // Creator (publisher) of the invoked API
        String apiCreator = (String) messageContext.getProperty("api.ut.apiPublisher");
        // API context path; the tenant domain is derived from it
        String apiContext = (String) messageContext.getProperty("api.ut.context");
        String tenantDomain = MultitenantUtils.getTenantDomainFromRequestURL(apiContext);
        if (tenantDomain == null) {
            // No tenant segment in the URL means the super tenant
            tenantDomain = org.wso2.carbon.utils.multitenancy.MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
        }
        ...
    }
Update
If you want to log the organization of a User via the custom Handler, then I can think of two options to achieve the requirement.
Option 01: Configure OpenID Scope
This option is applicable if you have only a handful of applications that need this function.
Configure an additional OpenID scope mapping to the organization claim via the Carbon Management console. And make the organization claim a mandatory claim at each Service Provider to generate the JWT Access Token including the organization claim.
When you are trying to generate the Token, you have to pass the OpenID scope that we have created for the organization, so that the Service Provider will evaluate and include the claim in the Token.
Once the token arrives at the Gateway via the Headers, capture the token and extract the claim from it. Or else, configure the Gateway node to generate the X-JWT-Assertion token and capture that token and extract the claim.
Option 02: Customize the Handler to retrieve claims
We can enhance the Handler implementation to extract the Username from the JWT Access Token and then invoke a set of Key Manager endpoints with the required properties to retrieve the User claims. You can check the Key Manager connector implementation to find the relative endpoints to retrieve the User claims.
Hope this briefing helps you to choose a path. In addition, I have added a few enhancements to the custom handler implementation focusing on the 2nd option.

LinkedIn V2 Profile API not properly returning email

I am attempting to use the LinkedIn V2 Profile API to aid in signups for my website.
I have properly implemented the "Sign in with LinkedIn" button on my website, set up the OAuth 2.0 callback, and my server properly swaps the OAuth 2.0 Access Code for the user's Access Token.
To do this, I am using the Python linkedin_v2 library linked here.
I am then attempting to grab the user's profile, and obtain their first name, last name, and email, to store in my database as a method of signup. I have confirmed that my application requests r_emailaddress, r_liteprofile, and r_member_social accesses.
To obtain their profile, I have attempted the following methods:
Using the Python library linked above to create an application with the user's access token and request the profile as follows:
application = linkedin.LinkedInApplication(token=accessToken)
profile = application.get_profile()
Unfortunately, this method only returns the user's first name, last name, and id, even when I include selectors=['email-address'] as a parameter to the get_profile() function, as specified by the library documentation.
Sending a GET request using the Python requests library https://api.linkedin.com/v2/people/(id:{person ID}) with headers that include Authentication: Bearer {user access token}.
Unfortunately, this method results in a 403 (forbidden) error.
I am curious about the following things:
Why do I obtain a 403 when querying the Profile API using the requests library, when the same access token works to query the API through the Python linkedin_v2 library?
Does anyone know how to use the python_linkedin_v2 library to obtain an email address with the profile?
Does anyone know of a better library to use in order to accomplish my goal of obtaining profile information regarding users who are logging into my product using LinkedIn?
Do I need any additional permissions in order to access my users' emails from LinkedIn?
Thank you so much for your help, and I look forward to discussing potential solutions with all of you.
-Rob

Can we get the scopes that belong to a specific access token?

After getting an access token from LinkedIn, we will save it into a safe place, but later we need to know which scopes are included in the specific token.
Google provides a token info API and Azure always returns scopes with the access token.
Now the question for LinkedIn is: how can we get it?
