Istio Ingress Gateway API authentication with internal token - kubernetes-ingress

I have found this great article that describes the ability to run API authentication with Istio Ingress Gateway and Oauth2-proxy: https://medium.com/@senthilrch/api-authentication-using-istio-ingress-gateway-oauth2-proxy-and-keycloak-a980c996c259
What I am missing is the ability to create an internal token based on the incoming one for internal authorization (mapping of external roles to internal ones for RBAC support).
I will be glad for any suggestions!
Thank you!

Related

Azure APIM Policy to authenticate App Configuration service using access keys

I'm trying to authenticate the Azure App Configuration Service with access keys in APIM policies.
Can someone help with how we can authenticate the Azure App Configuration Service using access keys in APIM policies?
You will need to implement the HMAC authentication as explained in the document below. There are code samples in a variety of languages in that doc too.
https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-hmac

FIWARE - Token API Orion Context Broker

I have an Orion Context Broker (https://github.com/telefonicaid/fiware-orion) on my server, but I need to add some restrictions for my "consumers" when they use the endpoint(s), e.g. http://myhost:1026/v2/entities. Is it possible to configure the local/personal Broker with a token like https://fiware-orion.readthedocs.io/en/1.11.0/quick_start_guide/index.html#orion-context-broker-quick-start-guide ?
Thank you very much.
The Orion Context Broker does not offer roles and permissions directly.
To add roles and permissions to restrict an endpoint, you will need to use a PEP Proxy - which security mechanism you use to do this is up to you.
There are several OAuth2-based security components found within the FIWARE Catalogue; alternatively, you could use another open-source PEP Proxy such as steelskin, which integrates nicely with either Keyrock or Keystone.

API Management to forward client certificate

I am trying to achieve the following scenario but end up with a 403 response.
Client -> sends Cert A -> API Management -> Forwards Cert A -> Backend API (Azure Api App) -> Authenticates the certificate.
Is there a way to configure API Management to forward the incoming certificate to the backend API?
I tried various transformation policies on the incoming request but none of the options worked.
Please suggest.
This is technically not possible, since the client certificate's private key is never transmitted over the wire. So there is no way APIM could use it to authenticate to the backend. Even more so since there is no affinity between the client connection and the backend connection in APIM. Your best option is to send client certificate information in a custom header. You can use the set-header policy to set it at the APIM level, along with policy expressions to extract client certificate information from the request.
With the new authentication-certificate policy (learn.microsoft.com) you may return the certificate as a byte[] coming from a separate send-request response-variable and use it as follows:
<authentication-certificate body="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" password="optional-certificate-password" />
You could store the password as a secret named value or even get it from the KeyVault by using this snippet:
github.com/Azure/api-management-policy-snippets
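An added example (not from the answers above and not one of Microsoft's own samples) of the header-forwarding approach the first answer describes: an APIM inbound policy that rejects callers whose certificate thumbprint is not among the certificates uploaded to APIM, forwards the thumbprint and subject in custom headers, and authenticates APIM itself to the backend with its own certificate so the backend can trust those headers. The header names and the backend certificate thumbprint are assumptions, and the certificate check requires "Negotiate client certificate" to be enabled on the gateway hostname.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject the call unless the caller presented a certificate whose thumbprint
         matches one uploaded to this APIM instance. -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
        <return-response>
          <set-status code="403" reason="Invalid client certificate" />
        </return-response>
      </when>
    </choose>
    <!-- APIM never holds the client's private key, so it cannot re-present Cert A.
         Forward identity attributes instead; exists-action="override" discards any
         value the caller tried to inject under the same header name.
         (Header names are assumptions made for this example.) -->
    <set-header name="X-Client-Cert-Thumbprint" exists-action="override">
      <value>@(context.Request.Certificate.Thumbprint)</value>
    </set-header>
    <set-header name="X-Client-Cert-Subject" exists-action="override">
      <value>@(context.Request.Certificate.Subject)</value>
    </set-header>
    <!-- Authenticate APIM to the backend with a certificate APIM owns. The backend
         should accept the X-Client-Cert-* headers only on connections that present
         this certificate; otherwise anyone who can reach the backend can forge them.
         The thumbprint below is a placeholder. -->
    <authentication-certificate thumbprint="REPLACE_WITH_APIM_BACKEND_CERT_THUMBPRINT" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Pair this with a backend that rejects plain (non-mTLS) connections or an IP restriction to the APIM gateway, since the headers alone carry no proof of origin.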

Secure webapi in APIm?

To borrow some thoughts on using APIm to secure a webapi, are the scenarios below supported?
certificate
The intention is to secure the Azure-hosted webapi. My thought now is to have APIm validate the incoming calling client and check that the thumbprint is one of the certificates I configured in APIm; once authenticated, APIm forwards the call to my webapi using another certificate (which I hardcode in my webapi logic check).
IP restriction
The intention is to limit the caller IP in APIm; furthermore, I can somehow configure the webapi to accept calls only from APIm and nowhere else (lock down).
Yes, all the scenarios are possible. Refer to the links below:
Secure Apis with client certificate
Secure your backend with mutual certificates
Restrict caller IPs policy

AWS api gateway setting custom domain

I'm using the API Gateway service to manage my Spring Boot resources. I want to point the gateway to my sub-domain. I tried adding it as an alias in Route 53 but it does not work. There's an option in the API Gateway console which asks for my domain and some credentials. I don't know if a sub-domain can work and what I should add to the certificate input. Probably it is asking for an SSL certificate and I am ready to purchase one, but before I do that, I want to be sure that it accepts sub-domains.
Yes, API Gateway supports subdomains. You can try with a self-signed certificate and see the options.
See the official documentation on using Custom Domain Names in API Gateway.