FIWARE how to access KeyRock IdM token from Wirecloud widget - fiware

In the global WireCloud instance I have a widget which uses the KeystoneAPI mentioned here:
https://wirecloud.readthedocs.io/en/stable/development/object_storage_api/
So far so good.
However, now I want to move to KeyRock for authentication. I still want to pass tokens from my WireCloud widget to backend services like the Wilma PEP proxy, which is not connected to KeyRock as well. But the KeystoneAPI seems to be tied to Keystone (hence the name, probably).
Is there a KeyRockAPI accessible from WireCloud widgets? How can a widget obtain the KeyRock OAuth2 token the user logged in with? I cannot find any documentation on this.

WireCloud doesn't allow widgets and operators to read the OAuth2 token assigned to the user, but it provides support for injecting the token into HTTP requests if they go through the WireCloud proxy. This injection is controlled by several HTTP headers; this is an example:
MashupPlatform.http.makeRequest(url, {
    requestHeaders: {
        // ask the WireCloud proxy to inject the logged-in user's OAuth2 token ...
        "X-FI-WARE-OAuth-Token": "true",
        // ... under this header name in the request forwarded to the backend
        "X-FI-WARE-OAuth-Header-Name": "X-Auth-Token"
    },
    ...
});
You can find more info about how to use this feature in the FIWARE Academy course, more specifically in the 3.1.8. Accessing third-party services using IdM tokens section (note that this document is the same one you pointed to in your comments, but in HTML format ;) ).
Answers to the other questions formulated as comments:
Installed docker containers of KeyRock and Wirecloud, tried out the objectstorage demo widget, which failed to retrieve an authentication token. Traced the problem to %idm_token% not being filled in by the python code, presumably in plugins.py because it looks for an AUTHENTICATION_BACKEND of 'fiware' whereas the documentation states to include 'wirecloud.fiware.social_auth_backend.FIWAREOAuth2'.
I recommend you to create a new question in StackOverflow to tackle this problem. Please, provide more details on your configuration.
So my authentication token from WireCloud will be bound to that application? If so, the token is useless to my own application unless I can get a new token for it. Am I wrong here?
Yeah, the Mashup portal is the application number 17 in the Account portal and the OAuth2 token obtained by WireCloud is bound to that application. I cannot foresee if that token is useful for your application or not. This token can be used for authenticating users, but the IdM limits the returned information (e.g. roles) depending on the application bound to the token. So, evidently, this integration is not perfect, but we are missing some integration features from the IdM to make it more useful.
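As an added example (not code from the answer above or from WireCloud itself), here is a model of what the two control headers do: the widget side builds the options it would hand to MashupPlatform.http.makeRequest, and the proxy side consumes the control headers and adds the user's token before forwarding. The widget never sees the token. That the proxy strips the control headers, and that it rejects a request without X-FI-WARE-OAuth-Header-Name or one where the widget already set the injected header itself, are assumptions of this model, not documented WireCloud behaviour.

```javascript
// Added example, not WireCloud's own code. Models the token-injection step of the
// WireCloud proxy for the two documented control headers.
// Assumptions: control headers are stripped before forwarding; a missing header name
// or a widget-supplied value under the injected header name is treated as an error.

const CONTROL_HEADERS = new Set([
  "x-fi-ware-oauth-token",
  "x-fi-ware-oauth-header-name",
]);

// Widget side: the options object a widget passes to MashupPlatform.http.makeRequest
// (MashupPlatform only exists inside WireCloud, so only the options are built here).
function widgetRequestOptions(headerName) {
  return {
    requestHeaders: {
      "X-FI-WARE-OAuth-Token": "true",
      "X-FI-WARE-OAuth-Header-Name": headerName,
      Accept: "application/json",
    },
  };
}

// Proxy side: given the widget's headers and the token WireCloud holds for the
// logged-in user, return the headers that actually go to the backend service.
function injectOAuthToken(requestHeaders, userToken) {
  const byLowerName = new Map(
    Object.entries(requestHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const wantsToken =
    String(byLowerName.get("x-fi-ware-oauth-token")).toLowerCase() === "true";

  // Control headers are consumed here and never forwarded.
  const outgoing = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (!CONTROL_HEADERS.has(name.toLowerCase())) outgoing[name] = value;
  }
  if (!wantsToken) return outgoing;

  const headerName = byLowerName.get("x-fi-ware-oauth-header-name");
  if (!headerName) {
    throw new Error("X-FI-WARE-OAuth-Header-Name is required when requesting token injection");
  }
  if (!userToken) throw new Error("no OAuth2 token is available for the current user");
  // Do not let the widget smuggle its own value under the header the proxy fills in.
  if (byLowerName.has(headerName.toLowerCase())) {
    throw new Error(`widget must not set ${headerName} itself`);
  }
  outgoing[headerName] = userToken;
  return outgoing;
}

// Constructed sample: a widget calling a Wilma-protected service; the token value is a stand-in.
const sample = injectOAuthToken(
  widgetRequestOptions("X-Auth-Token").requestHeaders,
  "0123456789abcdef"
);
console.log(sample); // { Accept: 'application/json', 'X-Auth-Token': '0123456789abcdef' }
```

Because the injected header is the only place the token appears, the backend (Wilma in the question) must read it from that header name, and the widget must not be able to observe the forwarded request.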

Related

To authenticate the client that invokes Google cloud function in Java

I have a google cloud function in Java.
Client will invoke the function using HTTP trigger URL.
But that is not secure. I have gone through some docs saying that you should pass a token or client ID and then verify it in server side.
Can anyone explain that in detail and please provide a code example if any.
My doubt is to authenticate the client while they invoke the function using Http trigger
This page explains quite well all the capabilities you have to authenticate a requester on Cloud Functions.
If you have users, the best way is to use Firebase Auth (or Google Cloud Identity Platform, which is simply a more advanced solution than Firebase Auth, with more features).
However, you need to grant all your users the cloudfunction.invoker role to allow them to invoke the Cloud Functions. It could be difficult. You can also perform the check on your side, but in this case you remove the security (filter) layer of Google and you have to check all the traffic yourself (not really safe, in terms of billing and in case of attack).
The last solution, API keys, is not recommended, especially for the users. But for machine to machine it's sometimes the only solution. However, there isn't an out-of-the-box solution, and for this I wrote an article that explains how to create a Cloud Endpoint (or now a Cloud API Gateway, which is the serverless solution of Cloud Endpoint with ESPv2) to accept API keys.
With this last solution, if you change your security definition, you can also accept OAuth2 tokens coming from Firebase Auth (or Cloud Identity Platform), but this time you don't need to grant all the users the Cloud Functions IAM role. The token only needs to be valid, and it's the Cloud Endpoint service account that is used to perform the call (and thus which needs to be authorized on the Cloud Functions).
In addition, because you can accept OAuth2 tokens, you can also accept non-Google tokens, and thus have your users in any OAuth2-compliant IdP (Keycloak, Okta, ...).
You could use an external OAuth server like Keycloak (https://github.com/keycloak/keycloak), or use something like JSON Web Tokens -- https://jwt.io/ -- available for various languages, suitable for microservices.

Pass Authentication Token to Service

I have used Liferay Service Builder to build my services. Some of my services require that the user is authenticated before he can use them.
How can I generate an auth token and send it in the header or in the URL?
I have tried username#host.com:password#http://localhost:8080/PortletName-portlet/api/jsonws/?serviceClassName=com.service.NameServiceUtil&serviceMethodName=getMyNames&serviceParameters=[userid]&userid=1
and it did not work!
I have made sure I have added the below line in my portal-ext.properties and restarted the server.
json.service.auth.token.enabled=true
What more should I do to be able to pass an auth token? Is there a better method that I can use?
You actually want to use AuthVerifier. This is the best way to access the Liferay API and be authenticated. It is similar to the autologin concept.
Have a look at https://dev.liferay.com/es/discover/deployment/-/knowledge_base/7-0/authentication-verifiers and check out the PortalSessionAuthVerifier class in the source code.
The concept is quite simple. Read the request object and determine who the user is. Perform your custom authentication and return the auth result with the user identification.

Unable to use Box API Enterprise API with OAuth2 authenticated app

What I understand is Enterprise API from Box works only with server-server JWT auth and not like OAuth2 based authentication.
Box integrations which have OAuth2-based authentication support only the Content API and not the Enterprise API.
Is there a way to have OAuth & Enterprise API at the same time? (I essentially want to manage users & groups of any third-party enterprise.)
Any thoughts/pointers? Thanks in advance!
What I understand is Enterprise API from Box works only with server-server JWT auth and not like OAuth2 based authentication.
This is not correct, though I can see how you could arrive at that understanding. You can work with the Box Enterprise API using traditional 3-Legged OAuth. In fact, for many years 3-Legged OAuth was the only way to work with the Box API.
In order for a 3-Legged OAuth access token to make Enterprise API calls:
The appropriate Enterprise scopes must be selected in the app configuration.
The token must have been issued for a user with enterprise admin/co-admin privileges.
The relationship between JWT auth and the Enterprise API is one of convenience. Enterprise API apps are often non-interactive server-side scripts and/or scaled out to multiple processes. In these scenarios JWT is much easier to work with than 3-Legged OAuth.

Fiware KeyRock API bug: Membership of organisations not returned

As part of the FINISH accelerator we are using FIWARE KeyRock and Wirecloud. Currently we are using the Fiware labs global instance to investigate.
We want to restrict our system so that users can only view data that belongs to the organisations of which they are a member.
The following flow seems logical, but correct me if I am wrong:
A user logs into Wirecloud and is directed through a KeyRock login screen.
A Wirecloud Widget gets an access token from Wirecloud environment. The access token was created when the user logged in.
The Wirecloud widget looks up the organisations and roles that a user is member of. Based on this it adds organisation names to its query.
The Wirecloud widget queries a webservice (Orion or otherwise) using the query it just created.
We put the Wilma PEP proxy between the Wirecloud Widget and the webservice to validate that the user is a member of the organisations in the query.
PROBLEM:
We can query user information from KeyRock using the https://account.lab.fiware.org/user?access_token=XXXXXXXXXXX call. But that does not contain any information about the organisations that the user is a member of according to the KeyRock web interface. The organisations element is an empty array. We get a bunch of roles in the json response, but none of them is the "members" role that you assign to users from the "Manage your organization members" screen in KeyRock.
Some digging revealed that the Keystone instance running on Fiware labs contains the information (assuming that a Keystone project = KeyRock organisation). However the access token provided by KeyRock is somehow not valid on the Keystone API. The API we used was accessible here: http://cloud.lab.fiware.org:4730/v3/
Getting a new access token from the Keystone API is not what we want, because that would be a different access token than Wirecloud has obtained, which would require some kind of proxy to log in again and retrieve the organisation membership. That rather defeats the point of passing an access token.
This seems to be a bug in the KeyRock API on the fiware labs instance.
Or am I missing something here?
Or will this problem magically go away if we install KeyRock on our own server?
Thanks for any help,
Robin
You have to follow the steps explained here, but using the specific organization. Probably you have missed the "Authorize" step.
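The question's flow has two decision points: the widget restricts its query to the organisations the user belongs to, and the PEP proxy in front of the web service refuses any query naming an organisation the user is not a member of. As an added example (not Wilma's or KeyRock's code), the following models both as deny-by-default functions over the user-info document, including the failure mode in the question, where `organizations` comes back as an empty array. The shape of the user-info JSON (`organizations` and `roles` as arrays of objects with `id` and `name`) and the role name "member" are assumptions taken from the description above.

```javascript
// Added example, not Wilma's or KeyRock's own code. Models the membership decisions
// of the flow described in the question.
// Assumptions: user info is { id, organizations: [{id, name}], roles: [{id, name}] };
// the organisation-scoped role is named "member".

function organisationsOf(userInfo) {
  const orgs = Array.isArray(userInfo.organizations) ? userInfo.organizations : [];
  return new Set(orgs.map((o) => String(o.name)));
}

// Widget side: the organisation names the widget should add to its query.
// With an empty organisations array this is [] (no data), never "all data".
function widgetQueryScope(userInfo) {
  return [...organisationsOf(userInfo)].sort();
}

// PEP side: decide whether a query restricted to `requestedOrgs` may proceed.
// Returns an object rather than a bare boolean so the denial reason can be logged.
function authorizeOrganisationQuery(userInfo, requestedOrgs) {
  if (!Array.isArray(requestedOrgs) || requestedOrgs.length === 0) {
    return { allowed: false, reason: "query must name at least one organisation" };
  }
  const member = organisationsOf(userInfo);
  const notMember = requestedOrgs.filter((o) => !member.has(o));
  if (notMember.length > 0) {
    return { allowed: false, reason: `not a member of: ${notMember.join(", ")}` };
  }
  return { allowed: true, organisations: [...new Set(requestedOrgs)] };
}

// Constructed sample user-info documents (assumed shape, not real KeyRock output).
const memberUser = {
  id: "user-1",
  roles: [{ id: "role-1", name: "provider" }],
  organizations: [
    { id: "org-1", name: "FINISH" },
    { id: "org-2", name: "Acme" },
  ],
};
// The symptom in the question: roles present, organisations empty.
const noOrgUser = { id: "user-2", roles: [{ id: "role-1", name: "provider" }], organizations: [] };

console.log(widgetQueryScope(memberUser));                                  // [ 'Acme', 'FINISH' ]
console.log(authorizeOrganisationQuery(memberUser, ["FINISH"]).allowed);    // true
console.log(authorizeOrganisationQuery(noOrgUser, ["FINISH"]).allowed);     // false
```

The PEP check is the one that matters for security: the widget's scoping only shapes the query the user sees, and a modified widget can send any organisation name, so the proxy must recompute membership from the user info it obtains with the token rather than trust the query.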

Ping Federate Identity Provider

I am new to setting up PingFederate identity provider configuration and writing code to get a token. I have got a PPT file which explains how a web client connects to the PingFederate server and gets a token, and they mention passing client_id as a param, but I have no idea what client_id is.
Does anyone have any idea?
client_id is your user identity. When you call the writetoken() method, it has parameters to pass... Hope this helps.
I will assume you are using OAuth2 or OpenIdConnect and calling PingFederate to get an Access Token.
First, here is a detailed explanation of what a client is RFC 6749 Client Registration and its role in this authentication protocol.
Second, once you understand this topic, you must configure clients on Ping. For that you must follow their documentation: Client Management.
Finally, you must point your web application to the OAuth2 endpoints, passing the client_id and client_secret; depending on which OAuth2 flow you are using, that will get you closer to getting an access token. You can find more information about that on the Ping Documentation Site.
Hope this helped.