I'm trying to use Fiware PEPWilma and AuthZForce to ensure Security Level 2 on my service.
I'm struggling to have it set as I can't find a guide/reference material explaining how to configure them. Even their guides are lacking a lot of information.
The attribute I'm trying to understand now is path of config.azf={} inside pepwilma's config.js configuration file. What does this attribute expect to receive?
In the sample config.js file I've got the value is:
path: '/authzforce/domains/v10rvAGjEeaiEQJCrBEAAg/pdp'
But I don't know what is this path for and how to get my domain id.
Thank you in advance.
This path used to be the URL path to the AuthzForce domain (so a full URL would be something like http://localhost:8080/authzforce/domains/v10rvAGjEeaiEQJCrBEAAg/pdp) that is used for authorization decisions (based on the authorization policies in that domain).
In the latest PEP Proxy v5.4, this attribute no longer exists. The PEP used the path /authzforce-ce/domains/${domainId}, where domainId - as Alvaro mentioned in a comment - is filled automatically from the OAuth token expected in the incoming HTTP request and which has been validated in the previous authentication phase. Actually, the domainId in the token is linked to the applicationId (each application has a specific AuthzForce domainId).
Related
I have already a code to retrieve the objects in the bucket using oci-java-sdk and this is working as expected. I would like to retrieve the URL of the file which was uploaded to the bucket in object storage and when I use this URL, this should redirect to the actual location without asking any credentials.
I saw preauthenticated requests but again i need to create one more request. I dont want to send one more request and want to get URL in the existing GetObjectResponse.
Any suggestions>
Thanks,
js
The URL of an object is not returned from the API but can be built using information you know (See Update Below!). The pattern is:
https://{api_endpoint}/n/{namespace_name}/b/{bucket_name}/o/{object_name}
Accessing that URL will (generally, see below) require authentication. Our authentication mechanism is described at:
https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/signingrequests.htm
Authentication is NOT required if you configure the bucket as a Public Bucket.
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm?TocPath=Services%7CObject%20Storage%7C_____2#publicbuckets
As you mentioned, Pre-authenticated Requests (PARs) are an option. They are generally used in this situation, and they work well.
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm
Strictly speaking, it is also possible to use our Amazon S3 Compatible API...
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm
...and S3's presigned URLs to generate (without involving the API) a URL that will work without additional authentication.
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
Update: A teammate pointed out that the OCI SDK for Java now includes a getEndpoint method that can be used to get the hostname needed when querying the Object Storage API. https://docs.cloud.oracle.com/en-us/iaas/tools/java/1.25.3/com/oracle/bmc/objectstorage/ObjectStorage.html#getEndpoint--
We have SAG Webmethods implementation being used as an API Gateway in our project. We do not have much expertise in WebMethods. Based on a document received from the team which was maintaining this gateway implementation we are trying to build a custom gateway solution using open source software.
There is a soap web service which is being accessed by clients using /soap URL but based on looking at the web service implementation with WebMethods, we can see that the soap web service end point is of the pattern /ws/**.
Any idea where can we check to find how the mapping is happening from incoming url /soap to actual soap webservice end point /ws/**? We checked under "Settings > URL Aliases" of Web Methods Integration Server but there is no url alias set for this mapping.
Could you please help provide some pointers on where such a configuration could be set up for this redirection?
Regards,
Jacob
if i understood the issue the right way, this configuration is done as a part of webMethods code only. you need to open the wM packages in SoftwareAG Designer and in the Service Development perspective of Designer ,Connect to the Integration Server with those packages and have a look at the contents. You need to find something called WSD. if you right click and say property you will see the Element Type as :Web Service Descriptor.Open the WSD and on the right side you can see properties window which can have properties like WSDL URL /Source URI. this is where this /ws/ Config is done. Any requests hitting this URL will be handled by the associated WSD defined.
There is also an option to add an alias here in
admin Console--->Settings-->WebService--->Create provider /Web Service
endpoint Alias
.
I have created a sample SAPUI5 application in online editor
Check this link to view my code
I am getting this below error -
> XMLHttpRequest cannot load
> http://services.odata.org/V2/Northwind/Northwind.svc/Products?$format=json.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource.
Can someone help me in solving this issue - I understand that it is CORS issue which can be solved by disabling the security in chrome.
However - I don't to disable the security feature of chrome. So, is there any other way (probably by passing some headers) to solve this issue.
Appreciate your help in advance.
P.S.: I have already looked in these links -
http://scn.sap.com/community/developer-center/front-end/blog/2013/06/29/solving-same-origin-policy-issue-in-different-ways
http://scn.sap.com/community/gateway/blog/2014/09/23/solve-cors-with-gateway-and-chrome
add the northwind odata service as a destination under the DESTINATIONS tab of your hcp account. Then make an ajax call to the northwind services using relative path i.e. /destination/.....
Or make your own java application that works as proxy which allows source as and re-routes the payload to the correct destination.
basically destination is also a proxy supplied for out of the box usage by sap
If this is just for the purpose of testing, the following solution should be the easiest.
Use a proxy service which adds the needed headers, for example the following: https://github.com/Rob--W/cors-anywhere
Usage is really simple, just add the URL of the proxy service before your OData URL:
var uri = "https://cors-anywhere.herokuapp.com/https://services.odata.org/V2/Northwind/Northwind.svc/Products?$format=json";
I've set up a MediaWiki server on an Azure website with the PluggableAuth and OpenID Connect extensions. The latter uses the PHP OpenID Connect Basic Client library. I am an administrator in the Azure AD domain example.com, wherein I've created an application with App ID URI, sign-on URL and reply URL all set to https://wiki.azurewebsites.net/. When I navigate to the wiki, I observe the following behavior (cookie values omitted for now):
Client Request
GET https://wiki.azurewebsites.net/ HTTP/1.1
RP Request
GET https://login.windows.net/example.com/.well-known/openid-configuration
IP Response
(some response)
RP Response
HTTP/1.1 302 Moved Temporarily
Location: https://login.windows.net/{tenant_id}/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&nonce={nonce}&state={state}
Client Request
(follows redirect)
IP Response
HTTP/1.1 302 Found
Location: https://wiki.azurewebsites.net/?code={code}&state={state}&session_state={session_state}
Client Request
(follows redirect)
RP Request (also repeats #2 & #3)
POST https://login.windows.net/{tenant_id}/oauth2/token
grant_type=authorization_code&code={code}&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&client_secret={client_secret}
IP Response
(As interpreted by MediaWiki; I don't have the full response logged at this time)
AADSTS50001: Resource identifier is not provided.
Note that if I change the OpenID PHP client to provide the 'resource' parameter in step 8, I get the following error response from AAD instead:
RP Request
POST https://login.windows.net/{tenant_id}/oauth2/token
grant_type=authorization_code&code={code}&redirect_uri=https%3A%2F%2Fwiki.azurewebsites.net%2F&resource=https%3A%2F%2Fwiki.azurewebsites.net%2F&client_id={client_id}&client_secret={client_secret}
IP Response
AADSTS90027: The client '{client_id}' and resource 'https://wiki.azurewebsites.net/' identify the same application.
(This has come up before.)
Update
I've made some progress based on #jricher's suggestions, but after working through several more errors I've hit one that I can't figure out. Once this is all done I'll submit pull requests to the affected libraries.
Here's what I've done:
I've added a second application to the example.com Azure AD domain, with the App ID URI set to mediawiki://wiki.azurewebsites.net/, as a dummy "resource". I also granted the https://wiki.azurewebsites.net/ application delegated access to this new application.
Passing in the dummy application's URI as the resource parameter in step #8, I'm now getting back the access, refresh, and ID tokens in #9!
The OpenID Connect library requires that the ID token be signed, but while Azure AD signs the access token it doesn't sign the ID token. It comes with the following properties: {"typ":"JWT","alg":"none"}. So I had to modify the library to allow the caller to specify that unsigned ID tokens are considered "verified". Grrr.
Okay, next it turns out that the claims can't be verified because the OpenID Provider URL I specified and the issuer URL returned in the token are different. (Seriously?!) So, the provider has to be specified as https://sts.windows.net/{tenant_id}/, and then that works.
Next, I found that I hadn't run the MediaWiki DB upgrade script for the OpenID Connect extension yet. Thankfully that was a quick fix.
After that, I am now left with (what I hope is) the final problem of trying to get the user info from AAD's OpenID Connect UserInfo endpoint. I'll give that its own section.
Can't get the user info [Updated]
This is where I am stuck now. After step #9, following one or two intermediate requests to get metadata and keys for verifying the token, the following occurs:
RP Request:
(Updated to use GET with Authorization: Bearer header, per MSDN and the spec.)
GET https://login.windows.net/{tenant_id}/openid/userinfo
Authorization: Bearer {access_token}
IP Response:
400 Bad Request
AADSTS50063: Credential parsing failed. AADSTS90010: JWT tokens cannot be used with the UserInfo endpoint.
(If I change #10 to be either a POST request, with access_token in the body, or a GET request with access_token in the query string, AAD returns the error: AADSTS70000: Authentication failed. UserInfo token is not valid. The same occurs if I use the value of the id_token in place of the access_token value that I received.)
Help?
Update
I'm still hoping someone can shed light on the final issue (the UserInfo endpoint not accepting the bearer token), but I may split that out into a separate question. In the meantime, I'm adding some workarounds to the libraries (PRs coming soon) so that the claims which are already being returned in the bearer token can be used instead of making the call to the UserInfo endpoint. Many thanks to everyone who's helped out with this.
There's also a nagging part of me that wonders if the whole thing would not have been simpler with the OpenID Connect Basic Profile. I assume there's a reason why that was not implemented by the MediaWiki extension.
Update 2
I just came across a new post from Vittorio Bertocci that includes this helpful hint:
...in this request the application is asking for a token for itself! In Azure AD this is possible only if the requested token is an id_token...
This suggests that just changing the token request type in step 8 from authorization_code to id_token could remove the need for the non-standard resource parameter and also make the ugly second AAD application unnecessary. Still a hack, but it feels like much less of one.
Justin is right. For authorization code grant flow, your must specify the resource parameter in either the authorization request or the token request.
Use &resource=https%3A%2F%2Fgraph.windows.net%2F to get an access token for the Azure AD Graph API.
Use &resource=https%3A%2F%2Fmanagement.core.windows.net%2F to get a token for the Azure Service Management APIs.
...
Hope this helps
Microsoft's implementation of OpenID Connect (and OAuth2) has a known bug where it requires the resource parameter to be sent by the client. This is an MS-specific parameter and requiring it unfortunately breaks compatibility with pretty much every major OAuth2 and OpenID Connect library out there. I know that MS is aware of the issue (I've been attempting to do interoperability testing with their team for quite a while now), but I don't know of any plans to fix the problem.
So in the mean time, your only real path is to hack your client software so that it sends a resource parameter that the AS will accept. It looks like you managed to make it send the parameter, but didn't send a value that it liked.
I had issues getting this running on Azure, even though I got something working locally. Since I was trying to setup a private wiki anyway, I ended up enabling Azure AD protection for the whole site by turning on:
All Settings -> Features -> Authentication / Authorization
From within the website in https://portal.azure.com
This made it so you had to authenticate to Azure-AD before you saw any page of the site. Once you were authenticated a bunch of HTTP Headers are set for the application with your username, including REMOTE_USER. As a result I used the following plugin to automatically log the already authenticated user into Azure:
https://www.mediawiki.org/wiki/Extension:Auth_remoteuser
I have a Tomcat 5.5 server that hosts some HTML pages. I want to control the access to these pages. The incoming users' HTTP requests are supposed to have special authentication values.
What I need is to write a function that returns true/false based on the authentication value for each user request. Based on this true/false value, the user should be granted the access or not.
Any idea about how to do that?
Thanks
A pragmatic solution would be to create a ServletFilter and map it to all resources (/*). Reading your question, I guess your authentication method will not be based on sessions (JSESSIONID cookie), but on tokens part of the URL itself.
You have to write your own Authenticator in Tomcat.
Edit:
Subclass the AuthencatorBase class and implement the the abstract method authenticate
Place your jar in the lib folder of tomcat, not your webapp
specify in your web.xml which resources your want to protect.
Declare your authenticator in your context.xml => this technically a Valve
deploy your application and be happy!
With Tomcat, you'll need to use a Realm to protect your pages.
http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html