I'm looking to use Azure API Management to provide a centralized API for some external, authenticated APIs (Twitter, etc.), utilizing application-only authentication. I want to provide specific tweets, etc. to a dashboard-like mobile app without users needing to authenticate with their own account for each service.
I haven't been able to find any documentation or examples on doing this so far. Policies look promising, but I haven't been able to prove them out yet. Or possibly creating my own API App for each external service (to handle the authentication properly) and then managing that API via API Management.
Anyone have thoughts/ideas on better ways of accomplishing this? Thanks.
Thanks to #DarrelMiller for keeping me on the correct path
The solution ended up being just needing to pass the correct bearer token as a header, accomplished with Set-Header in the inbound policy of the operation. Twitter has non-trivial instructions on how to obtain the bearer token for their service.
Example:
<inbound>
<set-header name="Authorization" exists-action="override">
<value>Bearer xxxxxxxxxxxxxxxxxxxxx</value>
</set-header>
<base />
</inbound>
Related
We have an existing API that is secured by an initial username & password call to xxxx.com/api/vi/auth/token that returns a bearer token to be included in all future calls to the API. This API is live with some trusted apps.
We now have a requirement to put this API behind Azure API Management (APIM) for a new partner and have set that up to use OAuth2 with AD.
Ideally when APIM calls our backend API we need it to go through the existing API auth flow to get the existing API token and include that with any calls.
There seems to be some limited 'Authorization credentials' that can be set in Azure but I cant find any help on how to set/use them.
It can be done in a number of ways, but most of them would involve writing custom policy. Most simply something like below:
<send-request mode="new" response-variable-name="token" timeout="3">
<set-url>xxxx.com/api/vi/auth/token</set-url>
<set-method>POST</set-method>
<set-header name="Authorization" exists-action="override">
<value>Basic dXNlcm5hbWU6cGFzc3dvcmQ=</value>
</set-header>
</send-request>
<set-header name="Authorization" exists-action="override">
<value>#("Bearer " + ((IResponse)context.Variables["token"]).Body.As<string>())</value>
</set-header>
send-request sends request with basic auth header (substitute for your value), and will store response in token variable.
set-header gets body from token response, parses it as a string and puts it into Authorization header for request to backend.
A few improvements that can be done here:
Store your basic credentials in named value for security.
Cache token so that you don't need to fetch it for every request, possibly cache based on token expiration
I'm new to APIM and I have created an APIM instance and an API (called Ratings). I have pointed to an Azure function that has a couple of endpoints that work fine.
I need to add two other operations that point to another endpoint like https:///api/GetUser/?userid={_userid}.
I'm a bit confused as to how to take my https://larrys.azure-api.net//??????? and then add the call the the https address.
Any pointers would be appreciated.
Thanks|
L
You can use set-backend-service policy at the operation level and override the API level behavior.
Example: <set-backend-service base-url="base URL of the backend service" />
What is the correct way to hit an internal Foundry API from a Code Repository using, for example, a Python transform?
This is possible but somewhat discouraged because of the security impacts. Specifically the token that is used to call the API. Historically, Foundry jobs were run with the building user's complete token. This allows making any API call the user could make, but could be abused by a nefarious actor. Therefore most build today use a project-scoped token which can only read and write datasets, and not make API calls.
Thus you must either un-project-scope the repository so that it uses user tokens, which can be done through the Jemma API, or by supplying a hard-coded token, which can be done through a secured dataset with an appropriate marking, but be aware anyone who can read this dataset could steal the token.
A product support solution called logic flows is coming to make this process smoother.
Once you have a token making the API calls is similar to any other API. Here's an example in python, there's more information in the documentation.
URL = f"https://foundry.url/stemma/api/repos/{repo}/checks"
headers = {
"Authorization": "Bearer " + token
}
req = requests.get(URL, headers=headers)
if req.status_code > 299:
continue
req_json = req.json()
Currently the functionality for accessing Foundry APIs from within a Code Repository is not by default supported.
Because of the mentioned Foundry limitations and project scoped tokens, we create dedicated Service Accounts for automations, create a bearer token for the service account and store it in a dataset which we secure with a Marking. In the transform where we use the token to make api calls, we stop_propagating the Marking to downstream transforms.
This is, unfortunately, rather cumbersome and we are looking here at Palantir's product development team for a better solution.
I am building a basic app using node.js and mysql and just getting a hang of it, I would like to secure the api,like only allow certain people to access the data, maybe by passing a certain token each time a user requests for some information, I tried searching for certain tutorials which used node.js and mysql database and security, I am confused as to which security measure to use, I even read about Json Web Tokens but din't find a proper tutorial for that.Please point me in the right direction.
EDIT
What I meant to say was, only authenticated users are allowed to get access to data in the api, when a random visitor tries to access a URL he shouldnt be alowed to without proper authentication,what I am mostly looking for now is when a user is authenticated the user should be a sent a token of some sort so then gets access to private data,I don't exactly know how to go about this whole thing.Would be glad if you could clear it up for me.
I would look at implementing Oauth2 server in your app. I found this article useful:
http://blog.papersapp.com/oauth-server-in-node-js/
No sure what your exact question is about, but I think the below will help:
Node.js security tips: http://blog.risingstack.com/node-js-security-tips/
Secure Express apps with various HTTP headers: https://github.com/helmetjs/helmet
Go on an educational Web security adventure: https://github.com/toolness/security-adventure
Node.js Security presentation: http://www.slideshare.net/d0cent/nodejs-security?qid=c450507b-e491-4e9a-9b05-89d0c82ea10b&v=default&b=&from_search=6
Take a look at http://passportjs.org/ . Passport has support for alot of authentication methods, however, for your API, you will probably want to use OAuth (http://passportjs.org/docs/oauth2-api). OAuth is what most popular APIs use to authenticate consumers.
For simple projects, You can also use basic authentication, which is what you see when you see the browser prompt asking for username and password. This authentication information can be sent in the header when API consumers makes requests.
I've wrote a tiny script that retrieves publicly available data from some APIs, in JSON format. I'm now trying to get some protected data out from bit.ly (click stats from a given user) and so I obviously need to authenticate via OAuth.
I don't seem to understand the role of client id and secret, as well as the user API key. I also don't get how to grab an access token (maybe generated during OAuth authentication?) to authenticate my HTTP requests of protected data. Do you guys know any good (e)book, article or any other resources I should read to understand in detail these architectural nuances of authenticated data retrievals and HTTP requests?
It is exactly as you suspect. The access token is granted during the OAuth process, which is basically a three step rocket of getting
Temporary credentials for your application
An end user needs to authenticate those temporary credentials, which grants you a verifier token
And finally you exchange your temporary credentials and the user verification for an access token.
Depending on which language/framework you are using, there are often good libaries available to help you implement an OAuth client. Check out: http://oauth.net/code/
But you will be well served by a clear understanding of how the whole thing works. Twitter has a great tutorial about OAuth 1: https://dev.twitter.com/docs/auth/oauth.
Regarding OAuth 2. Check out http://hueniverse.com/2010/05/introducing-oauth-2-0/. Hueniverse is a good resource for all things OAuth by the way.