HTML5 SPA authentication - html

As of now, we have an authentication service using Spring Security OAuth2 which implements the following grant types: client_credentials and password.
To obtain a token, a client (potentially an HTML5 SPA client) would have to store the client_id and secret to obtain a bearer token with either the client_credentials or password grant type. For this case, it's not very safe, as the client_id and secret would live within the HTML5 app's source and anyone could obtain them.
Is there a different flow for this, other than client_credentials or password?

Generally speaking, for SPAs the recommended authorization protocol is OAuth with the Implicit grant.
You can read a bit more about how that is implemented in Azure Active Directory (it is free) here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant
and here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-implicit

OAuth 2 authorization server has the implementation of oauth2.1, which does support grant_type password. Is there a way to add password grant to it?

OAuth2 auth server from Spring does not support the ROPC; how would I add/enable the ROPC?
The default auth server is working as expected. Now I need the password grant type. I need to support legacy apps.

Using external IdP to authenticate to Banno

We want to utilize an external IdP that provides authentication services with Banno. Is there an option to configure it as an OIDC IdP and redirect users to authenticate with it?
Looking through the Banno authentication framework, I only see references to pulling data from Banno, assuming the user was already authenticated. I cannot find any documentation on how to configure redirect-to-IdP for authentication.
We don't have documentation specifically about that use case, but we do have docs about our support for OpenID Connect Discovery: https://jackhenry.dev/open-api-docs/consumer-api/api-reference/v0/oauth-and-openid-connect/#openid-connect-discovery
We're aware of folks using Amazon Cognito, Kong, and Firebase with our OIDC Discovery endpoint.
Note that those services may not support Proof Key for Code Exchange (PKCE). If that's the case, then you'll have to have Banno Admin for your financial institution turn off the "Require PKCE" option in the External Application.
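The answer above turns on whether the external IdP integration can do Proof Key for Code Exchange, and what is lost when "Require PKCE" is switched off. The following is an added example, not Banno's, Jack Henry's or any IdP's code: it implements the RFC 7636 S256 transform on both sides of the exchange (client-side verifier/challenge generation, and the token-endpoint check that rejects an authorization code presented without the matching verifier). The client_id and redirect_uri values are placeholders.

```python
import base64
import hashlib
import secrets


def make_code_verifier(length: int = 64) -> str:
    """Generate a PKCE code_verifier (RFC 7636 section 4.1).

    Allowed length is 43..128 characters from the unreserved set
    [A-Za-z0-9-._~]; the base64url output of token_urlsafe() stays inside it.
    """
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    # token_urlsafe(n) yields about 4n/3 characters, so there is always enough to trim.
    return secrets.token_urlsafe(length)[:length]


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_params(client_id: str, redirect_uri: str,
                                 verifier: str, state: str) -> dict:
    """Query parameters the client sends to the authorization endpoint.

    Only the challenge leaves the client at this step; the verifier is kept
    until the token request, so an intercepted code alone cannot be redeemed.
    """
    return {
        "response_type": "code",
        "client_id": client_id,          # placeholder value supplied by the caller
        "redirect_uri": redirect_uri,    # placeholder value supplied by the caller
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier
    and compare in constant time. This is the check that disappears when
    "Require PKCE" is turned off for a client that cannot send a verifier."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)
```

The first assertion in the accompanying check uses the test vector from RFC 7636 Appendix B, which is the quickest way to confirm that an implementation is computing the S256 challenge exactly as an authorization server will.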

OAuth2 without Auth Token for Third Party Applications

I would like to integrate Foundry with the central API gateway of our organisation.
Access of the gateway should be granted via OAuth2 via the "Third Party Applications" functionality of Foundry.
Now I am facing the problem that our API Gateway only supports the Client Credentials Flow, in which no Authorization Token is used but only the Access Token. Is there a possibility to make Foundry follow the simplified flow without an Auth token?
Foundry supports the OAuth2 Authorization Code grant which provides delegated access to Foundry resources and services.
Support for the OAuth2 Client Credentials grant, which allows service user access, is under limited release with a few customers. If it’s not available for you please reach out through your internal support channels. A general release is expected early this spring, I'll try and update here if that timeframe slips.

API for validating user credentials (username/password) in PING

Is there an API in PingFederate / PingOne to validate user credentials, i.e. username and password?
Here is a scenario in which I would like to use it:
user logs in via SAML SSO to my web application
certain application feature requires that the user credentials are validated again (to sign-off some operation)
SAML SSO does not make it easy to re-validate user credentials without logging out from the application; users' passwords are obviously not stored in the application, so the only way to validate credentials is to send them via some API to Ping for validation. However, I was unable to find such an API in Ping.
For example, OKTA (which offers similar services as Ping) does provide such API:
curl -v -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "dade.murphy@example.com",
    "password": "correcthorsebatterystaple"
  }' "https://${yourOktaDomain}/api/v1/authn"
I am looking for something similar in Ping.
Yes - there are two options in PingFederate for this:
Authentication API - This enables clients to authenticate users via a REST API instead of having the adapters present login templates directly. More details here: https://docs.pingidentity.com/bundle/pingfederate-102/page/elz1592262150859.html
OAuth Resource owner password credentials grant type - If you're just looking to validate a username + password combination, you could leverage PingFederate's support of the OAuth ROPC grant type. It allows you to POST the credentials and get back an Access Token if it was successful. More details here: https://docs.pingidentity.com/bundle/pingfederate-102/page/lzn1564003025072.html
Karolbe, you may also wish to take a look at the Adaptive Authentication feature provided by PingFederate, which directly answers your second requirement as stated above, i.e. a certain application feature requires that the user credentials are validated again (to sign off some operation). Here is the reference from the PingIdentity website: Adaptive authentication and authorization allow you to evaluate contextual, behavioral and correlated data to make a more informed decision and gain a higher level of assurance about a user's identity, which is what your requirement 2) is asking for. A typical use case could be, say, a user tries to access a high-value application, or tries to log in after a configured idle time; Adaptive Authentication will force the user to present authentication credentials again.
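The ROPC option in the first answer is, in practice, a step-up check: the application forwards the re-entered password to the token endpoint and only cares whether a token comes back. The following is an added example, not PingFederate's or Okta's code, of how to wrap that exchange so that a wrong password and an outage are not confused. It assumes a standard RFC 6749 section 4.3 token endpoint with the client authenticating over HTTP Basic; the token_url, client_id and client_secret values are placeholders supplied by the caller, and the `opener` parameter exists only so the function can be exercised without a live server.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_ropc_request(token_url, client_id, client_secret, username, password):
    """RFC 6749 section 4.3 token request.

    The client authenticates with HTTP Basic; the user's credentials travel
    in the form body. This request must only ever be sent over TLS.
    """
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
    }).encode("utf-8")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        token_url,  # placeholder endpoint supplied by the caller
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
            "Authorization": f"Basic {basic}",
        },
    )


def credentials_valid(token_url, client_id, client_secret, username, password,
                      opener=urllib.request.urlopen):
    """Return True only when the authorization server issued an access token.

    HTTP 400 with error=invalid_grant means the password was rejected and maps
    to False. Anything else (network failure, 401 on the client credentials,
    5xx) is raised, so a broken IdP is never reported as "wrong password".
    The token itself is discarded: the purpose is confirmation, not access.
    """
    req = build_ropc_request(token_url, client_id, client_secret, username, password)
    try:
        with opener(req, timeout=10) as resp:
            payload = json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code == 400:
            error = json.loads(exc.read() or b"{}").get("error")
            if error == "invalid_grant":
                return False
        raise
    return "access_token" in payload
```

Keep the re-entered password out of application logs and do not cache the returned token: if the application starts using it, the step-up check silently turns into a second session with the user's full rights.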

Is there any way to log in to the Zabbix API without giving the username and password in the script?

I am using the pyzabbix module to use the Zabbix API, but is there any way to log in to the Zabbix API without giving the username and password in the Python script?
Something like an API token which serves the purpose.
There are no API tokens or similar access methods in Zabbix currently.
There is not, but you should use an environment variable (see environment variables in Python) to store the password/token anyway, in order to avoid having it inside the code in cleartext. The environment is visible to the user only, and is usually initialized from a protected file (0600 permissions in Unix style) or a masked CI/CD variable.
I am using Zabbix 5.4.7
There is a section API tokens under:
Administration -> General -> API tokens
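Putting the two answers together (read the secret from the environment rather than the script; prefer a Zabbix 5.4 API token where one exists), here is an added example that is not pyzabbix's or Zabbix's own code. It assumes pyzabbix's `ZabbixAPI.login()` accepts `user`/`password` and, from pyzabbix 1.2, `api_token`; the environment variable names are this example's own convention, and `env_file_is_private` checks the 0600-style permission the second answer mentions on the file that seeds the environment.

```python
import os
import stat
from typing import Mapping


class MissingCredential(RuntimeError):
    """Raised when neither a token nor a username/password pair is configured."""


def zabbix_login_args(env: Mapping[str, str] = os.environ) -> dict:
    """Choose pyzabbix login arguments from the environment.

    Preference order (variable names are this example's convention):
      ZABBIX_API_TOKEN               -> {"api_token": ...}   (Zabbix 5.4+ API tokens)
      ZABBIX_USER + ZABBIX_PASSWORD  -> {"user": ..., "password": ...}
    Nothing usable raises, so a misconfigured host fails loudly instead of
    tempting anyone to fall back to a literal in the script.
    """
    token = env.get("ZABBIX_API_TOKEN")
    if token:
        return {"api_token": token}
    user, password = env.get("ZABBIX_USER"), env.get("ZABBIX_PASSWORD")
    if user and password:
        return {"user": user, "password": password}
    raise MissingCredential("set ZABBIX_API_TOKEN or ZABBIX_USER and ZABBIX_PASSWORD")


def env_file_is_private(path: str) -> bool:
    """True if the file that seeds the environment has no group/other bits (0600-style)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def connect(url: str, env: Mapping[str, str] = os.environ):
    """Open a pyzabbix session with no credential literal in the script.

    Assumes pyzabbix >= 1.2 for login(api_token=...); older releases only
    take user/password. Imported locally so the rest of the module works
    without pyzabbix installed.
    """
    from pyzabbix import ZabbixAPI
    api = ZabbixAPI(url)
    api.login(**zabbix_login_args(env))
    return api
```

An API token is preferable to a password in the environment because it can be scoped to a dedicated user, given an expiry in Administration -> General -> API tokens, and revoked on its own without rotating a human's password.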