Handle the case where issuer is the Organisation Authorization - node.js

I am using Open ID Connect (OIDC) to authenticate users into a web application and Okta org as an authorization server, where issuer is https://{subdomain}.okta.com.
I am facing an issue which has already been registered as a bug, and a Merge Request has already been opened on Okta-Oidc-js
HERE and HERE
This is a Node library, and the same library exists in Golang as well and does not have any issues as such.
I have an application that is going to be in production in the upcoming months and I don't know when these MRs will get merged. What are the alternative ways to tackle this case?
Any suggestions would be appreciated.

Related

Can security be improved with credentials in a .Net gRPC service?

I'm looking to implement a gRPC service in .net core, the client would also be in .net core running as a service. The client service will only be installed by my team and the installer package will not be available publicly (and wouldn't be much use to anyone else). I would like advice on whether call credentials (JWT bearer tokens) and/or channel credentials (client certs) would improve security, and if so how/why.
I know this question isn't about specific code, however it may well help determine how the service is coded, so if this is posted in the wrong place then please advise on the correct place.
The purpose of this service is only to receive information from clients, none of which is sensitive, mostly just health info of the endpoint. The server service will be using TLS with a Let's Encrypt certificate. As the connection will be encrypted, the identity of the server should be ensured and no nefarious players should have visibility of the data transferred. The clients will only be sending data (to identify the endpoint) that contains a serial number generated by my team at the time of install, and if this somehow got duplicated the wrong data wouldn't really cause any issues or data breaches, only that there would be some remediation work by a team member to correct the issue.
Because of these reasons, I can't see what benefit call or channel credentials would offer, especially channel credentials with the added overhead of maintaining client certificates for each client.
Can you offer any thoughts on this, or if there are any other security concerns I should consider?
Also, with this sort of set-up, is there any way a 3rd party could access the server service if they don't have the proto files?
Thanks

Keycloak policy enforcer bearer-only client

I am developing a Node.js web app that uses Keycloak as authentication service. I already have two clients: public client for the web app (app-web) and bearer-only for the API (app-api). On the app-api I use resources, scopes, policies, and permissions to control the access.
To check the permissions, I am using keycloak.enforcer(...) from the keycloak-connect module (npm keycloak-connect). When I try to check a permission, the server always returns a 403 Access denied response. But if I change app-api from bearer-only to confidential (keeping the same keycloak.json configuration file), the client works fine and is capable of checking permissions.
This problem seems to be because a bearer-only client cannot obtain tokens from the server (keycloak similar question).
My question is: Is this a normal behavior of Keycloak? Why allow the Authorization tab in bearer-only clients if you cannot use the keycloak.enforcer? Am I missing some configuration?
Thanks for your help.
I also stumbled over this bearer-only thing a few days ago. And I also found it confusing that you can enable fine grained authorization, it took me some time to find that out too. Well, a bearer-only client, as the name already states, authenticates clients only by their bearer token.
I posted this question to the Keycloak mailing list too and the answer was:
It is the expected behavior but also a UI issue. You should not have access to that tab when the client is bearer-only.
They even created an issue, KEYCLOAK-10808.
This is similar to what @Valentin mentioned.
If you want to read all the thread: Mailing list response

socketcluster jwt auth using token generated on another server

(Tom Vaga asked a similar question here but Luke's response didn't quite address what I'd hoped to accomplish... I'd comment there but don't have the points yet :-) Thanks! )
I've got a Slim server working well to register and authenticate users for our API, using JWT, allowing only 'authenticated' users to access certain api endpoints.
I'm now trying to set up a SocketCluster for various realtime messaging parts of the app, and I would like to restrict subscriptions to only authenticated users. I may be missing a part of the concept, but is it not possible to use the token cookie set successfully by Slim to also authenticate to SocketCluster? (Ideally using the built-in authentication process, and without having to call back to the Slim API.) They're on different servers as sub-domains... Would I have to insert the same secret into the SocketCluster configuration somewhere?
Thank you!

Xero Partner API Oauth certificates issue when trying to obtain tokens ( Linux / Perl )

I am attempting to complete our integration with the Xero Partner API and am having some trouble with the OAuth process for obtaining tokens. We didn't have a problem with this using the public API, but with the partner API, which requires a client certificate, we keep getting an error "Can't connect to api-partner.network.xero.com:443".
We handle this OAuth part from an authorization server, an Apache/Linux server running Perl code.
The rest of the calls are made from our main IIS server and we have no problems there.
What's puzzling is that according to the docs we don't even need the client certificate for the oauth calls.
http://developer.xero.com/documentation/getting-started/partner-applications/
However, at first we received error messages saying otherwise ("certificate verify failed") and we guessed that we do need the client certificate even at this stage. So we tried to install and use all certificate variations, but still we can't connect.
Can anyone confirm that OAuth calls require the client certificate and, if so, elaborate on what is needed in order to complete the OAuth step on an Apache/Linux server? What certificates are needed and how do we install them?
Thank you very much,
Guy.
Xero provides 3 types of application integration approaches that all use the OAuth (v1.0a) protocol to authenticate 3rd party applications.
Using the 'private' and 'partner' applications will make use of a cert, while using the public application will not. Private applications are appropriate when you just wish to establish an integration point between your application and your Xero data. Public applications are appropriate when you wish to obtain access to your user's Xero data and require them to authorise this (for 30 minutes). Partner applications are an evolution of the Public applications and require Xero approval, but operate similarly except that the user doesn't need to re-authenticate every 30 minutes to provide you with access to their data.
You should first ensure you are familiar with the Xero docs and particularly the Getting Started Guide.
With regards to perl there is a Net::Xero module on CPAN. I used this to inform my own CCP:Xero module which is available on Github at https://github.com/pscott-au/CCP-Xero

Securing a nodejs / sailsjs API with OAuth2

I have developed a REST API with sailsjs and I'd like to add OAuth2 authorization to secure this API. I'm quite new to OAuth and I'm not sure where to start.
I found several modules that could be used for this purpose, for instance oauth2orize and an example of its usage https://github.com/aaron524/sails-oauth2-provider-example, but I do not fully understand how this works internally.
Basically, I'll have several clients consuming the API I'm developing:
- clients that I trust and that I'd like to use with the "Resource Owner Credential Authorization"
- clients that I do not trust and that will connect using the Authorization Code flow
I was thinking of adding a trusted property to the Client model within the sails application, and then when a user logs onto an application:
- he will have direct access to his resources (case of the trusted application)
- he will be asked to approve or deny the application's access to his resources (case of the untrusted application)
Is this a good approach? Any pointers on how to select the corresponding strategy based on the client's trust level?
UPDATE
I've setup the following project on GitHub, using several tutorial and projects I found.
https://github.com/lucj/sails-oauth2-api
This project is not functional yet.
I'm still not clear on how to select the correct grant type (authorization code vs resource owner's password) when the user consumes the API through an application. How do I integrate this check in the policies?
I am not able to create the link between the OAuth endpoints (/oauth/authorize, /oauth/token) and the call to oauth2orize. Any idea?
After struggling with oauth2orize, sails and passport, I finally managed to integrate OAuth2 security for my API in the project: https://github.com/lucj/sails-oauth2-api
