I have successfully set up both jhipster microservice app and gateway app.
Both are successfully talking to each other.
Now I am building a separate app (mobile app - NativeScript), and am trying to make it talk to
How should I go about it? What all things do I need to look at in its configuration?
Please suggest.
First, your mobile app must register through the gateway /api/register endpoint.
Second, it must retrieve its token (if you use JWT) through the gateway /api/authenticate endpoint.
Last, it can then consume the microservice /api/* endpoints by adding an Authorization header to the HTTP request:
Authorization: Bearer tokenRetrieved
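The three steps above as a small client, added here as an example and not taken from the answer, from JHipster or from NativeScript. The fetch implementation is injected so the flow can be exercised offline against a constructed fake gateway; in a NativeScript app you would pass the global fetch. The request and response shapes (register body with login/email/password/langKey, authenticate body with username/password/rememberMe, the id_token field in the reply, and the /services/<app>/api/* route through the gateway) are this example's assumptions about JHipster's conventions.

```javascript
// Added example, not the original answer's code. Assumed JHipster conventions:
//   POST /api/register     body {login, email, password, langKey}
//   POST /api/authenticate body {username, password, rememberMe} -> {id_token}
//   GET  /services/<app>/api/*  with "Authorization: Bearer <id_token>"
function createGatewayClient(gatewayUrl, fetchImpl) {
  let idToken = null;

  async function postJson(path, body) {
    const res = await fetchImpl(gatewayUrl + path, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
    return res;
  }

  return {
    // Step 1: create the account through the gateway.
    async register(login, email, password) {
      await postJson("/api/register", { login, email, password, langKey: "en" });
    },
    // Step 2: exchange credentials for the JWT and keep it in memory only.
    async authenticate(username, password) {
      const res = await postJson("/api/authenticate", { username, password, rememberMe: false });
      const data = await res.json();
      if (typeof data.id_token !== "string" || data.id_token.length === 0) {
        throw new Error("authenticate response carried no id_token");
      }
      idToken = data.id_token;
      return idToken;
    },
    // Step 3: call a microservice endpoint with the Bearer header; a 401 means
    // the token expired or was rejected and the user must authenticate again.
    async get(path) {
      if (idToken === null) throw new Error("call authenticate() before the API");
      const res = await fetchImpl(gatewayUrl + path, {
        method: "GET",
        headers: { Accept: "application/json", Authorization: `Bearer ${idToken}` },
      });
      if (res.status === 401) throw new Error("token rejected, re-authenticate");
      if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
      return res.json();
    },
    currentToken() { return idToken; },
  };
}

// Constructed fake gateway so the example runs offline: records every request
// and answers the three endpoints the way the real gateway is assumed to.
function makeFakeGateway() {
  const calls = [];
  const token = "header.payload.signature"; // placeholder string, not a real JWT
  const reply = (status, obj) => ({ ok: status >= 200 && status < 300, status, json: async () => obj });
  const fetchImpl = async (url, init) => {
    calls.push({ url, method: init.method, headers: init.headers, body: init.body });
    const path = url.replace(/^https?:\/\/[^/]+/, "");
    if (path === "/api/register") return reply(201, {});
    if (path === "/api/authenticate") return reply(200, { id_token: token });
    if (init.headers.Authorization === `Bearer ${token}`) return reply(200, [{ id: 1 }]);
    return reply(401, {});
  };
  return { calls, token, fetchImpl };
}

// Runs the full register -> authenticate -> call sequence against the fake.
async function demo() {
  const fake = makeFakeGateway();
  const client = createGatewayClient("http://localhost:8080", fake.fetchImpl);
  await client.register("alice", "alice@example.com", "correct horse battery");
  await client.authenticate("alice", "correct horse battery");
  const items = await client.get("/services/test/api/tests");
  return { items, calls: fake.calls, token: fake.token };
}
```

Keep the token in memory (or the platform's secure storage), never in plain app settings, and treat a 401 on any call as "re-authenticate" rather than retrying with the same token.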
Currently doing some research to set up an (Azure) API gateway with OAuth (JWT token) security.
An external partner/app sends a request to an API endpoint published on the gateway, including a valid JWT token in the header, that gets validated by the gateway against Azure AD, for example. When validated, the request is routed to the backend service. No problems here.
My question is, what is best practice for the external app to obtain that JWT-token (to use for the api call) ?
Obviously, it could send a request to Azure AD with a client ID + secret to obtain a valid JWT token. But to do so it has to call my internal Azure AD directly? Is this the way to do it?
Or should I expose a 'get-jwt-token' API on my API gateway and route that request to AD? How should I secure that API? With basic auth?
Or am I missing something, and is there a much better best/proven practice?
HOSTING BEST PRACTICE
A reverse proxy or API gateway is placed in front of both APIs and the Authorization Server (AS). This ensures that an attacker who somehow gains access to the back end entry point cannot access data sources.
OAUTH REQUESTS TO GET TOKENS
OAuth requests are typically proxied straight through the reverse proxy / API gateway to the AS with no extra logic. All credentials, auditing of login attempts etc. remain in the AS.
MANAGED SERVICES
If using Azure AD as a cloud managed AS, this is a special case: the system is already hardened for internet clients, so most companies don't add their own proxying - though it is possible to do so.
FURTHER INFO
The first of these covers the infra setup and the second gives you an idea of extensibility options once a reverse proxy / gateway is in place.
IAM Primer
API Gateway Guides
I have an on-premise API that uses OAuth, so I use the "Authorization: Bearer ..." header when calling it from on-prem. Now I want to call this API from external using Azure Application Proxy with authentication. I know how to acquire a Bearer token to authenticate against the Application Proxy.
The problem is that in the same HTTP call to the on-prem API from external, I need to have 2 different "Authorization: Bearer ..." headers, one for the Application Proxy and one for the on-prem API.
I cannot just have 2 Authorization headers, right? So how do I call my on-prem API from external?
Edit: I've never found the real solution, so I built an "On-Premise Proxy" that swaps Authorization: Bearer after the Azure App Proxy. Here's how it works:
The outside app inserts 2 headers with the call to Azure App Proxy (AAP). The first is Authorization: Bearer with the token required by AAP. The second is a dummy header "AuthorizationOnPrem" with the token that is required by the app behind the Azure Proxy (on-prem).
The Azure Proxy redirects the call to my custom "On-Premise Proxy".
This On-Prem Proxy copies the token from AuthorizationOnPrem to Authorization.
Then the On-Prem Proxy calls the real on-prem app with the same data it was called with, but with the right token.
I know it's quite hacky, but it worked for me with the on-prem app I needed. And it was surprisingly easy to do. Might not scale well, though.
I've set up my new gateway and a microservice for testing purposes.
The microservice has a single entity with only one field.
The gateway recognizes the microservice in the Gateway tab of the administration panel over the web interface, but in the URL I see /services/test/**.
If I try to use the Swagger integrated in the interface, the request is generated with the same URL.
And I'm always getting error 401.
I didn't find something useful in other questions.
I just want to know how to remove that /services in the URL, because the test microservice is mapped like: localhost:8080/test/api/tests
I'm using JHipster 6.0.1.
I'm using JWT auth.
Everything is built with Maven.
I have a web app configured in my Azure AD.
On a machine, I have installed a connector and configured an application proxy with that connector.
I am now trying to connect from an Android mobile application to the web app through the application proxy.
If I use a WebView inside my app, I can load the User access URL, enter my credentials and I receive a cookie for use by following connections.
I need to be able to use other HTTP clients that do not have the possibility to show UI.
I was wondering if it is possible to somehow request access and refresh tokens and add those to future requests, or, if possible, convert them to a cookie in some manner and add that in a header.
Your client app can simply use MSAL (or ADAL, or another OpenID Connect client library) to sign the user in and obtain an access token for the App Proxy app. Then you can include that token in the Authorization header in requests to the endpoint from App Proxy. App Proxy will recognize it, validate it, and (if everything checks out) proxy the call down to the App Proxy connector, where the rest of the process happens as normal.
Here are the relevant docs: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-native-client-application
I have a NodeJS API on Amazon EB and an API on API Gateway.
API Gateway is configured as a proxy to EB.
I can call my API without problem; it's working, but I don't know how to manage security.
Actually, if I use the API Gateway URL I must sign the request (it's OK!), but I can use the EB URL and nothing is necessary.
Before using API Gateway I was using JWT, but now what shall I do in my Node app? API Gateway is using the Authorization header to sign the request, so my Node app must check this signature, maybe? Or something else?
The recommended approach to restricting back-end access to only API Gateway is to use client-side certificates. See documentation here
Note that if using client certificates with ELB, you must configure the ELB in tcp mode and terminate the SSL connection on your application server as ELB does not support client certificate validation.
An alternate approach is to configure your API Gateway to add a header with a secret value and then validate the value on your application server before processing the request. This is generally considered less secure, since it is easier for an attacker to obtain your secret value. At a minimum, you would want to use SSL between your API Gateway and your application server so the secret isn't sent in plain text.