We are building a Symfony website where it will expose REST API for mobile app but with authentication token, which will autorize the Developer to consume the API, For this feature, I am using simple_preauth firewall authenticator, which works just fine. Firewall configuration :
firewalls:
app_authenticated:
pattern: ^/api
context: app
stateless: true
simple_preauth:
authenticator: api_key_authenticator
But our mobile app will offer end-user to login and we need the user's session to be stateless, which means, logged-in user's token has to be supplied along with developer's token, How do I implement multimple authenticator under simple_preauth firewall index?
I tried supplying [api_key_authenticator, api_key_authenticator2] as 2 authenticators but simple_preauth.authenticator requires value to be scalar, not array. Any help around ?
It is only possible since Symfony 2.8 using Guard authentication:
https://symfony.com/doc/2.8/security/guard_authentication.html
firewalls:
other_user_access:
pattern: ^/api/user/email$
guard:
authenticators:
- dev_authenticator
- api_prod_user_authenticator
- api_token_authenticator
entry_point: dev_authenticator
Related
I'm creating an angular application that should authenticate with MS Azure AD single Tenant App which should be used only in one organization. Below are the configs which I have tried
auth: {
clientId: 'MY_CLIENT_ID',
// authority: 'https://login.microsoftonline.com/MY_TENANT_ID',
//authority: 'https://login.microsoftonline.com/MY_ORGANIZATION_DOMAIN',
authority: 'https://login.microsoftonline.com/organizations',
redirectUri: 'http://localhost:6735'
},
All thes above ways of authority I have tried. It goes to the login page of Microsoft but after giving correct credentials it redirects with some code in the URL and login doesn't happen.
http://localhost:6735/#code=0.ASgAmOTRM_cEXkaKjvmSz2YuZyqUYHleyNlFoNYtQ5kOUEUAAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrHDMc_BSj9GrzkrZl2zT2QVp1Hml8h7qs1PSWM_umvMyKRk5U0C7IbDSpdEpL9SGjWzBFHBXBXh10eLEioVh1N8-hXeNyfLJFSqXShYPooCX8UnlUnIQqgFhULy_o1f7ybLLbMELBomOnJZQKZuJoxj6UJgtERnAE1TZ5-nx4YkPHSrlOD5aYSF6Pziu2Xfh8UOMArIUMAoXe_RUoqULKSIHFsxXypPpCNDo1ddWsxId96BbDdPhHix2IWCuz3SNtKC6i_22qiQSxHJnT3NlcoxyMS0-9f9tSMSEOmrzCU0y5mbuw7-OGYPO8Na3juGParCuPQhE7ZJyXcwFkKodEdGs-C1U-f5Bc_imtik4B8x6sRB2pa-DOAueRQHsLdUUBQn6w5xRmZ97KKXxuL0A59EHbNhNu59EFoVJB6zTTT3hBHLFg7qL9g2nkfZLAlfpp9IfqnsoZVl9xT0CIbl7NvsRFnjpsyp6Sw4oFvyEHiXuRvKLkl3Jz8O56PJody2hHEeqXuQvnWbZ9nk00MPOvArQ7bKyoCusCPQQp64uoPSLW9G389a3ihHLiiNlzJik2dHWjez2wBpSPwZCOingPRi3Mtkh5pIbxfijejQmWZlXB_wf_GaNPYPGNRXYygeo-2OZ9koWDKhQ5S6GP5ktjGPfDtlh6EJNCHAIuuHbK2IN2vjbxdO4_YVLX1NKq0Hh51B4-zNdsiFlZuVsy5RyA3ZQZGsnR1NIKV_wm5jMmdDsgAA&client_info=eyJ1aWQiOiJlYzczZDQ5OS1iYzFiLTRhZWUtYjMyZi0xYjlmOTMyODRiNjAiLCJ1dGlkIjoiMzNkMWU0OTgtMDRmNy00NjVlLThhOGUtZjk5MmNmNjYyZTY3In0&state=eyJpZCI6IjY3YWVjYjVkLWE5YjUtNDBhMy1iZDE5LWRmYmNmNjcxNTkwZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoicmVkaXJlY3QifX0=&session_state=9e6ae9e7-45ae-4fee-b4b2-921f628093ec
Please check if any of the below is your workaround
If your application audience is a single tenant, you must provide an authority with your tenant id as you tried first:
auth: {
clientId: 'your_client_id',
authority: 'https://login.microsoftonline.com/{your_tenant_id}'
}
};
By default, MSAL is configured to set the redirect URI to the current page that it is running on. If you would like to receive the authorization code on a different page than the one running MSAL, you can set this in the configuration. Any redirect URI used must be configured in the portal registration
If it is SPA, please check if you have selected platfom as SPA in app registration in portal and check the URIs type in the manifest file to be Spa . Make sure you do not have multiple platforms configured in azure (for eg both SPA & Web App for same localhost uri).
Try to give the redirect uri like this with ‘/’ at the end :http://localhost:4200/ or http://localhost:6735/ or redirecturi:'/' and make sure you configured the same uri in the application code and try again .
Make sure your client id and tenant id are given correctly. Local host is probably used while in development.If it still doesn’t work configure with https scheme in redirect uri in both app and in portal.
Reference:
AzureAD/microsoft-authentication-library-for-js (github.com)
Quickstart: | Microsoft Docs
I am new to Istio and I have learned a lot and applied to my project which consist of many Microservices. I am stuck in Authentication when it comes to using Istio
So the issue is this. Istio offers authentication which involves using Oauth google, Oauth or any other provider. and Once we do this, we can setup AuthPolicy and define which microservices we want it to apply to. I have attached my auth policy yaml and it works fine. Now may project at Job requires me to use custom auth also. In other words, I have one microservice which handles authentication. This auth microservice has three end points /login ,/singup, /logout and /auth. Normally, In my application, I would call /auth as a middleware to before I make any other call to make sure the user is logged in. /auth in my microservice reads jwt token I stored in a cookie when I logged in at a first place and check if it is valid. Now my question is how to add my custom authentication rather than using Oauth?. Now as you know auth policy.yaml I attached will trigger auth check at sidecar proxy level; so I don't need to direct my traffic to ingress gateway; that means my gateway takes care of mtls while sidecar takes care of jwt auth check. So how to plug in my custom auth in policy.yaml or another way such that "I don't need to redirect my all traffic to ingress gateway".
In short please help me with how to add my custom auth jwt check-in policy.yaml like in the picture or any other way and if required modify my auth [micro-service][1] code too. People suggest redirecting traffic to ingress gateway and add envoy filter code there which will redirect traffic to auth microservices. But I don't have to redirect my all calls to ingress gateway and run envoy filter there. I want to achieve what istio already doing by defining policy yaml and jwt auth check happens at sidecar proxy level suing policy.yaml; so we don't redirect traffic to ingress gateway.
Np: my all microservices are in ClusterIP and only my front end is exposed outside
Looking forward to your help/advice
Heres my code for auth policy.yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: reshub
spec:
targets:
- name: hotelservice // auth check when ever call is made to this microservice
peers:
- mtls: {}
origins:
- jwt:
issuer: "https://rshub.auth0.com/"
jwksUri: "https://rshub.auth0.com/.well-known/jwks.json"
principalBinding: USE_ORIGIN
here's my code for auth microservice just to show you my current log of checking jwt
#app.route('/auth/varifyLoggedInUser',methods=['POST'])
def varifyLoggedInUser():
isAuthenticated = False
users = mongo.db.users
c = request.cookies.get('token')
token = request.get_json()['cookie']
print(token)
if token:
decoded_token = decode_token(token)
user_identity =decoded_token['identity']['email']
user = users.find_one({'email': user_identity,'token':token})
if user:
isAuthenticated = True
return jsonify({'isAuthenticated' : isAuthenticated,'token':c})
Try the AuthService project here which seems to aim to improve this area of Istio, which is at the moment pretty deficient IMO:
https://github.com/istio-ecosystem/authservice
I think the Istio docs imply that it supports more than it really does - Istio will accept and validate JWT tokens for authorization but it provides nothing in the way of authentication.
I'm using Nodejs loopback 4 to build API project and using JWT token for authentication component. But when I explore built-in swagger of loopback (localhost:3000/explorer as default) then navigate to one of my API url, there is no input place for JWT Bearer Token. How can I config that let swagger display a JWT token input (that's just like it's display param query, request body input...)
Thanks in advance
Hello from the LoopBack team 👋
Authentication in general, and token-based authentication in particular, is something we are currently working on.
The problem of enabling token input from API Explorer has been discussed in loopback-next#2210. swagger-ui, the module powering our REST API explorer, does support token-based authentication. It requires the OpenAPI spec document describing application's API to also describe the authentication (security) schema used by the app.
So essentially, either the framework or the application needs to modify the OpenAPI spec to include OpenAPI's SecuritySchemeObject.
First, the security strategy must be defined in securityDefinitions section that's shared by all endpoints:
securityDefinitions:
petstore_auth:
type: "oauth2"
authorizationUrl: "http://petstore.swagger.io/oauth/dialog"
flow: "implicit"
scopes:
write:pets: "modify pets in your account"
read:pets: "read your pets"
api_key:
type: "apiKey"
name: "api_key"
in: "header"
The example above uses "oauth2" type. For JWT, you need to use "apiKey" type.
With the security type defined, you can reference it from endpoint definitions:
security:
- petstore_auth:
- "write:pets"
- "read:pets"
The following GitHub issue is keeping track of the work needed to enable
token based authentication in our REST API Explorer: loopback-next#2027. Feel free to subscribe to notifications or join the discussion there.
You may be interested in the following pull request too, it is adding support for JWT authentication to our Shopping example app: loopback4-example-shopping#26
I created a jhipster monolithic application (jhipster version v4.14.2). Also I create a Okta web application with following settings:
Login redirect URIs -> http://localhost:8080/login
Initiate login URI -> http://localhost:8080
Create groups for admin and user, setup the claim in the default authorization server, and assign them to the application and my user
I updated the application.yaml of my jhipster application as follow:
security:
basic:
enabled: false
oauth2:
client:
access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
client-id: ????????
client-secret: ????????
client-authentication-scheme: form
scope: openid profile email
resource:
filter-order: 3
user-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/userinfo
token-info-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/introspect
prefer-token-info: false
When I start the application and then I try to sign in. I do get the Okta login page, however after adding my credential I always get the following error:
Your request cannot be processed
Sorry, an error has occurred.
Status: Unauthorized (Unauthorized)
Message: Authentication Failed: Could not obtain access token
I followed instruction in jhipster security documention and can't make it work. Any idea why I still get the unauthorized error?
This might have nothing to do with jhipster. Make sure your you URL for accessing the access token is right.
What Grant type are you using?
https://developer.okta.com/authentication-guide/implementing-authentication/
I think the error is here:
access-token-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/token
user-authorization-uri: https://dev-779125.oktapreview.com/oauth2/default/v1/authorize
Is "user-authorization-uri" jhipster way of of asking for "issuer URL"?
This question already has an answer here:
FOSUserbundle + Additional HTTP auth without user getting ROLE_USER
(1 answer)
Closed 8 years ago.
I need to secure my whole web site (because it's in development). To achieve this, I want to put a simple HTTP Auth with static credentials in front of the whole web site. The user should not be able to see anything without entering the correct data.
I could use the .htaccess file, but the problem is that I have one VIRTUAL directory "/api" (using mod_rewrite) that I want to secure with another password / user combination. So I cannot simply put a .htaccess under /api that disables the general HTTP auth and enables another one.
So I have to do it with the Symfony2 security component. But I have absolutely no idea how.
Another problem is that I am using the FOSUserBundle. ==> I want the HTTP auth to be independent from the FOSUserBundle login. After entering the user / password of the HTTP auth, the user should not be logged in. He should be acting as a normal guest until he uses the FOSUserBundle login form.
Is there any way to do this in Symfony2?
All you have to do is put in your security.yml something like this:
security:
firewalls:
basic_secured_area:
pattern: ^/
anonymous: ~
http_basic:
realm: "Secured Demo Area"
fos_authentication:
pattern: ^/
#here you configure your FOSUserBundle security
providers:
in_memory:
memory:
users:
ryan: { password: ryanpass, roles: 'ROLE_USER' }
admin: { password: kitten, roles: 'ROLE_ADMIN' }
This will secure whole site because of url pattern: ^/ with http basic security. This is separate security than FOSUserBundle, authenticating in http basic won't make you logged in your FOSUserBundle.
Find complete guide here