I have a REST API that i call from within my web application in order to get the result. I have a client which asks for my API only but I can't expose my API without any security. Apparently I have to use it with my application as well, so far the API is not secure, I want my client to consume my API with valid credentials, whether OAuth 2.0, JWT , Certificate, or some extra mechanism. How can I achieve this objective, any working example in Java with Azure will do and it should not hamper my pre-existing WebApp which is using the API for its own purpose. Thanks well in advance.
I tried to do it and I even completed the task but eventually found that it does not provide much value in my case. In my case the API is accessed by long-running background tasks where human login is not practical. Now there is no way for an application to log in to Azure, it must be done by a browser application which is protected by every conceivable way against automatic login. Other than that, Microsoft's solution for these kinds of tasks is the shared secret-protected token which essentially means that the app and Azure share a secret (a password generated by Azure). This does not differ significantly from the case where you store and check the passwords.
Other than that, there is the issue of Azure Active Directory and Azure Active Directory v2.0. This is a bit confusing because both solutions are based on OAuth2.0 tokens but Azure AD v2.0 is really a very different beast. For starter, Azure AD v2.0 tokens cannot be decoded as of writing this answer, they can be consumed only by Microsoft services. So if you want to know, who was the user that has logged in, you need to pass the token to the Graph API and that supposed that you have a logged-in user. For Azure AD, the token can be decoded and verified by your app, see this demonstration application, how to do it
So as a summary, I recommend protecting your API with Azure tokens only if the application you provide the login service for is an user-facing application that the user interacts with after the login. If it is a long-running server-type task, protecting it with Azure AD is pretty pointless.
It is easy to protect the web API using the Azure Active Directory. Microsoft provide lots of code samples to help developer to get started.
You can refer the links below about the code samples for your scenario:
Azure Active Directory Code Samples
Related
I am trying to connect from Java to the Sharepoint Online REST API.
I previously used a SharepointOnline ADD-IN registered directly in the Sharepoint system that has permissions to all the site collections (FullControl).
I got the token with the app credentials from the url:
https://accounts.accesscontrol.windows.net//tokens/OAuth/2
I can make requests to the Sharepoint REST API directly
Now I have to switch to an Azure registered app.
The code is written in Java and I use the Azure sdk-com.microsoft.azure (artifactId-azure). I can successfully retrieve a token, but this is not valid for later requests to the Sharepoint REST API.
I get this error:
'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
Is there any possibility to get a valid token for Sharepoint REST API requests?
Yes this is possible. Check out the below document:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
When using SharePoint Online you can define applications in Azure AD and these applications can be granted permissions to SharePoint, but also to all the other services in Office 365. This model is the preferred model in case you’re using SharePoint Online, if you’re using SharePoint on-premises you have to use the SharePoint Only model via based Azure ACS as described in here.
Hope this helps!
You can take a look of this project i've develop (and i'm currently working on it on my free time) where you have a working implementation of a java API to communicate with sharepoint rest api v1 and perfom common operations (rest api is still not fully covered but has most common operations and also provides a starting point with working examples). You can take a look of it at
https://github.com/kikovalle/PLGSharepointRestAPI-java
TL;DR
Objective: Java authorization server:
OAuth2.0 authorization code grant flow with fine-grained permissions (not a mere SSO server)
User management and authentication: custom database
Client management and authentication: Keycloak
Questions: What are the best practices for implementing a Java authorization server with applicative permissions handling backed on Keycloak?
What Keycloak adapter/API should I use in my development?
How should the users be managed/appear in Keycloak if they are to appear at all?
Forewarning
I am quite the beginner with Keycloak and, though I think I understand the main principles, it seems to be a rich tool and I fear I may still be mistaken about some aspects of the best ways to use it. Please do not hesitate to correct me.
Context
We are looking at implementing an API requiring our users (henceforth "users") to grant permissions to third party applications (henceforth "clients").
Our users are stored in a custom existing database-based user management system. As for our clients, we are thinking of using Keycloak.
The users consent will be given using an OAuth2.0 Authorization code grant flow. They will log in, specify which permissions they grant and which they deny, and the client then retrieves the access token it will use to access the API.
It is my understanding that Keycloak can handle the authorization token but it should not know anything applicative, which our permissions are. As a consequence, I thought of building a custom authorization server which will use Keycloak for all identity/authentication problems but will handle the applicative permissions by itself.
Then, we will use Keycloak for client authentication and authorization code/access token management, and an applicative part will check the permissions.
Problem
Besides my first experimenting, I've been roaming the Internet for a week now and I'm surprised as I thought this would be quite a standard case. Yet I found next-to-nothing, so maybe I'm not searching correctly.
I've found many Spring/Spring Boot tutorials1 on how to make a "simple authorization server". Those are mainly SSO servers though, and few do manage permissions, with the exception of those mentioned in this SO answer2. That I think we can deal with.
The real problem I have, and that none of the tutorials I have found are treating, is the following:
How do I integrate Keycloak in this authorization server?
I've been having a look at the available Java Adapters. They look OK when it comes to authenticate but I did not see hints about how to manage clients from a custom authorization server (ie administer the realm).
I therefore suppose I should use the admin API. Am I correct and is it good practice? I saw no adapter for that, so I suppose I should then use the REST API.
I also wonder how we should integrate our users in design? Should they be duplicated inside Keycloak? In this case, should we use Keycloak's admin API to push the data from the authorization server or is there a better way?
Finally, am I missing some other obvious point?
Sorry for the long message and the many questions, but it all boils down to one question in the end:
What are the best practices when building an authorization server using Keycloak as a backbone?
1. Some examples:
Spring Boot OAuth2 tutorial -
A blog post -
Another blog post
2. I've mainly focused on the sample app provided by Spring Security OAuth
Building Java OAuth2.0 authorization server with Keycloak
This is possible but is bit tricky and there is lot of thing which needs to be customised.
You can derive some motivation from below repo.
keycloak-delegate-authn-consent
Building custom Java OAuth2.0 authorization server with MITREid
If you are open to use other implementations of Oauth and OIDC,I can suggest you MITREid which is referrence implementation of OIDC and could be customized to a great deal.Below is the link to its repo and its open source.
I myself used this to requirement similar to yours and it is highly customizable and easy to implement.
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
MITREid Connect uses Spring Security for its authentication, so you can put whatever component you like into that space. There are lots of good resources on the web about how to write and configure Spring Security filters for custom authentication mechanisms.
You'll want to look at the user-context.xml file for where the user authentication is defined. In the core project this is a simple username/password field against a local database. In others like the LDAP overlay project, this connects to an LDAP server. In some systems, like MIT's "oidc.mit.edu" server, there are actually a handful of different authentication mechanisms that can be used in parallel: LDAP, kerberos, and certificates in that case.
Note that in all cases, you'll still need to have access to a UserInfo data store somewhere. This can be sourced from the database, from LDAP, or from something else, but it needs to be available for each logged in user.
The MITREid Connect server can function as an OpenID Connect Identity Provider (IdP) and an OAuth 2.0 Authorization Server (AS) simultaneously. The server is a Spring application and its configuration files are found in openid-connect-server-webapp/src/main/webapp/WEB-INF/ and end in .xml. The configuration has been split into multiple .xml files to facilitate overrides and custom configuration.
I am working on writing a private REST API with Play! that I will make calls to from a mobile application and I am confused about how to keep it secure.
When working through the Yet Another Blog Engine example in Play!'s documentation, I worked through their authentication example, and it deals with logging in through a browser. From what I understand about Play!'s Secure module, it helps with browser sessions. Additionally, every StackOverflow question I have seen has been involved with an administration module on the web and the questions have been pertaining to sessions as well.
Does the Play! framework have any built in mechanism to prevent session hijacking?
Enforce Https routing for login with play framework
My current understanding of how the security should work:
The mobile app "logs in" to the web app and obtains some kind of token
With each subsequent call the token is appended to the end of the API call
If the mobile user "logs out" or the token expires, the web app removes the token
Every API call uses HTTPS in order to maintain security
Is it possible for me to make an HTTP request from the mobile application to the web application I create using Play! Framework while keeping it secure?
Am I approaching the whole situation incorrectly?
This is the first Play! app I have created and this is the first time I have used Heroku. I am not too far in that I would be opposed to switching to something else if it were significantly easier/more efficient/better suited to solve this problem.
EDIT: Also, in Play!'s YABE tutorial, it seems like they check the password in plain text. Just from a general standpoint, how is that not a security issue?
EDIT 2: I have looked over OAuth provider information and it seems to solve the problem. My only apprehension with it is that v2.0 has known security flaws and v1.0 seems complicated to implement for a situation where all I need is a secure connection between a mobile app and a web app. If I were to make every call require SSL, could I make each Play method just take username and password as parameters and disregard OAuth completely?
Your example of having a mobile application authorize itself with a web application is achieved with an authorization framework like OAuth. This allows the web app to let the user login then issue an access token to the mobile app for making requests as that user, without the mobile app having to deal with the user's password.
Have a look at an OAuth provider module for Play. If you Google, you might find an OAuth client module for Play, but that's for the other side of OAuth, allowing your web app to authorize against a 3rd party provider. You'd then use an OAuth client library in your mobile app to deal with acquiring an access token.
It could even be a generic Java libary for OAuth - the Play 2.0 documentation for OAuth states that it hasn't provided an OAuth 2.0 module because it's simple enough not to even need a library. However there are a few Java libraries available.
Here's a project where somebody's put together some OAuth provider stuff with Play (referenced from this forum post):
https://github.com/mashup-fm/playframework-oauthprovider
I would like to try to use OpenSocial (or any other API) for my small project. What I want to create is a small console application that would gather some data from several sites (e.g., Facebook, LinkedIn, Xing, MySpace...) and calculate some things. What I've noticed in all tutorials is that OpenSocial is used for mobile applications, apps inside social networks etc., but I haven't seen it anywhere to be used for a console application. Is that possible? Can I create a simple Java console application which would gather and process data from social networks? Do you know some tutorial that could help me out with it? The biggest problem that I have is the authentication, since (if I understood well) all APIs request to forward the user to the original (e.g., LinkedIn) site to login so to grant permission to use the data for the application. But can I somehow login with my credentials using a console application?
Thanks,
Ivan
Yes, you can access the various data APIs from a stand alone Java application. The standard/protocol you're looking for is OAuth, not OpenSocial.
You will have to give your users some way to grant access to their social network account. (web based applications would redirect them to the social network site, which would in turn redirect them back to the application). OAuth has an out-of-band (OOB) mode especially for non-web based consumers.
I've used Scribe in the past to access the LinkedIn API.
I am new to appengine. I will write application which consist of two parts.
1) Core written in app engine with REST interface for clients.
2) Client application written in J2EE on my other (not appengine) server. But here, client may use any other technology (android, swing etc.)
I dont know, how to handle authentication of users in this schema. I think that I am in the middle between standard login and installed applications.
The simplest solution that occured to me, that the client will request username+password, pass it to appengine application via https and it will authenticate.
But dont know how to synchronized the login with client app, because it will need also data from google applications...
Is there any solution or pre-prepared facility in Java how to handle this?
Thanks
You probably want to use OAuth for this; client login or using username+password is not a good way to do this, and informed users will be -- or SHOULD be -- hesitant to give away their passwords. There is a page for using OAuth within AppEngine applications written in Java which may be of use. There is also some support for Oauth in the GData client library for Java. The OAuth in the Google Data Protocol Client Libraries document may help you to understand how to use those features.