Trying to write Java code to authenticate to the Graph API - java

I'm trying to write Java code to authenticate to the Graph API via the Azure Access Control Service (ACS) using OAuth 2.0.
Based on what I've read, there are four steps to this:
1. Generate an assertion which includes the Service Principal's X.509 certificate (alternatively, a symmetric key can also be used).
2. Present the assertion to the Azure ACS Security Token Service (STS).
3. ACS accepts the assertion and authenticates the Service Principal, returning a minted OAuth access token (i.e. a JWT token).
4. Subsequent API call submissions include the access token.
Can anyone tell me where to begin? For example, where can I find the Java API, and how do I generate a symmetric key or an assertion with an X.509 certificate? I want to create a Java app which will create users in Office 365, and authenticating is the initial step. Thanks for the help.

I think you would need to start from here:
How to Authenticate Web Users with Windows Azure Access Control Service Using Eclipse - This example uses Windows Live ID as the identity provider; a similar technique could be used for other identity providers as applicable.
Once your Java-based code is authenticating users successfully, you can go ahead and implement further to connect with other providers.

Related

How to retrieve secrets from Azure Vault using Java 5?

I have to retrieve secrets from Azure Vault, but my app uses JDK 5. This is a problem because the Azure libraries used and described in the Microsoft docs require at minimum JDK 8, and upgrading the JDK is not an option.
The client's architect says that I can consume some Vault API and use Bouncy Castle's TLS API to achieve this, but I'm not sure what he is talking about.
This sounds too low-level. I'm asking for guidance; some superfluous explanation can get me going. How can I obtain secrets using Java 5?
As the architect says, you could retrieve a secret from Key Vault via the Key Vault REST API instead of the Azure libraries.
GET https://{yourvault}.vault.azure.net/secrets?api-version=7.1
This API lists the secrets in a specified key vault, and you can get a specific secret from a given key vault by this link.
First, get an access_token with a POST via Apache HttpClient.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={your-client-id}
&scope=https%3A%2F%2Fvault.azure.net%2F.default
&client_secret={your-client-secret}
&grant_type=client_credentials
Then, call the REST API with a GET via Apache HttpClient.
GET https://{yourvault}.vault.azure.net/secrets?api-version=7.1
Authorization: Bearer {access_token}
I tried this with Postman, and it works well. You could use HttpClient to obtain secrets from Java.
Note:
Navigate to Azure Portal > Key vaults > your_key_vault > Access policies > Add Access Policy. In the Secret permissions field, select the desired permissions, and in the Select principal section, select the application that you are using to access the secret.
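To make the two requests above concrete, here is an added example written for this page (it is not the answer's code, and it is in Python rather than Java so that it runs stand-alone here). It builds the client-credentials POST body, caches the bearer token until shortly before the server-stated expires_in, and then calls the list-secrets and get-secret endpoints with the token. The placeholder values and the FakeAzure transport are constructed; the JSON field names (access_token, expires_in, value, id) are the ones those endpoints actually return, and any real HTTP library can be plugged in through the two injected callables.

```python
import json
import time
from urllib.parse import urlencode

# Constructed placeholder values; the real ones come from your tenant and app registration.
TENANT_ID = "{tenant}"
CLIENT_ID = "{your-client-id}"
CLIENT_SECRET = "{your-client-secret}"
VAULT_HOST = "{yourvault}.vault.azure.net"
VAULT_SCOPE = "https://vault.azure.net/.default"
API_VERSION = "7.1"
TOKEN_URL = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % TENANT_ID


def token_request_body():
    """Form body for the client-credentials POST; urlencode produces the same
    percent-encoded scope (https%3A%2F%2Fvault.azure.net%2F.default) shown in the answer."""
    return urlencode({
        "client_id": CLIENT_ID,
        "scope": VAULT_SCOPE,
        "client_secret": CLIENT_SECRET,
        "grant_type": "client_credentials",
    })


class KeyVaultClient:
    """Two-step flow: fetch a bearer token, then call the secrets endpoints with it.
    post(url, headers, body) and get(url, headers) are injected callables returning
    (status, body_text), so the flow can be exercised without network access."""

    def __init__(self, post, get, now=time.time):
        self._post, self._get, self._now = post, get, now
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        # Reuse the cached token; refresh a minute before the server-stated expiry.
        if self._token is None or self._now() >= self._expires_at:
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
            status, body = self._post(TOKEN_URL, headers, token_request_body())
            if status != 200:
                raise RuntimeError("token endpoint returned HTTP %d" % status)
            data = json.loads(body)
            self._token = data["access_token"]
            self._expires_at = self._now() + int(data.get("expires_in", 0)) - 60
        return self._token

    def list_secrets(self):
        """Secret names only; the list response never carries secret values."""
        body = self._call("https://%s/secrets?api-version=%s" % (VAULT_HOST, API_VERSION))
        return [item["id"].rstrip("/").rsplit("/", 1)[-1] for item in body["value"]]

    def get_secret(self, name):
        body = self._call("https://%s/secrets/%s?api-version=%s" % (VAULT_HOST, name, API_VERSION))
        return body["value"]

    def _call(self, url):
        status, body = self._get(url, {"Authorization": "Bearer " + self.access_token()})
        if status == 403:
            raise PermissionError("the app registration has no access policy granting secret permissions")
        if status != 200:
            # Log the path only; never log the token or a secret value.
            raise RuntimeError("Key Vault returned HTTP %d for %s" % (status, url.split("?")[0]))
        return json.loads(body)


class FakeAzure:
    """Constructed stand-in for the token endpoint and the vault, so the block runs offline."""

    def __init__(self):
        self.token_calls = 0

    def post(self, url, headers, body):
        self.token_calls += 1
        assert url == TOKEN_URL and "grant_type=client_credentials" in body
        return 200, json.dumps({"access_token": "tok-%d" % self.token_calls, "expires_in": 3600})

    def get(self, url, headers):
        if not headers.get("Authorization", "").startswith("Bearer tok-"):
            return 401, "{}"
        if "/secrets/db-password?" in url:
            return 200, json.dumps({"value": "s3cr3t", "id": "https://%s/secrets/db-password/v1" % VAULT_HOST})
        if "/secrets?" in url:
            return 200, json.dumps({"value": [{"id": "https://%s/secrets/db-password" % VAULT_HOST}]})
        return 404, "{}"


def demo():
    azure = FakeAzure()
    kv = KeyVaultClient(azure.post, azure.get)
    names = kv.list_secrets()
    value = kv.get_secret("db-password")
    # Two vault calls but one token fetch: the cached token was reused.
    return names, value, azure.token_calls


if __name__ == "__main__":
    print(demo())
```

Whatever HTTP client you use on an old JVM, note that the Azure endpoints require TLS 1.2, which the JSSE shipped with Java 5 does not speak; that gap is what a third-party TLS stack such as Bouncy Castle's addresses, and it is a bigger obstacle than the REST calls themselves.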

Mobile authentication using QR in web application

I have doubts about what the correct scheme should be for the following technical solution.
I need to authenticate a user in a mobile application by reading a QR code, the user having previously been authenticated in a web application.
The use case is that the user uses a web application located on an intranet, but needs to be able to upload images from a mobile device that will be connected to the internet.
The mobile application will consume a public API exposed on the internet through an API Gateway.
The API Gateway will connect to the backend to upload the images.
As a requirement, when the user needs to use the mobile device to capture and upload images, they should not authenticate again, since they have an open session in the web application, and should simply use a QR code to authenticate the device. Logically, the QR code will not use the user's credentials.
My idea is to make use of OAuth 2.0 with the following flow to authenticate the mobile device:
1. The web application requests the API Gateway to generate an authorization token, and it responds with a UUID.
2. The web application displays the authorization token received from the API Gateway as a QR code.
3. The mobile device reads the QR code and requests an access token from the API Gateway using the authorization token.
4. The API Gateway validates the authorization token and generates the access token, which is returned to the mobile device.
5. The mobile device makes calls to the public API (API Gateway) using the access token.
My question is whether this is the correct scheme, or whether there is another standard solution.
Thanks!!
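A gateway-side implementation of the five steps above, added here as an example (it is not the asker's or either answerer's code; the class and method names are my own). It shows the properties that make such a hand-off safe to run: the authorization token is minted by the gateway for an already-authenticated web session, lives for a minute, is consumed on first redemption so a second scan of the same QR code fails, and is exchanged for a separate short-lived bearer access token; the gateway stores only SHA-256 fingerprints of both tokens. The scenario uses a constructed clock so the expiry and replay cases can be walked through offline.

```python
import hashlib
import secrets
import time
import uuid


def _fingerprint(token):
    """Store only a SHA-256 of each token so a leaked table does not leak usable tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class DeviceAuthorizationGateway:
    """Gateway-side state for the five-step hand-off (added example; names are assumptions)."""

    AUTH_TOKEN_TTL = 60         # seconds the QR code stays redeemable
    ACCESS_TOKEN_TTL = 15 * 60  # seconds a mobile access token is valid

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # fingerprint -> (user_id, expires_at)
        self._access = {}   # fingerprint -> (user_id, expires_at)

    # Step 1: the web app, on behalf of its authenticated session, asks for a one-shot token.
    def create_authorization_token(self, web_session_user):
        token = str(uuid.uuid4())
        self._pending[_fingerprint(token)] = (web_session_user, self._now() + self.AUTH_TOKEN_TTL)
        return token  # step 2: the web app renders this as the QR code

    # Steps 3-4: the device presents the scanned token; it is consumed on first use.
    def redeem_authorization_token(self, token):
        entry = self._pending.pop(_fingerprint(token), None)  # pop => a replay gets None
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None  # stale QR code: already removed above, nothing issued
        access_token = secrets.token_urlsafe(32)
        self._access[_fingerprint(access_token)] = (user_id, self._now() + self.ACCESS_TOKEN_TTL)
        return access_token

    # Step 5: API calls carry "Authorization: Bearer <access token>".
    def authenticate_request(self, authorization_header):
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return None
        entry = self._access.get(_fingerprint(authorization_header[len("Bearer "):]))
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._now() <= expires_at else None

    def purge_expired(self):
        """Housekeeping: drop expired entries so the tables do not grow without bound."""
        t = self._now()
        for table in (self._pending, self._access):
            for fp in [fp for fp, (_, exp) in table.items() if t > exp]:
                del table[fp]
        return len(self._pending), len(self._access)


def run_scenario():
    """Walk the flow with a controllable clock; returns the observations a test can check."""
    clock = [1_000_000.0]  # constructed start time
    gw = DeviceAuthorizationGateway(now=lambda: clock[0])

    qr = gw.create_authorization_token("alice")             # web app, steps 1-2
    access = gw.redeem_authorization_token(qr)              # phone, steps 3-4
    user = gw.authenticate_request("Bearer " + access)      # phone, step 5
    replay = gw.redeem_authorization_token(qr)              # same QR code scanned twice
    guess = gw.authenticate_request("Bearer " + "x" * 43)   # token the gateway never issued

    stale_qr = gw.create_authorization_token("bob")
    clock[0] += DeviceAuthorizationGateway.AUTH_TOKEN_TTL + 1
    stale = gw.redeem_authorization_token(stale_qr)         # QR code left on screen too long

    clock[0] += DeviceAuthorizationGateway.ACCESS_TOKEN_TTL
    expired_user = gw.authenticate_request("Bearer " + access)
    return {"user": user, "replay": replay, "guess": guess, "stale": stale,
            "expired_user": expired_user, "tables": gw.purge_expired()}


if __name__ == "__main__":
    print(run_scenario())
```

On the "another standard solution" part of the question: the nearest standard is the OAuth 2.0 Device Authorization Grant (RFC 8628), which runs the hand-off the other way round (the device displays a code and the already-signed-in browser approves it); the single-use and short-lifetime properties the code above enforces are the same ones that grant relies on.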
Your scheme will work, BUT it's not reaching its fullest security potential, considering the fact that you can transfer a newly generated authorization token from an already-authorized device directly to another one (via a QR code read by the camera); this fact would make steps 3 and 4 an unnecessary vulnerability (it's also a redundancy: there already is a token! Why get another one?).
The following alternative, along with good cryptography, can make the later-authorized device's connection almost impossible to intrude on. The idea is that by adding a symmetric encryption layer before sending the data in step 5, and using a key which is exchanged over another medium (the already-authorized device and the server), the encrypted data can never be exposed.
Step 3 replacement: read the authorization token.
Step 4 replacement: check the secure hash derivation of the authorization token (instead of the token itself) with the server to see if it's valid:
    token0 = read_auth_token_from_camera()
    public_token = hash_function(token0)   // the useless exposed token
    if (check_token_with_server_for_authenticity(public_token) == true)
        continue_to_step_5()   // it's authorized
    else
        handle_the_scenario()
Step 5 replacement: encrypt your request and authorization token with another hash derivation of the authorization token, then make calls to the server API:
    token2 = another_hash_function(token0)
    request = "i am top secret data"
    encryption_key = token0
    encrypted_request = encryption_function(token2 + request, encryption_key)
    send_to_server(public_token + encrypted_request)
    // notice that token2 is unknown to the intruder because it's encrypted, but it is known to the server; hence the authenticity of each request can be checked by the server
How it is more secure: in this alternative way, the actual authorization token is never really exchanged between the server and the new client. So if an intruder could hypothetically break the SSL/TLS layer and capture the public token, the intruder won't be able to send any requests on your behalf or modify the data in requests.
If this scheme fulfills your desired application flow then it's correct. There is no standard way to authenticate Android devices if you are going for self-made authentication.
One thing that I think you need to add is a check whether the client is actually your Android application and not some other application using a similar authentication flow. If you can cater for this then it's good to go.
You can use Firebase ML Kit for a good solution, and it can also perform a lot of AI-based functions in your apps.
You can check it from here:
https://firebase.google.com

Best Way To Authenticate Restful API and Mobile App

I have Googled many times about how to authenticate a RESTful API and mobile app.
I found a lot of answers but I still don't feel better, perhaps because I am new to APIs.
What I want:
The mobile app requests or posts data to the RESTful server.
The RESTful server authenticates the mobile app by username and password login.
I want to secure the RESTful server and avoid hackers stealing the password and request data.
After searching on Google, they told me to:
use HTTPS with SSL;
authenticate the username and password, then generate a new token and signature;
use the token and signature to authenticate the mobile app.
Another way is to use OAuth 2.0. After reading the OAuth 2.0 documentation, I still think its structure is similar to the token and signature above. I think if it is like that, the mobile app can store or use the token and signature, or a hacker can debug or see the login process by proxying the request. I feel it is still not secure because we still use the token and signature when requesting.
I have just started learning about APIs. If I misunderstand, I am sorry. I use PHP.
I would recommend JBoss's Keycloak (http://www.keycloak.org/). From the first page:
"Add authentication to applications and secure services with minimum fuss. No need to deal with storing users or authenticating users. It's all available out of the box.
You'll even get advanced features such as User Federation, Identity Brokering and Social Login.
For more details go to about and documentation, and don't forget to try Keycloak. It's easy by design!"

App engine endpoints auth with Google Identity Toolkit

I've successfully implemented user login in my Android app with Google Identity Toolkit. I've also created an App Engine Endpoint to communicate with from the Android app. Now I want to secure the endpoints with auth.
I know I can create a custom Authenticator for the endpoint, do any kind of verification of the data in the request header there, and get the job done.
But I don't know how to do the Gitkit verification there.
Basically:
What data should I pass to make endpoint calls from the Android app? (The token ID?)
What should I do in the custom Authenticator of the endpoint to ensure the requests are valid?
I saw people suggesting using sessions or cookies. Will these work if I'm using the endpoint from an Android app? If yes, please give me some reference on how it can be done.
Gitkit tokens are in JWT format, so you validate them on the server side just as you would any other JWT token.
See the example documentation on how to validate a JWT here: https://developers.google.com/identity/sign-in/web/backend-auth. It's the same format.
I also have my own project to integrate it with a Jersey server:
https://github.com/dlazerka/gae-jersey-oauth2. It uses the recommended com.google.api-client library to actually verify the token.
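The four-step flow in the first question (build an assertion, present it to the STS, receive an access token) and this answer's "validate it like any other JWT" both come down to the JWT operations below. This is an added example written for this page, not code from either asker, from Google's documentation or from the gae-jersey-oauth2 project. It uses HS256 (a shared symmetric key, the alternative the first question mentions) because Python's standard library has HMAC; a token signed with an X.509 certificate's private key, which is what Google ID tokens and the certificate variant use, is RS256 and needs a crypto library for the signature step, while every other check (algorithm pinning, issuer, audience, expiry, replay id) is identical. The key, issuer, audience and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    pass


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (ValueError, TypeError):
        raise InvalidToken("segment is not base64url")


def _compact(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_assertion(key, issuer, subject, audience, lifetime=300, now=None, jti=None):
    """Step 1 of the first question, symmetric-key variant: a short-lived signed JWT
    naming who is asserting (iss/sub), to whom (aud) and until when (exp)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    if jti is not None:
        claims["jti"] = jti  # lets the token service reject a replayed assertion
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, issuer, audience, now=None, leeway=0):
    """The validation a server-side Authenticator performs before trusting any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token choose it (rules out "alg":"none").
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature does not verify")
    claims = json.loads(_b64url_decode(claims_b64))  # only parsed after the signature holds
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        raise InvalidToken("token expired or has no exp")
    if now + leeway < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    return claims


def rejected(token, key, issuer, audience, now):
    """True if verify_jwt refuses the token."""
    try:
        verify_jwt(token, key, issuer, audience, now=now)
        return False
    except InvalidToken:
        return True


def demo():
    key = b"constructed-shared-secret-do-not-reuse"  # constructed sample key
    sts = "https://sts.example.test"                  # constructed audience (the token service)
    sp = "service-principal-id"                       # constructed issuer and subject
    t0 = 1_700_000_000                                # constructed issue time
    token = make_assertion(key, sp, sp, sts, lifetime=300, now=t0, jti="n-1")
    subject = verify_jwt(token, key, sp, sts, now=t0 + 10)["sub"]
    h, c, s = token.split(".")
    forged = _compact({"iss": sp, "sub": "admin", "aud": sts, "iat": t0, "exp": t0 + 300})
    return {
        "subject": subject,
        "tampered": rejected(h + "." + forged + "." + s, key, sp, sts, t0 + 10),
        "wrong_key": rejected(token, b"other-key", sp, sts, t0 + 10),
        "expired": rejected(token, key, sp, sts, t0 + 301),
        "wrong_aud": rejected(token, key, sp, "https://other.example.test", t0 + 10),
        "alg_none": rejected(_compact({"alg": "none"}) + "." + c + ".", key, sp, sts, t0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```

For the Android question specifically, the value the app should send is the token itself in an Authorization header, and the custom Authenticator runs the equivalent of verify_jwt on it (with Google's published signing keys in place of the shared key); nothing about that needs a session or cookie.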

SAML Sample Identity Provider Certificate and Java Application for signing certificate

I have a Java web application, and I want to implement SAML SSO login for it.
What I am trying to do is:
1. Need one sample identity provider certificate.
2. Create a separate JSP application which will sign the certificate and create an assertion for my app.
3. Upload the public key of the certificate and save it in the keystore.
4. Whenever a user tries to log in, the assertion from the JSP application will be created and sent to my web app.
5. Validate the public key against the key in the keystore and proceed further.
Please correct me if I am wrong about this.
Also, where can I find a sample identity provider certificate? Or maybe how to create one?
Also, is there any sample JSP application that can create an assertion and send it to my application?
Thanks.
You can get a free account at PingOne from Ping Identity.
After that you will be provided with a certificate and meta information to use PingOne as the identity provider.
Also, you can try TestShib or OpenIdP.
You can use the keytool command to manage certificates on your local system.
If you use JBoss AS/WildFly then I suggest using PicketLink; you can find the documentation here.
