claims in password grant


Hello all kind Sirs out there! I can't seem to find the docs on the subject so I'm asking here.

I want to implement password grant. One of my API functions will validate login/password. Later on, my other functions need to know who the user is. I assume that authentication function needs to return not just success/failure, but something that identifies the user - it can be user ID or list of roles. Edge must pass this info in all subsequent calls to my API.

I need to know what the authentication function should look like - does it get JSON or form params or query string? What should it return? Also I need to know how the user-specific information will be sent to my other functions.

4 REPLIES

Hi @IT Boardroomlimited,

I would recommend authorization grant over password grant, but you asked a few questions here. So, as Home Depot says... let's do this.

I need to know what the authentication function should look like - does it get JSON or form params or query string? What should it return?

First, to authenticate from Edge to the target (backend API), if possible, use mutual TLS. Second, create a target (backend API) such as GET /authenticate and pass the username and password as headers. Do not use query strings as those can get logged. Some folks might argue that you should use POST. Since we aren't modifying anything on the server, I would argue against that. However, I'm not religious about it; just don't use query strings for these types of APIs. Third, the API should return a "User" resource. The User resource is simply a JSON response and should include user info and any roles.

Also I need to know how the user-specific information will be sent to my other functions.

OK. So we have authenticated the user and received user information and its roles. Now we need to create the token. There are two approaches I see here. Others might chime in to make additional suggestions or alternatives.

  1. Generate an opaque token from Edge and add the roles as visible or hidden attributes on the token. Does the client app need them? Later, when the client app calls Edge, before Edge calls a target (backend API), the proxy would then need to extract the username and roles from the token and generate a JWT from Edge that includes the roles as claims. Then you forward the JWT to the targets (backend APIs) and have the backend API grab the claims from the JWT and also validate the JWT, expiry, etc.
  2. Generate an opaque token from Edge and add the roles as visible or hidden attributes on the token. Does the client app need to use them? Later, when the client app calls Edge, before Edge calls a target (backend API), the proxy would then need to extract the username and roles from the token and forward them along to the targets as headers or form params.

Make sense? There are pros and cons to each approach so please review any design with your security team and make sure they sign off before you implement in production. If your team is new to Apigee, I would also recommend that you hire someone to help you who has implemented similar security use cases.

Finally, because this post is a security topic answer, I must put a disclaimer that I'm simply answering your question about potential options but am not officially recommending a specific solution nor have I been hired to do so. Please don't rely on this posting as consulting.

If this post answered your question, please click accept.

First, thank you!

"... pass the username and password as headers"

Edge server receives them as form post variables, right? How do I convert post variables into headers?

"Third, the API should return a "User" resource"

Do you mean JSON response?

"So we have authenticated the user and received user information and its roles"

Assuming it is JSON, imagine I need to "explain" the JSON structure to the Edge somehow. How do I do it?

I would prefer option 1 because Client App does not need to see claims.

"Make sense?"

Definitely does! Details please 🙂

"JWT from Edge and include the roles as claims"

Can you explain how to do it please?

Edge server receives them as form post variables, right? How do I convert post variables into headers?

You first extract them using an Extract Variables policy and then create the headers using an Assign Message policy.

"Third, the API should return a "User" resource"

Do you mean JSON response?

Yes, I've updated my original answer to include additional details.

"So we have authenticated the user and received user information and its roles"

Assuming it is JSON, imagine I need to "explain" the JSON structure to the Edge somehow. How do I do it?

What needs to happen is you are going to generate a token and take the JSON User payload and assign values from it into the token.

I would prefer option 1 because Client App does not need to see claims.

I've updated my response to include hidden and visible for both options.

"Make sense?"

Definitely does! Details please 🙂

"JWT from Edge and include the roles as claims"

Can you explain how to do it please?

You will use the GenerateJWT policy using the values from a VerifyAccessToken policy. Then assign the JWT to a header and send it to the target.

Please see disclaimer above. 🙂
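The policies named in the two replies above (Extract Variables, Assign Message, OAuthV2 GenerateAccessToken / VerifyAccessToken, GenerateJWT), written out as an added illustration of option 1; this is not code from the thread, from Robert, or from Apigee. It assumes a backend `GET /authenticate` at the placeholder host `identity.example.internal` that reads `X-Username` / `X-Password` headers and answers with a User JSON of the form `{"id": "...", "roles": [...]}`, an HS256 key already in the KVM as `private.jwt.secret`, and the policy element names as they appear in the Apigee Edge policy reference; the policy names themselves (`EV-Credentials`, `SC-Authenticate`, etc.) are arbitrary.

```xml
<!-- Added example, not from this thread or from Apigee. Each top-level element is its own
     policy file. Token flow (POST /token): 1 -> 2 -> 3 -> 4, with steps 3 and 4 conditioned on
     authResponse.status.code = 200 (raise a 401 fault otherwise). All other flows: 5 -> 6 -> 7. -->

<!-- 1. Read the password-grant form params; the query string is never used for credentials. -->
<ExtractVariables name="EV-Credentials">
  <Source>request</Source>
  <FormParam name="username"><Pattern>{username}</Pattern></FormParam>
  <FormParam name="password"><Pattern>{password}</Pattern></FormParam>
  <VariablePrefix>cred</VariablePrefix>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- 2. Authenticate against the backend, passing the credentials as headers (assumed endpoint). -->
<ServiceCallout name="SC-Authenticate">
  <Request variable="authRequest">
    <Set>
      <Verb>GET</Verb>
      <Headers>
        <Header name="X-Username">{cred.username}</Header>
        <Header name="X-Password">{cred.password}</Header>
      </Headers>
    </Set>
  </Request>
  <Response>authResponse</Response>
  <HTTPTargetConnection>
    <URL>https://identity.example.internal/authenticate</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- 3. "Explain" the User JSON to Edge: pull id and roles out of the callout response.
        Assumed response shape: {"id": "...", "roles": [...]}; the array arrives as a string. -->
<ExtractVariables name="EV-User">
  <Source>authResponse</Source>
  <JSONPayload>
    <Variable name="id"><JSONPath>$.id</JSONPath></Variable>
    <Variable name="roles"><JSONPath>$.roles</JSONPath></Variable>
  </JSONPayload>
  <VariablePrefix>user</VariablePrefix>
</ExtractVariables>

<!-- 4. Mint the opaque token; user id and roles ride along as hidden attributes
        (display="false"), so the client app never sees them. -->
<OAuthV2 name="OA-GenerateToken">
  <Operation>GenerateAccessToken</Operation>
  <SupportedGrantTypes><GrantType>password</GrantType></SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
  <UserName>request.formparam.username</UserName>
  <PassWord>request.formparam.password</PassWord>
  <ExpiresIn>3600000</ExpiresIn> <!-- milliseconds: one hour -->
  <Attributes>
    <Attribute name="user_id" ref="user.id" display="false"/>
    <Attribute name="roles" ref="user.roles" display="false"/>
  </Attributes>
  <GenerateResponse enabled="true"/>
</OAuthV2>

<!-- 5. Every other call: verify the opaque token. Custom attributes then surface
        as flow variables accesstoken.user_id and accesstoken.roles. -->
<OAuthV2 name="OA-VerifyToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- 6. Re-issue the verified identity as a short-lived JWT for the backend; the backend
        must check signature, iss, aud and exp before trusting the roles claim. -->
<GenerateJWT name="JWT-ForBackend">
  <Algorithm>HS256</Algorithm>
  <SecretKey><Value ref="private.jwt.secret"/></SecretKey> <!-- assumed KVM entry -->
  <Subject ref="accesstoken.user_id"/>
  <Issuer>urn:apigee-edge</Issuer>
  <Audience>backend-api</Audience>
  <ExpiresIn>5m</ExpiresIn>
  <AdditionalClaims>
    <Claim name="roles" ref="accesstoken.roles"/>
  </AdditionalClaims>
  <OutputVariable>jwt_for_backend</OutputVariable>
</GenerateJWT>

<!-- 7. Forward the JWT. Set overwrites the client's Authorization header, so the opaque
        token stays inside Edge and the backend only ever sees the JWT. -->
<AssignMessage name="AM-ForwardJWT">
  <Set>
    <Headers>
      <Header name="Authorization">Bearer {jwt_for_backend}</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

Two design points worth noting. The JWT is deliberately short-lived and audience-bound, so a backend that validates `aud` and `exp` cannot be replayed against a different service with a token that was minted for this one. And because `roles` is a hidden attribute on the opaque token rather than a claim the client can read, a change to the role set only requires re-authentication, not a change to anything the client stores; the same `VerifyAccessToken` step would reject the token immediately if it were revoked in Edge.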

Thank you very much Robert!

Your explanation kind of made it clearer, but I still have to face the struggle of programming and debugging in this unfamiliar XML-based programming language.

What I think you should do is publish a downloadable proxy targeting this use case, and also document what the backend API would look like, both the authentication endpoint and the normal endpoints.