OAuth-Apis / apis

OAuth Authorization as a Service
Apache License 2.0

Configuration Assist #71

Open kumaranilgupta opened 9 years ago

kumaranilgupta commented 9 years ago

Hi, please guide me: if I want to add multiple resource servers, where all do I need to make changes?

And also, how do I add multiple resource servers in the yml file?

```yaml
authorizationServerUrl: http://localhost:8080/v1/tokeninfo
secret: 58b749f7-acb3-44b7-a38c-53d5ad740cf6
key: university-foo
```

(Can I append other resource servers to `secret` with a comma?)

And do I also need to add different JSON files for each new resource server? Please guide me... I will appreciate your support.

Thanks

gvanderploeg commented 9 years ago

Hi,

Having multiple resource servers is exactly what Apis is all about. Every resource server has its own record in the database, together with one or more Clients to have access to this resource server. There is nothing to configure in the YAML file, only database records to be added. (the easiest way is using the html5/js admin client for this)

Does this help you?

Kind regards, Geert van der Ploeg


kumaranilgupta commented 9 years ago

Hi gvanderploeg,

Thanks for the reply. In apis, whenever we request the URLs below:

- Hint: http://localhost:8180/v1/api/course
- Hint: http://localhost:8180/v1/api/course/cs3
- Hint: http://localhost:8180/v1/api/student
- Hint: http://localhost:8180/v1/api/student/foo5

all of the above URLs are served by the university resource server. I see the JSON file and the university configuration; in university-foo-local.yml I could see the details added for its resource server:

```yaml
secret: 58b749f7-acb3-44b7-a38c-53d5ad740cf6
key: university-foo
```

So after I added a new resource server, when I try to fetch some details from my JSON I get the following error in the console:

```
10:54:27.061 [qtp954934397-21] WARN o.s.oaaas.resource.VerifyResource - For access token d7c5074d-2f7f-44eb-9aad-7a777b4685d8: Resource server not found for credentials UserPassCredentials [university-foo]. Responding with 401 in VerifyResource#verifyToken.
```

My new resource server details are:

```
key: 21989681-a91b-4c07-b228-04c8628aa57a
secret: 1f2f25b2-f97a-4612-bc47-45716b342ebb
```

and I want to add a new JSON file, university-foo.json.

So if apis can serve many resource servers for its connected clients, then why have you added the resource server details in university-foo-local.yml? I hope you have understood my issue.

Thanks

gvanderploeg commented 9 years ago

Hi,

I think I need to clarify some more. The module apis-example-resource-server is an example resource server. It is not meant for doing real business, let alone configuring two of them with one runtime and one configuration file.

Of course you could configure 2 example resource servers side by side, but that means you have to really separate them: each has its own JVM, configuration file, its own http port to listen on, just like real applications would have.

Maybe it would help if you sketch your business problem? What is your intention for using Apis?

Kind regards, Geert

kumaranilgupta commented 9 years ago

Hi Geert,

I have 5 APIs and I want to secure them using OAuth2. So for my APIs, do I need to have 5 JSONs and 5 configuration files? Please guide me.

Do I need to have 5 more modules for my 5 APIs like you have in APIS (apis-example-resource-server)? If so, then I would probably have 5 jars containing 5 yml and 5 JSON files. Am I correct on this, or do I need another approach?


Regards, Anil Gupta

kumaranilgupta commented 9 years ago

Hi Geert, I appreciate your quick reply.

I have 5 open APIs and I want to secure them using OAuth2. So for my APIs, do I need to have 5 JSONs and 5 configuration files? Please guide me.

Do I need to have 5 more modules for my 5 APIs like you have in APIS (apis-example-resource-server)? If so, then I will probably have 5 jars containing 5 yml and 5 JSON files. Am I correct on this, or do I need another approach?

gvanderploeg commented 9 years ago

Alright, 5 APIs you want to secure. A bit of background: what you need for each of them is intercepting calls to the API (each and every call) and verifying that the calls contain a valid access token and that the access token has the proper scope (see "How do resource servers verify the access token"). That's all there is to it, regarding protection of the resource servers. What's the status of your resource servers? Are they ready yet, or do you still need to program them? Because you are absolutely free to program them in any language you want; there is no requirement that they are Java based. The validation of the access token is an HTTP request/response that you can implement in any language.

Of course, you could use example-resource-server as a starting point for implementing your actual resource server, but I do not recommend that. As I said before, the example-resource-server is just a showcase for the OAuth process, and not a particularly solid base for an application with 5 APIs. But if you really want it: then yes, 5 jars each with their own configuration is the way to go.
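The per-call interception described above, as an added Python example (not code from the Apis project): each request's bearer token is looked up at the tokeninfo URL from this thread, authenticated with the resource server's key and secret, and the call is only let through when the token is valid and carries the required scope. The endpoint shape (GET with an `access_token` query parameter, HTTP Basic `key:secret`, a JSON reply with `scopes` and `principal`, a non-200 status for a rejected token), the placeholder secret and the fake responder are assumptions so the example runs offline.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Values from the thread; the secret is a placeholder, not a real credential.
TOKENINFO_URL = "http://localhost:8080/v1/tokeninfo"
RS_KEY = "university-foo"
RS_SECRET = "<resource-server-secret>"


def tokeninfo_http(token: str) -> Tuple[int, str]:
    """Real transport (assumed endpoint shape): ask Apis about `token`,
    authenticating as the resource server with HTTP Basic key:secret.
    Returns (status, body) and does not raise on a non-2xx answer."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": token})
    creds = base64.b64encode(f"{RS_KEY}:{RS_SECRET}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + creds})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:   # e.g. 401 for bad RS credentials
        return err.code, err.read().decode()


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>'.
    The scheme name is case-insensitive (RFC 6750); the token itself is not."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def authorize_request(headers: Dict[str, str], required_scope: str,
                      tokeninfo: Callable[[str], Tuple[int, str]] = tokeninfo_http
                      ) -> Tuple[int, str]:
    """The interception applied to every API call: returns (http_status, detail).
    200 means forward the call and names the principal; 401 means no usable
    token; 403 means a valid token without the needed scope (RFC 6750
    insufficient_scope)."""
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing or malformed bearer token"
    status, body = tokeninfo(token)
    if status != 200:
        # Covers an unknown or expired token as well as the thread's
        # 'Resource server not found for credentials' 401.  The upstream
        # body belongs in the server log, never in the reply to the caller.
        return 401, "token not accepted by authorization server"
    try:
        info = json.loads(body)
    except ValueError:
        return 401, "unparseable tokeninfo reply"
    if not isinstance(info, dict) or info.get("error"):
        return 401, "tokeninfo reported an error"
    if required_scope not in info.get("scopes", []):
        return 403, f"insufficient scope: need '{required_scope}'"
    principal = info.get("principal") or {}
    return 200, principal.get("name", "")


# Constructed stand-in for the Apis endpoint so the example runs offline.
FAKE_TOKENS = {
    "tok-read-only": {"audience": "client-abc", "scopes": ["read"],
                      "principal": {"name": "foo5"}, "expires_in": 3600},
}


def tokeninfo_fake(token: str) -> Tuple[int, str]:
    info = FAKE_TOKENS.get(token)
    if info is None:
        return 404, json.dumps({"error": "not_found"})
    return 200, json.dumps(info)


if __name__ == "__main__":
    for hdrs, scope in [({}, "read"),
                        ({"Authorization": "Bearer nope"}, "read"),
                        ({"Authorization": "Bearer tok-read-only"}, "write"),
                        ({"authorization": "bearer tok-read-only"}, "read")]:
        print(scope, hdrs, "->", authorize_request(hdrs, scope, tokeninfo_fake))
```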

kumaranilgupta commented 9 years ago

Hi Geert, thanks for the detailed reply. Yes, my APIs are already developed in the development environment, and now I am trying to have one single login page with a token provider, authentication and authorization, where all the clients will have their own scope to access the 5 APIs; only an admin can have access to all 5 APIs, but a normal user may not have access to all 5.

As of now my 5 APIs are separate, each in a separate project, and in future a client can be either Android, iOS or Windows.

As you said, the example-resource-server is just a showcase for the OAuth process. What I would probably do is: the existing example has 3 steps, so I will customize it into 1 step where, after a normal authentication from the DB, I will redirect to a page at http://localhost:8084/test (I will replace "test"),

and then ask the user to provide the key and secret; after that I will hide the 2nd and 3rd steps, as you have done to show the process. After the key and secret I will be displaying my 5 APIs, where if a user is authorized to access those APIs then he will be able to access them like the university JSON example, or else, if he is not authorized, we will receive an error.

Let me know your suggestion on how to implement this.

I just saw that every client belongs to only one resource server, which is a big issue for me. At any cost I need a client to have access to multiple resource servers.

Please guide me on how I can have a client access multiple resource servers.

Thanks


gvanderploeg commented 9 years ago

You are correct in that there is a one-to-many relation between resource servers and clients (and also between clients and access tokens, effectively restricting each token to one resource server only). There are currently no plans to support a many-to-many relation between resource servers and clients. I'm sorry.

By the way: I have my doubts about this. The relation between a resource server and a client is typically a long-lived one, for which developers probably write some code, think about scoping, define configuration (endpoint url as minimum), test thoroughly... To have to configure separate credentials for each resource server doesn't seem like a burden for a client developer to me. Besides that, from a functional point of view: how would you envision the consent screen for a resource owner that grants access to a client having access to multiple resource servers? That would have to look something like this: "Do you want to allow _client_applicationxyz to have access to _resource_server1, _resource_server2, _resource_server3 for the following scopes: _scope_1_from_server1, _scope_2_from_server3, etc..."

I think that this could get hairy very quickly....

The spec, RFC 6749, says: "A single authorization server may issue access tokens accepted by multiple resource servers." (ch 1.1) So in theory it could be implemented...

kumaranilgupta commented 9 years ago

Hi,

Please find my replies inline below.

> By the way: I have my doubts about this. The relation between a resource server and a client is typically a long-lived one, for which developers probably write some code, think about scoping, define configuration (endpoint url as minimum), test thoroughly... To have to configure separate credentials for each resource server doesn't seem like a burden for a client developer to me. Besides that, from a functional point of view: how would you envision the consent screen for a resource owner that grants access to a client having access to multiple resource servers? That would have to look something like this: "Do you want to allow _client_applicationxyz to have access to _resource_server1, _resource_server2, _resource_server3 for the following scopes: _scope_1_from_server1, _scope_2_from_server3, etc..."

Yes, you are right: I need a client _client_applicationxyz to have access to _resource_server1, _resource_server2, _resource_server3 for the following scopes: _scope_1_from_server1, _scope_2_from_server3. Because if a client is an admin then he should have access to all the APIs with read and write scopes, and if a client is a marketing or seller guy then he will not have access to all the secured APIs, and that's the reason I want a client to be able to access multiple resource servers.

We can't have 5 login details for 5 APIs; we need one gateway to authenticate for all the APIs, and a token will be generated depending on the user's accessibility for their corresponding authorized APIs.

> The spec, RFC 6749, says: "A single authorization server may issue access tokens accepted by multiple resource servers." (ch 1.1)

Yes, this is what I was in need of: I want an authorization server to issue a token which can be accepted by multiple resource servers.

> So in theory it could be implemented...

Yes, this is what I am in need of. Please guide me a little more; I shall enhance the code to support this.

Thanking you a lot :)


Regards, Anil Gupta

gvanderploeg commented 9 years ago

Please, format your replies using Markdown. "blue text" won't display when messaging via Github...

You say:

> if a client is a admin then he should have acccess to all the apis with read and write scopse , And if a client is marketting or seller guy then he will not have access to all the secured apis and thats the reason i want a client can have access to multiple resource server.

Are you sure about the OAuth concepts here? A client within the OAuth context is not an end user; it's an application that requests resources that are owned by a resource owner (only this resource owner is an end user). Of course, a client application can have multiple access tokens for multiple resource owners (in your example the marketing guy or the admin) and should use them if the application wants to do requests. The client application needs to keep track of all access tokens, properly stored by resource owner and resource server.

Access restriction using scopes (read/write vs. only read) is a multi-level thing: a resource server has a set of scopes. A client (client application) can have access to a subset of these scopes. And finally, the client can ask for resource owner consent for a subset of the scopes. If you want a certain client (again, a client application) to have only read access: that's fine, just give the client the read scope for this particular resource server.

Please think this through before trying to implement the feature you think you need.

Hope this helps.
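The three-level narrowing described above (the scopes a resource server defines, the subset a client application is registered with, the subset the resource owner consents to), as an added example that is not part of the Apis code base; the class names, `register_client`/`grant_scopes` and the `university-foo` sample data are constructed for illustration, and the error strings use the RFC 6749 error codes an authorization server would answer with.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class ResourceServer:
    key: str
    scopes: FrozenSet[str]      # level 1: every scope the resource server defines


@dataclass(frozen=True)
class Client:
    client_id: str
    resource_server: str        # in Apis a client belongs to exactly one resource server
    scopes: FrozenSet[str]      # level 2: the subset this client application may ever use


class ScopeError(ValueError):
    """Carries the RFC 6749 error code the authorization server would answer with."""


def register_client(rs: ResourceServer, client_id: str, wanted: Iterable[str]) -> Client:
    """Level 2 is fixed by the administrator at registration: a client cannot be
    given a scope its resource server does not define."""
    wanted = frozenset(wanted)
    unknown = wanted - rs.scopes
    if unknown:
        raise ScopeError(f"invalid_scope: {sorted(unknown)} not defined by {rs.key}")
    return Client(client_id, rs.key, wanted)


def grant_scopes(client: Client, requested: Optional[Iterable[str]],
                 consented: Iterable[str]) -> FrozenSet[str]:
    """Level 3: what ends up in the access token.
    requested  - the `scope` parameter of the authorization request
                 (None = omitted, so the client's full registered set is used)
    consented  - the scopes the resource owner approved on the consent screen"""
    asked = client.scopes if requested is None else frozenset(requested)
    too_much = asked - client.scopes
    if too_much:
        # Refused outright; the resource owner is never even asked for consent.
        raise ScopeError(f"invalid_scope: {client.client_id} may not request {sorted(too_much)}")
    granted = asked & frozenset(consented)
    if not granted:
        raise ScopeError("access_denied: resource owner approved none of the requested scopes")
    return granted


# Constructed sample data: the thread's university-foo resource server with a
# read-only client ("just give the client the read scope") and a read/write one.
UNIVERSITY = ResourceServer("university-foo", frozenset({"read", "write"}))
READ_ONLY_APP = register_client(UNIVERSITY, "marketing-app", ["read"])
ADMIN_CONSOLE = register_client(UNIVERSITY, "admin-console", ["read", "write"])


def demo() -> dict:
    """Walk the three levels once; returns the outcome of each case."""
    out = {}
    try:
        register_client(UNIVERSITY, "rogue", ["read", "delete"])
    except ScopeError as e:
        out["undefined scope at registration"] = str(e)
    try:
        grant_scopes(READ_ONLY_APP, ["write"], ["write"])
    except ScopeError as e:
        out["read-only client asks for write"] = str(e)
    out["read-only client, default request"] = sorted(grant_scopes(READ_ONLY_APP, None, ["read"]))
    # Even a read/write client only gets what the resource owner ticked.
    out["owner consents to read only"] = sorted(grant_scopes(ADMIN_CONSOLE, ["read", "write"], ["read"]))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```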

kumaranilgupta commented 9 years ago

Hi, thanks for clearing up the OAuth concepts.

Yes, a client is an application that requests resources that are owned by a resource owner.

Let me elaborate more about my requirement.

I have 5 applications:

1) IT Application
2) Call Center Support
3) Application for Marketing
4) Application for outside users
5) Application for Finance

I will have a single login page for all the above applications, and not all the users will have privileges for all the above applications: some will have access to only 2 applications, some will have access to 3, and some users will have access to all 5 applications. If a user has privileges for only 3 applications and tries to access any other application, then he shouldn't even get READ access.

So I will have a client application where an end user will be validated, and depending on his authorization he will get access to his applications (here "application" means resource server).

Flow

Client Application: a user USER_VISITOR requests access to the IT Application (resource server) via the client application; then it should return a token to get access to the resource server (Application for outside users), but if USER_VISITOR is not authorized for the IT Application then he should get a message that he is not authorized to access it.

Again, if a user such as user_admin tries to access, then he should have access to all the applications (resource servers), and user_admin should be able to access its resource servers with the same token.

I mean USER_VISITOR is an end user.

There will be an application from where a client_user will be validated and authorized, and then it will ask for the token from its authorized resource server via the client application (http://localhost:8084/test).

So the relation here is:

An end user user_admin can have access to multiple resource servers, i.e. all 5 resource servers (1) IT Application, 2) Call Centre Support, 3) Application for Marketing, 4) Application for outside users, 5) Application for Finance).

If an end user is from marketing then he can have access to only 2 resource servers (3) Application for Marketing, 4) Application for outside users). But when a marketing person tries to ask for a token for a resource server other than the 2 he is associated with, then the client application shouldn't even generate a token and should return an error message.

So an end user can be associated with many resource servers, which is one-to-many.

In the existing apis surf oauth we have multiple users (it test client, it test client 2, it test client grant, it test client credential grant).

I am treating all of these as users (it test client, it test client 2, it test client grant, it test client credential grant).

I am treating http://localhost:8084/test as a client application.

I am treating the resource servers as the admin activities on http://localhost:8080/client/client.html.

So my question is: how can I give an end user (it test client, it test client 2, it test client grant, it test client credential grant) access to multiple resource servers? Currently it doesn't allow this.

Please give me some solution to my problem.

Let me know, with your suggestions, if I am wrong on the oauth apis architecture.

Thanking you a lot


Regards, Anil Gupta

gvanderploeg commented 9 years ago

You talk about 5 applications, which are the resource servers. That's fine. But what about the client applications? How many actual client applications (not end users) are involved? Somehow I suspect there isn't any client application in the picture, just end users and resource servers. (For this scenario, OAuth isn't the right solution.)

kumaranilgupta commented 9 years ago

Hi,

Well, at present my 5 applications are open and not secured, so I have planned to have one client application where all the users will log in from the client application and a token will be created to access their resource server, and if a user is not associated with some resource then the token will not be generated.

If you think OAuth is not the right solution, then how do I secure my 5 applications? Any suggestions would be highly appreciated.

Thanks


Regards, Anil Gupta

kumaranilgupta commented 9 years ago

Hi,


Also, let me know how I can test the following client IDs:

- Client ID: it-test-client-grant, Secret: somesecret-grant
- Client ID: it-test-client-no-consent-refresh, Secret: somesecret2
- Client ID: it-test-client, Secret: somesecret

How can I test the above clients in the application? Do I have to test using cURL?

Thanks


Regards, Anil Gupta

gvanderploeg commented 9 years ago

> So I have planned to have one client application where all the users will login from client application and token will be created to access their resource server, and if a user is not associate with some resource then token will not be generated.

Here lies the problem with trying to solve this with OAuth, for the following reasons:

  1. OAuth is meant for authorization of client applications, not for authorization of users. The resources that OAuth is about are owned by the end users. There is no reason to completely deny an end user access to his own resources: they are his! And if he has no resources at a particular resource server, then what is he doing with that resource server?
  2. OAuth is meant for situations where you want to authorize multiple client applications in a consistent way. If you have only one client application: just use a shared secret (for example HTTP Basic Auth over SSL) to let the client application authenticate itself to each of the 5 applications.
  3. Even if you implement OAuth, you still will have to handle authorization (based on group membership/roles, whatever) in the resource server. Imagine this double question: "Client app A1 wants to write a particular resource for user U1. Is A1 allowed to? And does user U1 have enough rights to do so?" OAuth is only about the first part (is A1 allowed to). The second part (does user U1 have rights) is a question that the resource server has to answer to be properly secured. Only the resource server knows its own schema of permissions. Of course, you could centralize this, but that is not OAuth's business.
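The "double question" from point 3, as an added example (not Apis project code) of what a resource server does after a token has already been verified: the token's scopes answer whether client app A1 may act, and the resource server's own permission table answers whether user U1 may. The tokeninfo field names (`scopes`, `principal.name`), the action-to-scope mapping and the role tables are constructed assumptions for illustration.

```python
from typing import Dict, FrozenSet, Tuple

# Half 1 is OAuth's business: which scope the *client application* must hold
# for each operation.  (Constructed mapping.)
SCOPE_FOR_ACTION: Dict[str, str] = {"invoice:read": "read", "invoice:write": "write"}

# Half 2 is the resource server's own schema, unknown to the authorization
# server: which *users* may do what.  (Constructed tables.)
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "finance-clerk": frozenset({"invoice:read"}),
    "finance-manager": frozenset({"invoice:read", "invoice:write"}),
}
USER_ROLES: Dict[str, str] = {"u1": "finance-clerk", "admin": "finance-manager"}


def decide(token_info: dict, action: str) -> Tuple[bool, str]:
    """Answer both halves for one already-verified tokeninfo reply.
    Returns (allowed, reason); both checks must pass, in this order, so a
    client never learns about user permissions it has no scope to touch."""
    needed = SCOPE_FOR_ACTION.get(action)
    if needed is None:
        return False, f"unknown action {action!r}"
    # Half 1: is client app A1 allowed?  Decided by the scopes in the token.
    if needed not in token_info.get("scopes", []):
        return False, f"client lacks scope {needed!r} (insufficient_scope)"
    # Half 2: does user U1 have the right?  Decided by the resource server's
    # own permission table, keyed by the principal the token was issued for.
    user = (token_info.get("principal") or {}).get("name")
    role = USER_ROLES.get(user)
    if role is None:
        return False, f"unknown user {user!r}"
    if action not in ROLE_PERMISSIONS.get(role, frozenset()):
        return False, f"user {user!r} ({role}) may not {action}"
    return True, "ok"


# Constructed tokeninfo replies in the assumed layout (scopes + principal).
CLERK_WITH_WRITE_APP = {"scopes": ["read", "write"], "principal": {"name": "u1"}}
MANAGER_WITH_READ_APP = {"scopes": ["read"], "principal": {"name": "admin"}}
MANAGER_WITH_WRITE_APP = {"scopes": ["read", "write"], "principal": {"name": "admin"}}


if __name__ == "__main__":
    cases = [("clerk via read/write app", CLERK_WITH_WRITE_APP),      # scope ok, user not
             ("manager via read-only app", MANAGER_WITH_READ_APP),    # user ok, scope not
             ("manager via read/write app", MANAGER_WITH_WRITE_APP)]  # both ok
    for label, info in cases:
        print(f"{label:28s} invoice:write -> {decide(info, 'invoice:write')}")
```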

kumaranilgupta commented 9 years ago

Hi,

I am getting the following error when I try to perform this command:

```
curl -i -v -H "Authorization: bearer 00-11-22-33" http://localhost:8082
```

I get the error below:

```
org.codehaus.jackson.map.JsonMappingException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class org.surfnet.oaaas.model.VerifyTokenResponse
 at [Source: java.io.StringReader@4d5d021; line: 1, column: 1]
	at org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163)
	at org.codehaus.jackson.map.deser.StdDeserializationContext.wrongTokenException(StdDeserializationContext.java:261)
	at org.codehaus.jackson.map.jsontype.impl.AsArrayTypeDeserializer._locateTypeId(AsArrayTypeDeserializer.java:100)
	at org.codehaus.jackson.map.jsontype.impl.AsArrayTypeDeserializer._deserialize(AsArrayTypeDeserializer.java:86)
	at org.codehaus.jackson.map.jsontype.impl.AsArrayTypeDeserializer.deserializeTypedFromObject(AsArrayTypeDeserializer.java:55)
```

Please suggest. It is failing to execute this line:

```java
verifyTokenResponse = objectMapper.readValue(responseString, VerifyTokenResponse.class);
```


Regards, Anil Gupta