oroinc / platform

Main OroPlatform package with core functionality.

JWT Authentication for ORO API #635

Open Kshapova opened 7 years ago

Kshapova commented 7 years ago

Hi

I need to replace WSSE API Authentication and add JWT Authentication (with IdToken).

I created a new bundle and added a new JWT firewall:

        api:
            pattern: ^/api
            provider: jwt
            stateless: true
            anonymous: false
            guard:
                authenticators:
                    - app.jwt_token_authenticator
                entry_point: app.jwt_token_authenticator
            context: main

It works fine with the API. But the API in ORO js files always needs WSSE Authentication. (For example, in TagBundle when you add a Tag to the Entity: API POST /api/rest/{version}/tags/{entity}/{entityId})

I added the 2nd firewall for WSSE API:

        api_wsse_secured:
            pattern: ^/api/rest/latest/(tags|activities|relation)
            # @todo: should be enabled in scope of BAP-11128
            # stateless:  true
            wsse:
                lifetime: 3600
                realm:    "Secured API"
                profile:  "Use

Is this a good idea? Did anyone have the same situation with double API authentication?
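As an added example (not Oro's or the issue author's code), a minimal Symfony guard authenticator for the app.jwt_token_authenticator service named above, assuming a hypothetical IdTokenVerifier service and an "email" claim that maps to the Oro user. A request that carries WSSE headers instead of a Bearer token yields no credentials here and ends in start() with a 401, so such calls must be caught by the WSSE firewall first, which in Symfony means declaring it before the ^/api firewall (the first firewall whose pattern matches handles the request).

```php
<?php
// Added example, not Oro's or the issue author's code. IdTokenVerifier is hypothetical:
// it checks signature, exp, iss and aud and throws AuthenticationException on failure.
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;

class JwtTokenAuthenticator extends AbstractGuardAuthenticator
{
    private $verifier;
    public function __construct(IdTokenVerifier $verifier) { $this->verifier = $verifier; }

    // Only "Authorization: Bearer <token>" counts as credentials. Returning null
    // (e.g. for a request carrying WSSE headers) sends the request to start().
    public function getCredentials(Request $request)
    {
        $header = (string) $request->headers->get('Authorization', '');
        return 0 === strpos($header, 'Bearer ') ? ['token' => substr($header, 7)] : null;
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        // Verify the token before any user lookup, so a forged or expired token
        // never reaches the user store. Mapping via the "email" claim is assumed.
        $claims = $this->verifier->verify($credentials['token']);
        return $userProvider->loadUserByUsername($claims['email']);
    }

    // The token was already validated in getUser(); the firewall is stateless, so success needs no redirect.
    public function checkCredentials($credentials, UserInterface $user) { return true; }
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { return null; }

    public function onAuthenticationFailure(Request $request, AuthenticationException $e)
    {
        return new JsonResponse(['code' => 401, 'message' => 'Invalid JWT token'], 401);
    }

    // Entry point: reached when getCredentials() returned null on a protected URL.
    public function start(Request $request, AuthenticationException $authException = null)
    {
        return new JsonResponse(['code' => 401, 'message' => 'JWT Token not found'], 401);
    }
    public function supportsRememberMe() { return false; }
}
```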

mkudelya commented 7 years ago

Hi @Kshapova

Thank you for your comment!

I have recently installed and configured LexikJWTAuthenticationBundle on versions 1.10.14 and 2.0.1 using this manual and tried to add some tags to a user from the UI, after which I received the following response:

{"code":401,"message":"JWT Token not found"}

As this behavior is unusual, we will investigate the issue. As I understand, you are using the 1.10 version, am I correct? Could you let me know if you had any customizations done for your instance?

For now, I suggest that you upgrade to version 2.0 as a lot of issues with API firewalls have been fixed.

Kshapova commented 7 years ago

Hi @mkudelya

Yes, I am using the 1.10 version and I'll upgrade to version 2.0.

We have an SSO Gluu connection. This system generates the JWT Token and we use it in the header of the API call. We don't use the ORO API Key.

Example:

GET /api/rest/latest/services HTTP/1.1
Host: xxx-yyy.com
Authorization: Bearer <JWT TOKEN>
Accept: application/json

mkudelya commented 7 years ago

Hi @Kshapova

Thank you for reporting the issue! We greatly appreciate all contributions to Oro projects.