
microgateway-edgeauth's Introduction

edgemicro-auth

edgemicro-auth is an open source project that implements the edgemicro-auth Apigee Edge proxy.

When configuring Apigee Edge Microgateway (please refer to the docs here), an Apigee Edge proxy called edgemicro-auth gets installed in the org and environment.

The edgemicro-auth proxy provides four functions:

  • Provides a list of all products in the org (/products)
  • Provides a signed JWT if the API Key is valid (/verifyApiKey)
  • Provides the public key that can be used to validate the JWT (/publicKey)
  • Generates an access token, which is a signed JWT. Supports client_credentials grant type (/token)

Purpose

The original implementation is a node.js implementation that leverages volos plugins and Apigee a127. If no customizations are needed, that implementation works just fine. Customizations that users frequently ask for include:

  • Include additional/custom claims to JWT
  • Support for other grant types
  • Support for refresh tokens
  • Set custom expiry on tokens

Some of these customizations would have been possible by modifying the node.js implementation, but this project reimplements the ENTIRE edgemicro-auth proxy using Apigee Edge policies. In addition to a 1:1 implementation, the customizations mentioned above are also implemented.

Support

This is an open-source project of the Apigee Corporation. It is not covered by Apigee support contracts. However, we will support you as best we can. For help, please open an issue in this GitHub project. You are also always welcome to submit a pull request.

Certificate management and Setup

The original implementation of edgemicro-auth uses Apigee's secure storage. This implementation instead uses KVM entries to store the public key and the private key. The proxy expects a map identifier (mapIdentifier) called 'microgateway'. Contained within 'microgateway' are one entry called 'publicKey' with the RSA public key and one entry called 'privateKey' with the RSA private key. Because the private key signs every token the proxy issues, create 'microgateway' as an encrypted KVM (the JSON Web Keys section below assumes this) and restrict who can read or modify it.

Customizations

How do I set custom expiry?

In the flow named 'Obtain Access Token' you'll find an Assign Message policy called 'Create OAuth Request'. Change the token_expiry value here (Apigee's OAuthV2 policy takes token expiry in milliseconds, so 300000 is five minutes; keep it short, since the lifetime bounds how long a leaked token stays usable):

    <AssignVariable>
        <Name>token_expiry</Name>
        <Value>300000</Value>
    </AssignVariable>

How do I add or modify claims?

The "Obtain Access Token" flow has an Assign Message policy called "Add Custom Claims". This policy is disabled by default. After enabling the policy, you can add claims inside it. Here is a sample:

    <AssignVariable>
        <Name>claims</Name>
        <Value>{"claim1": "abc", "claim2": "efg"}</Value>
    </AssignVariable>

The claims must be set as a JSON string (stringified) in the claims variable.

How can I get refresh tokens?

The OAuth v2 policy supports password grant. If a request is sent as below:

POST /token
{
  "client_id":"foo",
  "client_secret":"foo",
  "grant_type":"password",
  "username":"blah",
  "password": "blah"
}

If valid, the response will contain a refresh token.

How do I refresh an access_token?

Send a request as below:

POST /refresh
{
  "grant_type": "refresh_token",
  "refresh_token": "foo",
  "client_id": "blah",
  "client_secret": "blah"
}

If valid, the response will contain a new access_token.

What grant types are supported?

client_credentials, password and refresh_token. Users can extend the Apigee OAuth v2 policy to add support for the remaining grant types.

Support for JSON Web Keys

Microgateway stores private keys and public keys in an encrypted kvm. The proxy exposes an endpoint '/jwkPublicKeys' to return public keys as JWK.

  • Support for "kid" (Key Identifiers). If the KVM includes an entry called 'private_key_kid' (the value can be any string), the JWT header will include the "kid":

    {
      "alg": "RS256",
      "typ": "JWT",
      "kid": "1"
    }

  • The "kid" can be leveraged during validation of the JWT (not yet implemented in microgateway)

Release Notes

v2.4.13 - 3/1/19 Bug Fix: Improve character escaping for JSON formatting

microgateway-edgeauth's People

Contributors

f1erro, gaonkar18y, indraneeldey, keyurkarnik, kkkarnik, philschleier, satishbkodali, shawnfeldman, shiveshwar, srikanthbhadragiri, srinandan, theganyo, vilobhmm


microgateway-edgeauth's Issues

Security Policy violation Binary Artifacts

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

  • apiproxy/resources/java/micro-gateway-products-javacallout-2.0.0.jar

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.


Allstar has been installed on all Google managed GitHub orgs. Policies are gradually being rolled out and enforced by the GOSST and OSPO teams. Learn more at http://go/allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Do I need this policy if I am using edgemicro in private cloud?

I am using an Apigee private cloud and this is pointing at the public cloud, so does this get used? Should I be pointing it at my
var url = context.getVariable("virtualhost.aliases")[0]; or is it just never used so it doesn't matter?

Authenticate Call {request.header.Authorization} GET /edgemicro/authenticate/organization/{organization.name}/environment/{environment.name} false calloutResponse https://edgemicroservices.apigee.net

Request headers are getting terminated in obtain and refresh access token flows

We created shared flow as CORS and enabled at post proxy level.
For edgemicro auth, the request headers are not getting populated to response flow. Only content type header is getting passed.

In trace, found out that
during create OAuth request and create refresh request, we are creating new requests and ignoring the original request headers. Because of this, other origin headers are not getting populated in response

And Access-Control-Allow-Origin is coming as empty.
Please fix it

Jwk keys having null value causing applications to fail

Moved certificatelist.keys.push(jwk2); inside if block.

Currently the token is coming as for https://org.apigee.net/edgemicro-auth/jwkPublicKeys

{"keys":[{"kty":"RSA","n":"2sGxMwDQV-1tm_lCmO5B9xsicQjQxUJY8Ww","e":"AQAB","kid":"1","alg":"RS256","use":"sig"},null]}

Second Public key if not present is coming as null.

This null is causing few of the external applications to fail.

To remove that I moved the above line to inside if block

I raised a pull request #39

@keyurkarnik @srinandan Please review

Content type for publicKey

The jwt_publickey_url set the content type as text/html. This should be set to application/x-pem-file
