I'm using IdentityServer 4 and I wish to allow Resource Owner flow but only for a client with a specific IP address. How can I configure it?
You can simply inject the IHttpContextAccessor into your resource owner validator. This will give you access to the HTTP request.
This way you can check the IP address.
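A worked version of that answer, as an added example rather than code from the question or the answer: a resource owner password validator that injects `IHttpContextAccessor`, reads the remote address of the token request, and only accepts the grant when the calling client's address is on a per-client allow-list. The class and interface names, the allow-list and the `ICredentialCheck` user store are assumptions; IdentityServer 4 only calls this validator after it has already authenticated the client and confirmed the client is allowed the `password` grant type.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Http;

// Hypothetical abstraction over your own user store (not part of IdentityServer).
public interface ICredentialCheck
{
    // Returns the subject id for a valid user name/password pair, otherwise null.
    Task<string> CheckAsync(string userName, string password);
}

public class IpRestrictedResourceOwnerValidator : IResourceOwnerPasswordValidator
{
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly ICredentialCheck _credentials;

    // Assumed allow-list: client id -> addresses that may use the password grant.
    // In a real deployment load this from configuration instead of hard-coding it.
    private static readonly Dictionary<string, IPAddress[]> AllowedAddresses =
        new Dictionary<string, IPAddress[]>
        {
            ["ropc-client"] = new[] { IPAddress.Parse("203.0.113.10") },
        };

    public IpRestrictedResourceOwnerValidator(
        IHttpContextAccessor httpContextAccessor, ICredentialCheck credentials)
    {
        _httpContextAccessor = httpContextAccessor;
        _credentials = credentials;
    }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var clientId = context.Request.Client.ClientId;
        var remoteIp = _httpContextAccessor.HttpContext?.Connection.RemoteIpAddress;

        // Kestrel reports IPv4 peers as IPv4-mapped IPv6 (::ffff:203.0.113.10),
        // which does not compare equal to the IPv4 form, so normalise first.
        if (remoteIp != null && remoteIp.IsIPv4MappedToIPv6)
        {
            remoteIp = remoteIp.MapToIPv4();
        }

        if (remoteIp == null
            || !AllowedAddresses.TryGetValue(clientId, out var allowed)
            || Array.FindIndex(allowed, a => a.Equals(remoteIp)) < 0)
        {
            // Deny before touching the password: the grant is simply not
            // available to this client from this address.
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "grant not permitted from this address");
            return;
        }

        var subjectId = await _credentials.CheckAsync(context.UserName, context.Password);
        if (subjectId == null)
        {
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "invalid credentials");
            return;
        }

        context.Result = new GrantValidationResult(subject: subjectId, authenticationMethod: "pwd");
    }
}
```

Register it with `services.AddHttpContextAccessor();` and `services.AddIdentityServer(...).AddResourceOwnerValidator<IpRestrictedResourceOwnerValidator>();`. One caveat worth checking before relying on this: if IdentityServer sits behind a reverse proxy or load balancer, `RemoteIpAddress` is the proxy's address unless you configure the forwarded-headers middleware with the proxy's address as a known proxy; without that, either every request fails the check or, if the check is loosened to trust `X-Forwarded-For` blindly, any client can spoof the header.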
My MVC client's access token contains an "idp" claim that my simple server-to-server client's token doesn't. I don't explicitly request idp on either client, so where is this claim coming from? I thought it was part of "openid", and since it is available by default to the MVC client, you don't need to request it, but I couldn't find any documentation/specification that confirms it. By the way, I am unable to add the openid scope to my server-to-server client, as I am getting an "invalid scope" error when I do that. What I am trying to do here is to get the "idp" claim into the token for my server-to-server client as well, but I'm not sure if that's possible. Can someone point me in the right direction?
When you do server-to-server communication using the client-credentials flow, there is no user involved and hence the openid scope has no purpose, as its core purpose is to ask for the subject claim (the user Id).
The idp claim is not part of any scope and is usually added by IdentityServer.
Why do you need the idp claim? Your API and client both trust the shared IdentityServer.
The idp claim in IdentityServer stands for external identity provider (such as Google). That's why it does not make any sense when you request a token from your local IdP with the "client_credentials" flow. If you are interested in the info about the token's issuer, just use the iss claim instead. If you are sure you need the idp (or any other custom) claim in each and every token, you can involve a custom ClaimsService as I explained in my previous answer.
I have an httpd front end server which will authenticate users using openidc and associate a JWT with the incoming request if the authentication is successful. After this the request will reach the desired REST service, which is defined using Apache Camel CXF.
Now I need to deny/permit this user access to the requested service based on certain permissions. How do I do that?
Typically the established user session would contain claims about the user provided by the OpenID Connect Provider. Those claims can be used in mod_auth_openidc specific Require directives e.g.:
Require claim email:joe@example.org
For more information see: https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization
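An added configuration example (not from the question or the answer, and not the project's own wiki text) showing how the claim-based Require directives described above look in a full vhost fragment: one location any authenticated user may reach, one restricted by a group claim, and one where either of two conditions is enough. Hostnames, paths, claim names and claim values are assumptions and depend on what your OpenID Connect Provider actually puts in the ID token or userinfo response.

```apache
# Assumed provider and client settings; replace the placeholders.
OIDCProviderMetadataURL https://idp.example.org/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
OIDCRedirectURI https://app.example.org/protected/redirect_uri
OIDCScope "openid email profile"
OIDCCryptoPassphrase <random_passphrase>

# Forward the authenticated identity and claims to the backend as headers.
# The backend (the Camel CXF service here) must only accept these headers
# from this proxy, never directly from the network.
OIDCAuthNHeader X-Remote-User
OIDCPassClaimsAs headers

# Any authenticated user may reach the service root.
<Location /protected/>
    AuthType openid-connect
    Require valid-user
</Location>

# Admin endpoints: the 'groups' claim (array or string) must contain 'admins'.
<Location /protected/admin/>
    AuthType openid-connect
    Require claim groups:admins
</Location>

# Finance endpoints: membership in the finance group OR one named account.
<Location /protected/finance/>
    AuthType openid-connect
    <RequireAny>
        Require claim groups:finance
        Require claim email:cfo@example.org
    </RequireAny>
</Location>
```

Two things to check when this does not behave as expected: the redirect URI must fall under a protected `<Location>` so that mod_auth_openidc handles the callback, and a `Require claim` for a claim the provider never issues (for example `groups` without a groups scope or mapping on the IdP side) silently denies every request, so inspect the claims the provider actually returns before writing the rules.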
I am using client credentials flow to generate an access token. Following is the request.
I received the access token and I am using it to call the Web API like
https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messages
Following is the screenshot
Calling Web API gives InvalidAuthenticationToken Error.
Any workaround for this?
Your resource should be set to https://graph.microsoft.com.
In your screenshot, the resource is set to https://outlook.office.com but you're calling Microsoft Graph. Since you're providing an access_token for a different resource, Microsoft Graph is rejecting it.
You also need to make sure you've requested the proper Microsoft Graph permissions in the Azure Portal. To call /mailFolders/inbox/messages for example, you need to request permission for either Mail.Read or Mail.ReadWrite.
Finally, you cannot use /me with the Client Credentials grant. The /me is simply shorthand for /users/{current-user-id}/. Since Client Credentials does not have a current user, the API has no idea which user me is. You will need to reference a specific user entity in the path:
/v1.0/users/{userPrincipalName}/mailfolders/inbox/messages
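The three points of that answer put together, as an added example that is not code from the question, the answer or Microsoft: a client-credentials token is requested for the Microsoft Graph resource (not Outlook), its `aud` claim is checked before use, and the mailbox is addressed by user principal name instead of `/me`. It assumes the MSAL library (`Microsoft.Identity.Client` NuGet package) and that an administrator has consented to the `Mail.Read` application permission; tenant, client and user values are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphMailReader
{
    // Decode the (unverified) JWT payload just to read 'aud'. This is a sanity
    // check on which resource the token was issued for, not signature validation:
    // Graph validates the token; we only want to fail fast with a clear reason.
    public static string AudienceOf(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new ArgumentException("not a compact JWT");
        var payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.GetProperty("aud").GetString();
    }

    public static async Task<string> ReadInboxAsync(
        string tenantId, string clientId, string clientSecret, string userPrincipalName)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        // "/.default" on the Graph resource asks for every application permission
        // already granted to this app (e.g. Mail.Read) and yields a token whose
        // audience is Graph, which is what the API checks.
        var token = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        var aud = AudienceOf(token.AccessToken);
        if (aud != "https://graph.microsoft.com" && aud != "00000003-0000-0000-c000-000000000000")
        {
            throw new InvalidOperationException($"token audience is '{aud}', not Microsoft Graph");
        }

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.AccessToken);

        // App-only tokens have no signed-in user, so /me is meaningless;
        // name the mailbox explicitly and keep the response small.
        var url = "https://graph.microsoft.com/v1.0/users/"
                  + Uri.EscapeDataString(userPrincipalName)
                  + "/mailFolders/inbox/messages?$top=10&$select=subject,from,receivedDateTime";

        using var response = await http.GetAsync(url);
        if (!response.IsSuccessStatusCode)
        {
            // Graph returns a JSON error body (e.g. InvalidAuthenticationToken,
            // or ErrorAccessDenied when the permission was never consented).
            var body = await response.Content.ReadAsStringAsync();
            throw new HttpRequestException($"Graph returned {(int)response.StatusCode}: {body}");
        }
        return await response.Content.ReadAsStringAsync();
    }
}
```

The second audience value accepted above is the well-known application id of Microsoft Graph, which some tokens carry in `aud` instead of the URL; anything else (for example the Outlook resource from the screenshot) fails before a request is made, which turns a generic InvalidAuthenticationToken into a specific message.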
I'm trying to set up a reverse proxy that requires authentication against an OpenID Connect Identity Provider.
The User then grants the reverse proxy access to his data.
Some applications behind the proxy are only accessible by the user if he is a member of specific LDAP groups. Sadly the applications are dumb and cannot authorize themselves, so the reverse proxy must handle that part.
It wasn't so hard to set up the authentication part with mod_auth_openidc. What I struggle with is the authorization part. I have a working example with mod_authnz_ldap that requires username and password over BasicAuth.
The idea with OpenID Connect is that Resource Server (the proxy in my case) will never know the user's password and does not have to check it. That is delegated to the OpenID Connect Identity Provider.
So I don't have the password needed for this approach. My idea was to create a virtual host with oidc auth that refuses some header like x-my-oidc-username from clients, sets this header once authenticated and passes the request to another vhost binding on 127.0.0.1 so it cannot be accessed directly bypassing authentication. That vhost just takes the header as the authenticated username and runs the LDAP authorization.
I haven't seen a way to just skip the Authentication Phase of the ldap module and take the username from somewhere else like the OpenID Connect ID Token or from my custom header.
Any ideas/suggestions/approaches/tips?
There's an article that shows how to combine mod_auth_openidc and mod_authnz_ldap here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Authorization#2-mod_authnz_ldap:
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <client_id>
OIDCClientSecret <client_secret>
OIDCRedirectURI http://example.com/example/redirect_uri
OIDCScope "openid email profile"
# Set REMOTE_USER to the email address.
# this is the value that mod_authnz_ldap leverages as the first parameter after basedn.
# in the example below, REMOTE_USER = email = mail attribute in LDAP.
OIDCRemoteUserClaim email
<Location /example/>
AuthType openid-connect
AuthLDAPURL "ldap://example.com/ou=people,dc=example,dc=com?mail?sub?(objectClass=*)"
AuthLDAPGroupAttribute member
Require ldap-group cn=myTestAccesss,ou=Groups,dc=example,dc=com
</Location>
I am trying to access emails of an email address in a custom domain (my.name@example.com) in Google Apps. I created a service account but I get the following error message when trying to read e-mails:
Error:"unauthorized_client", Description:"Unauthorized client or scope in request.", Uri:""
I found that I have to delegate domain-wide authority to the service account. According to my understanding, after delegating, the service account will have access to all e-mail addresses in the domain (e.g. john@example.com, sam@example.com, ...). Is my understanding correct? If yes, is there a way that the service account has access (can be impersonated) to only one e-mail address in the domain?
Have you authorized the Client Name and the API scopes in the GSuite admin console? It is required for the service account to work and the error you received seems to be related to the API access permissions.
More info at:
https://support.google.com/a/answer/162106?hl=en