Wednesday, 20 May 2020

JWT Token Authorization


We can allow user to access application using multiple security configurations.  Basic authentication is a simple and commonly used security configuration.  Wherein users will be authenticated using user name password.

Next authorization method which is used to access applications is JWT token. Jason Web Token are encoded as a JSON object and that are digitally signed using JWS - Jason Web Signature.  These token can also be encrypted using JWE - Jason Web Encryption.

As I mentioned, these are encoded , signed and/or encrypted tokens. Basic format of JWT token is as follows.

    • Header
    • Payload
    • Signature


Header:

{
  "alg": "RS256",
  "typ": "JWT",
   "x5t": "ZZAMNA+cVwqRM7J4vn3KIoqdk2w"
}


alg -  Algorithm used to sign or encrypt JWT.
typ: Contetnt
x5t:  base64 encoded public certificate fingerprint . Use following command to get the fingerprint or thumbprint.
            openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]


Payload:

 {
     "userId":"vijayakv",
     "iss": "https://provider.domain.com/",
     "sub": "auth/some-hash-here",
     "exp": 153452683
 }


 {
"iss": "www.oracle.com",
"prn": "vijayakv",
"iat": 1518071154,
"exp": 1518081154
}

prn/userId:  Application User which has required access.
exp: Token Expiry time
iat: Issued At
nbf: not before

There are two ways to configure JWT .

  1.  Client generated JWT tokens.  Client is responsible for the security. 
  2. Identity provider generated JWT token.  IDCS/OKTA etc.

Following steps will highlight how the Identity provider JWT token will work. 
  •  User will call Identity provider REST API to get the token using User Name and Password. 
  • Provider will generate the token and send it. 
  • User will use the token to call the Service API. 


Following Steps will highlight how the client generated JWT token will work. 
  • Client will generate the SSL certificate and provide the public key to identity provider. 
  • Identity provider will configure the certificate and Issuer - ex: www.oracle.com 
  • Client will generate the JWT token in the above mentioned format. 
  • Client will encode the header and Payload part. 
  • Client will encode the public certificate 
  • Client will sign the JWT token using private key -- SSL private key. 
HMACSHA256( base64UrlEncode(header) + "." +  base64UrlEncode(payload),  secret)



After generating the token , client will call the application API using signed JWT token.

Identity provider will decode and verify signature using configured public key/certificate.  If it matches the configured key and issuer then it authorize the user to access the application.


JWT using Python Example :

>>> pip install pyjwt
>>> pip install cryptography
>>> import jwt
>>> private_key = open('secret-key').read()
>>> token = jwt.encode({'user_id': 123}, private_key, algorithm='RS256').decode('utf-8')
>>> token


Note: 

The generation of a signed JWT requires the use of a private (asymmetric algorithm)  or secret key (symmetric algorithm).  You will use Public key to verify the JWT which is signed using Private Key.

The cert is just a way to bind a name to a public key. A certificate is a digital document that says "Entity A is the owner of publickey xyz", and that digital document is signed by a signing party. Usually you trust the signing party.

Depending up on the signing algorithm , your server will decode (It wont require any keys) and VERIFY the keys sent in the token.

Server will extract the public key from the certificate and validate with the private key that was used to sign the JWT token


Wednesday, 13 May 2020

OWSM - Basic Understandings

  • Oracle provides a security framework called Oracle Web Service Manager to secure the services across your organization. 


    • We can use OWSM policies to secure 
      • ADF Services.
      • Web Services.
      • RESTFull Services.    



  • Before we use OWSM policies , we need to install OWSM on weblogic server. 
  • OWSM provides Client and Service policies to protect and invoke your secured services. 
  • Service policies are used to secure your exposed services. 
  • Client policies are used to invoke the secured services. 
  • Some of the basic authentication policies are
    • Policy - 1

                             oracle/http_basic_auth_over_ssl_service_policy
                             oracle/http_basic_auth_over_ssl_client_policy

                          This is an authentication only policy for both SOAP and REST service. 

    • Policy -2 

                              oracle/wss_http_token_client_policy
                              oracle/wss_http_token_service_policy

                         This is an authentication only policy for SOAP. It  support transport  authentication. 

    • Policy -3
                           oracle/wss_username_token_client_policy
                            oracle/wss_username_token_service_policy

                          This is an authentication only policy for SOAP. It  support SOAP authentication. 

    • Policy -4 
                               oracle/wss_http_token_over_ssl_client_policy
                               oracle/wss_http_token_over_ssl_service_policy

                      This policy is used authentication as well as message protection . It support transport  authentication.  This will use SSL protection.  Communication happens via HTTPS  port.

    • Policy -5
                             oracle/wss_username_token_over_ssl_client_policy
                             oracle/wss_username_token_over_ssl_service_policy
 
                         This policy is used authentication as well as message protection . It support SOAP     level authentication.  This will use SSL protection.  Communication happens via HTTPS  port.

  • Oracle provide SAML authentication policies for web service.  
  • For more details on other policies refer following oracle link. -  OWSM Policies


Note: 

    If your application is not configured with OWSM then you can use basic authentication to access the services protected using OWSM policies. 

Example : 

      Python :
                     
                   creadentials = base64.encodestring('%s:%s' % (username, password))[:-1]
                   authorization = "Basic %s" % creadentials

     .NET :

              request.Method = "POST";
             request.ContentType = "text/xml;charset=UTF-8";
             request.ContentLength = byteArray.Length;
             request.Headers.Add("Authorization", "Basic " + credentials);