Friday, October 16, 2015

JWT's role in WSO2 App Manager

WSO2 App Manager is a fully fledged solution for managing and governing applications in an enterprise.

App Manager 1.0.0 supports web apps and mobile apps, out of the box.

When an existing web app is published through App Manager, all the HTTP requests to the web app go through the Gateway component of App Manager. This lets the gateway intercept each call and augment a plain web app with authentication, authorization, statistics collection and so on.

In this post, I describe how App Manager can secure an unsecured web app.

App Manager uses SAML and JWT to handle authentication scenarios.

When the gateway receives an HTTP call, it first checks whether the call is coming from an authenticated user. The gateway treats a request as authenticated if either the request has a valid session associated with it, or the request carries a valid SAML response from the trusted identity provider.

If the user is not authenticated, he/she will be redirected to the IdP for authentication.

If the user is authenticated, a JWT is generated and signed by the gateway, and sent to the web app along with the SAML response received from the identity provider.

JWT (JSON Web Token) is a standard for passing a set of user claims between two parties in a signed token. In our scenario the gateway handles authentication on behalf of the web app, so the web app has to trust the gateway; concretely, it should accept only JWTs whose signature verifies against the gateway's certificate, and nothing else that arrives in that header.

The configuration related to JWT in App Manager (header name, signing key, issuer) can be found in the App Manager documentation.

The image below depicts the aforementioned scenario.




When the web app receives the HTTP request, it can read the JWT, which is normally sent as an HTTP header, verify its signature, decode it and use the user information it carries. The claims must only be used after the signature has been verified against the gateway's certificate: an unverified JWT is just base64-encoded JSON that anyone can craft.

e.g. The web app can extract the user information, store it in the user session and use it to give users a personalized view.
If the web app developer had to develop the authentication part from scratch, it would take more time. Having App Manager in between reduces that cost.

Decoding a JWT and verifying its signature needs some coding, but there are a lot of libraries which do that for you. jwt.io is a pretty cool website where you can find information about JWT implementations in different languages.

If you are looking for a Java implementation, Nimbus-JOSE-JWT is a good option.

I wrote a small Jaggery module to wrap the functionality of the above library.

Below is a code snippet of its usage.

index.jag
=======


// Jaggery exposes request, response, session and include() as globals;
// a Log instance has to be created explicitly.
var log = new Log();

var config = require('config.json');
var jwtClientModule = require('/modules/jwt-client.js');
// headerName: the HTTP header the gateway puts the JWT in.
// certificatePath: the gateway's certificate, used to verify the JWT signature.
var jwtClient = new jwtClientModule.JWTClient(request, config.jwtClient.headerName, config.jwtClient.certificatePath);

jwtClient.init();

log.debug("JWT = " + jwtClient.jwt);

if(jwtClient.isJWTPresent()){
  include('includes/jwt_login.jag');
}else{
  // No JWT means the request did not come through the gateway: send an HTTP 401.
  response.status = 401;
}

   
jwt_login.jag
==========        


// jwtClient and log are shared with the including page (index.jag); Jaggery's include()
// runs the included script in the same scope. logAndShowError() is assumed to be
// defined by the application.
authenticateAndAuthorize();

function authenticateAndAuthorize(){

  try{
    jwtClient.parse();

    // Only claims from a token whose signature verifies against the gateway's
    // certificate may be trusted.
    if(jwtClient.verify()){
      log.debug("Verified the signature of the JWT.");

      var subject = jwtClient.getSubject();
      var issuer = jwtClient.getIssuer();
      var claims = jwtClient.getClaims();

      // Besides the signature, compare issuer with the gateway's configured issuer
      // and check that the token has not expired before using the claims.
      setSessionAttributes(subject, claims);

      // Implement your authorization logic based on the claim values.

    }else{
      logAndShowError("Authentication failure. Cannot verify the JWT signature.");
    }
  }catch(e){
    logAndShowError("Authentication failure. Something went wrong ", e);
  }

}

function setSessionAttributes(subject, claims){

  session.put("logged-in", "true");
  session.put("username", subject);
  
  // App Manager sends the user's roles as one comma-separated string under this claim URI.
  var roles = claims.get("http://wso2.org/claims/role");
  if(roles){
    roles = String(roles).split(',');
    session.put("roles", roles);
  }

}

Wednesday, June 10, 2015

Application / Subscription Sharing in WSO2 API Manager 1.9

How it works


This feature enables users in the same organization (group) to share applications and subscriptions: all applications and subscriptions created by a user in an organization are visible to the other users in the same organization.

How does API Manager know the organization of a user ?


WSO2 API Manager Store and Publisher web apps support more than one authentication mechanism, e.g. authentication via Carbon user stores, or SAML-based SSO.

As a result, the way the organization of a user is determined has to match the authentication mechanism in use.

API Manager ships with a default implementation for the default authentication mechanism, and lets you plug in a different implementation.

This article explains how application / subscription sharing can be done with the default implementation.

Enabling application / subscription sharing


Uncomment the following line in APIM_HOME/repository/conf/api-manager.xml
<GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor>

Use case


1) A user gives his/her organization during the sign-up process. (See Fig. 1)
user_a and user_b belong to org_1



Fig. 1


2) Then the user creates a new application. (See Fig. 2)
    user_a creates app_a.


Fig. 2


3) Since user_b also belongs to org_1, he can see the application which user_a created. (See Fig. 3)

Fig. 3



4) user_a subscribes to WeatherAPI (See Fig. 4)

Fig. 4



5) Since user_b also belongs to org_1, he can see the subscription to WeatherAPI. (See Fig. 5)


Fig. 5