App Manager 1.0.0 supports web apps and mobile apps, out of the box.
When an existing web app is published through App Manager, all the HTTP requestes to the web app go through the Gateway component of App Manager. This feature enables us to intercept the call and augment a plain web app with authentication, authorization and stat collection etc ..
In this post, I describe how App Manager can secure an unsecured web app.
App Manager uses SAML and JWT to handle authentication scenarios.
When the gateway receives an HTTP call, it first checks whether the call is coming from an authenticated user. Gateway decides whether a requested is authenticated, by checking either the requested has a valid session associated with it, of the request has a valid SAML response from the trusted identity provider.
If the user is not authenticated he/she will be redirected to the IDP for authentication.
If the user is authenticated, a JWT will be generated, signed by the gateway and sent to the web app along with the SAML response received from the identity provider.
JWT is a standard to securely share user claims between two parties. In our scenario, gateway is the one who handles authentication on behalf of the web app. So the web app should trust the gateway.
The configuration related to JWT in App Manager, can be found in App Manager documentation
The image below depicts the aforementioned scenario.
When the web app receives the HTTP request, it can read the JWT, which is normally sent as an HTTP header and decode it and use the user information accordingly.
e.g. The web app can extract user information and store it in the user session and use that information give a personalize view for users.
If the web app developer has to develop the authentication part from the scratch, then it would take more time. But having App Manager in between, reduces that cost.
Decoding a JWT and verifying the signature needs some coding. But there are a lot of libraries which do that for you. jwt.io is a pretty cool website where you can grab information about different JWT implementations in different languages.
If you are looking for a Java implementation Nimbus-JOSE-JWT is a good option.
I wrote a small Jaggery module to wrap the functionality of the above library.
Below is a code snippet of its usage.
index.jag
=======
var config = require('config.json');
var jwtClientModule = require('/modules/jwt-client.js');
var jwtClient = new jwtClientModule.JWTClient(request, config.jwtClient.headerName, config.jwtClient.certificatePath);
jwtClient.init();
log.debug("JWT = " + jwtClient.jwt);
if(jwtClient.isJWTPresent()){
include('includes/jwt_login.jag');
}else{
// Send an HTTP 401
}
jwt_login.jag
==========
authenticateAndAuthorize();
function authenticateAndAuthorize(){
try{
jwtClient.parse();
if(jwtClient.verify()){
log.debug("Verified the signature of the JWT.");
var subject = jwtClient.getSubject();
var issuer = jwtClient.getIssuer();
var claims = jwtClient.getClaims();
setSessionAttributes(subject, claims);
// Implement your authorization logic based on the claim values.
}else{
logAndShowError("Authentication failure. Cannot verify the JWT signature.");
}
}catch(e){
logAndShowError("Authentication failure. Something went wrong ", e);
}
}
function setSessionAttributes(subject, claims){
session.put("logged-in", "true");
session.put("username", subject);
var roles = claims.get("http://wso2.org/claims/role");
if(roles){
roles = roles.split(',');
session.put("roles", roles);
}
}
