apifest / apifest-oauth20 Goto Github PK

ApiFest OAuth 2.0 Server - API security. The ApiFest OAuth 2.0 Server Java implementation of OAuth 2.0 protocol

Java 100.00%

apifest-oauth20's Introduction

#ApiFest OAuth 2.0 Server and Mapping ApiFest consists of two main parts - the ApiFest OAuth 2.0 an OAuth 2.0 server and the ApiFest Mapping Server.

##ApiFest Mapping Server The ApiFest Mapping Server is for people who have APIs and want to expose them to the world in a safe and convenient way. The ApiFest Mapping Server is used to translate between the outside world and your internal systems. It helps you keep a consistent API facade.

###Features

mappings are described in xml;
can validate and authorize requests using the ApiFest OAuth20 Server;
out-of-the-box flexible mapping options - several versions support, different hosts to which API requests could be directed to;
easy to extend and customize;
customizable error messages and responses;
"online" change of all configurations;
unlimited horizontal scalability;

##ApiFest OAuth 2.0 Server The ApiFest OAuth 2.0 Server implements OAuth 2.0 server side as per http://tools.ietf.org/html/rfc6749. It enables the usage of access tokens in ApiFest Mapping Server.

###Features

register new client app;
generate access token using auth code;
generate access token using username and password - grant_type=password;
generate access token using client credentials - grant_type=client_credentials;
generate access token using refresh token - grant_type=refresh_token;
revoke access token;
validate access token;
pluggable storage (currently supports MongoDB and Redis);
unlimited horizontal scalability;

##ApiFest Mapping Server Quick start: 1. apifest.properties file

Here is a template of the apifest.properties file:

apifest.host=
apifest.port=
apifest.mappings=
apifest.global-errors=
token.validate.host=
token.validate.port=
connect.timeout=
custom.jar=
apifest.nodes=
hazelcast.password=

The path to the apifest.properties file should be set as a system variable:

-Dproperties.file

Setup the ApiFest Mapping Server host and port

The ApiFest Mapping Server can run on different hosts and ports. You can define ApiFest Mapping Server host and port in the apifest.properties file - apifest.host and apifest.port

By default, ApiFest Mapping Server will start on localhost:8080.

Setup mappings

The ApiFest Mapping Server needs information how to translate requests between the outside world and your internal system. That should be done in a mapping configuration file. The mapping configuration file is XML with schema accessible in the project under resources folder - schema.xsd.

Here is an example mapping file:

<mappings version="v0.1">
    <actions>
        <action name="ReplaceCustomerId" class="com.apifest.example.ReplaceCustomerIdAction"/>
        <action name="AddSenderIdInBody" class="com.apifest.example.AddSenderIdInBodyAction"/>
    </actions>
    <filters>
        <filter name="RemoveBalance" class="com.apifest.example.RemoveBalanceFilter"/>
    </filters>
    <backend host="127.0.0.1" port="8080"/>
    <endpoints>
        <endpoint external="/v0.1/me" internal="/customers/{customerId}" method="GET" authType="user" scope="basic">
            <action name="ReplaceCustomerId" />
            <filter name="RemoveBalance" />
        </endpoint>
        <endpoint external="/v0.1/me/friends" internal="/customers/{customerId}/friends" method="GET" authType="user" scope="basic">
            <action name="ReplaceCustomerId" />
        </endpoint>
		<endpoint external="/v0.1/users" internal="/users" method="GET" authType="user" scope="basic">
            <customProperties>
                <entry>
                    <key>com.name.project.package.RequiredAccessRights:value</key>
                    <value>VIEW_USERS,MANAGE_USERS</value>
                </entry>
            </customProperties>
		</endpoint>
        <endpoint external="/v0.1/countries/{countryId}" internal="/countries/{countryId}" method="GET" authType="client-app" varExpression="\w{3}$" varName="countryId"/>
        <endpoint external="/v0.1/mobile-auth/{mobileId}" internal="/mobile-auth/{mobileId}" method="GET" authType="user" varExpression="\d{6,15}$" varName="mobileId"/>
        <endpoint external="/v0.1/mobile-auth/{mobileId}" internal="/mobile-auth/{mobileId}" method="POST" authType="user" varExpression="\d{6,15}$" varName="mobileId"/>
    </endpoints>
    <errors>
        <error status="404" message='{"error":"resource not found"}' />
        <error status="405" message='{"error":"method is not allowed on that resource"}' />
        <error status="500" message='{"error":"ops...something wrong"}' />
    </errors>
</mappings>

XML specific tags explained:

version - is the version of your API this mapping file describes
actions - defines actions with name and class
filters - defines filters with name and class
backend - defines where your API is running, requests should be translated to that backend
endpoint - is a mapping between outer ednpoint and your API endpoint;
external - the endpoint visible to the world;
internal - your backend endpoint;
method - HTTP method;
scope - scope(s) of the endpoint;
authType - user for tokens obtained with user credentials, client-app for tokens obtained for client application;
action - defines action that will be executed before requests hit your API;
filter - defines filter that will be executed before responses from API are returned back;
varName - the name of the variable/s used in internal/external path (space delimited);
varExpression - regular expression (Java format) for varName (space delimited);
error - customize error responses - status attribute value defines the HTTP status for which message attribute value will be returned;
customProperties - defines properties specific to the endpoint

You can define as many mapping configuration files as many versions your API supports. The ApiFest Mapping Server will get all mappings files from the directory defined in the apifest.properties as

apifest.mappings

Setup Global errors

The ApiFest Mapping Server enables you to customize the error responses that are not related to a specific mapping configuration. For instance, when there is no mapping for a resource the default ApiFest Mapping Server response for 404 Status Code will be returned:

Status Code HTTP 404 Content-Type application/json {"error":"Not found"}

You can customize the content of that response using an XML file that describes your custom global errors. Here is an example file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<global-errors>
  <error status="401" message='{"error":"unauthorized"}'/>
  <error status="404" message='{"error":"resource not found"}'/>
</global-errors>

Using that customization, the response content when a resource is not mapped will be '{"error":"resource not found"}'. In order to setup errors customization in ApiFest Mapping Server, you should set the path to the configuration file in apifest.properties file as

apifest.global-errors

Setup token validation host and port

If access token is required for an endpoint, first it should be validated. The host and port where the ApiFest OAuth 2.0 Server runs are set by the following properties in the apifest.properties file -

token.validate.host and token.validate.port

Setup connection timeout

In order to setup connection timeout(in ms) to the backend, use the following property in the apifest.properties file -

connect.timeout

If you have custom request/response transformations, then you can set the path to your jar with transformations by the following property:

custom.jar

As ApiFest configurations are stored in distributed cache, you need to setup all other nodes (as comma-separated list of IPs) on which the ApiFest Mapping Server is running. To do that use the following property in the apifest.properties file -

apifest.nodes

As Hazelcast is used as a mapping configurations storage, you can set a password that will be used when Hazelcast is started in the ApiFest Mapping Server (otherwise the default Hazelcast password - dev-pass will be used). To set a password use the following property in the apifest.properties file -

hazelcast.password

3. Start the ApiFest Mapping Server

You can start the ApiFest Mapping Server with the following command:

java -Dproperties.file=[apifest_properties_file_path] -Dlog4j.configuration=file:///[log4j_xml_file_path] -jar apifest-0.1.0-jar-with-dependencies.jar

When the server starts, you will see: ApiFest Mapping Server started at [host]:[port]

apifest-oauth20's People

Contributors

Stargazers

Watchers

apifest-oauth20's Issues

Update client app status

By default when a client app is registered its status should be "disabled". A service that updates the status to "enabled"/"disabled" should be implemented.

Add scope validation that checks it doesn't contain space

Add scope validation that checks it doesn't contain space. That is required because space is used as scope delimiter.

When GET /oauth20/scopes/ and /oauth20/applications with non-existing scope/clientId return HTTP 404

Add lifecycle events handlers

Increase the length of clientId generated

Add Hazelcast as a supported storage

Add Hazelcast as a supported storage.

Add appropriate messages when JSON is not valid or input validation does not pass

Add appropriate messages when JSON is not valid and input validation does not pass.
Add the following fields validation:

status in /oauth20/applications must be integer
cc_expires_in, pass_expires_in and refresh_expires_in in /oauth20/scopes must be integer

Add service delete application

Implement functionality that deletes a client application.

Add service delete scope

Return redis connection to pool when registering scopes and updating client applications

At present when using a redis token storage the redis connection is not returned to the driver pool. This causes connection leakage.

Add property for hazelcast password (when Hazelcast storage is used)

Add property for hazelcast password - hazelcast.password. The password will be used when Hazelcast is started in the ApiFest OAuth 2.0 server and Hazelcast is used as a storage.

Improve performance of reading json requests

Reuse the same instance of ObjectMapper instead of creating a new one on every call.

Do not first convert the body of a request to a String to only call ObjectMapper.readValue(String, Class). Rather we can just wrap the ChannelBuffer into an input stream and call ObjectMapper.readValue(InputStream, Class). This way we would avoid unnecessary operations.

Client app scope should be updatable

Client app scope should be updatable. If a client application is registered with one scope, later it could be changed or another scope could be added.

Add application parameters to client_credentials tokens

Sometimes when an application is registered, the parti that register the application in the OAuth server needs to associate specific state with it.
For example a company, that issues a clientId and a client secret to a customer might need to map a token fetcheed using those credentials to an internal ID.
The propesed solution works as follows:

Create a new application supplying an attribute "application_details" to POST /oauth20/applications. It's a JSON object.
When you validate a token issued against the clieentId/client secred of the application, the object you supplied when creating the application, will be returned back to you.

Return same client application info on GET /oauth20/applications and GET /oauth20/applications/{client_id}

Support for outer Hazelcast cluster

Hazelcast might not be started in ApiFest OAuth server itself but an outer Hazelcast cluster might be used.

Add support for scope when issue an access token with grant_type=authorization_code

Add support for TLS/SSL

NIO Sockets make this a non-trivial task but there is already an example in netty-3.10.4.Final/src/main/java/org/jboss/netty/example/securechat.

Issue client app password that will be used for Basic Authorization

Store additional details associated with an access token

Store additional details associated with an access token. That functionality is not mandatory but it's good to have when a client application needs to link some user information to user access token.

Invalidate access tokens when the corresponding client app is deactivated

Change error message when trying to obtain access token for inactive client app

Change error message when trying to obtain access token for client app that is not active

Read client_id and client_secret from request body of POST /oauth20/tokens/revoke

Add client app additional details in GET /oauth20/applications response

Read alternatively client_id from Basic Authorization header

Read alternatively client_id from Basic Authorization header for /oauth20/tokens and check password is assigned to that client app.

Search tokens by user and client application

The ability to find out tokens by user & client id should be added.

Validate the submitted cliend_id and client_secret and return a correct message upon validation

Validate the submitted cliend_id and client_secret and return a correct message upon validation.
Currently there is a missing validation for registering new applications and a present validation in activating application returning "Not found" message.
The validation with a correct message should be implemented upon:

Registering a new client application with pre-generated client_id/client_secret.
Activating the application.

Cleanup startup config

Cleanup startup config. Start the application even if no properties file is set, use default config.

Make refresh token expires_in configurable

Make refresh token expires_in configurable. The configuration will be associated with scopes. If several scopes are set to a client app the maximum expires_in will be used for refresh tokens. If no expires_is is set, then pass_expired_in from the scope will be used.

When client_id or client_secret is missing on POST /oauth20/tokens, return "mandatory parameter client_id/client_secret is missing"

When client_id or client_secret is missing on POST /oauth20/tokens, return "mandatory parameter client_id/client_secret is missing". Currently, the following error is returned: "invalid client_id/client_secret".

When DELETE a scope that is already assigned to a client application, return 400 Bad Request

Currently, the HTTP Status code returned is 200 OK instead of 400 Bad Request.

Authentication response may be custom one - if user authentication requires more details as a subsequent step

Add status filter to client applications resource

Add status filter to client applications resource
/oauth20/applications?status=1 - will return all active client applications
/oauth20/applications?status=0 - will return all inactive client applications

Add Content-Type header on error response

Add Content-Type header on error response. Currently, some error responses miss Content-Type header.

Check Content-Type is application/x-www-form-urlencoded on POST /oauth20/tokens

Check Content-Type is application/x-www-form-urlencoded on POST /oauth20/tokens. If the Content-Type is not application/x-www-form-urlencoded, return {"error":"unsupported media type"}.

Add support for custom grant_type

Add support for custom grant_type.

Add custom user authentication

User authentication could be customizable - the users of ApiFest product could implement their specific user authentication. Instead of user authentication endpoint property, the path to the JAR that contains the specific implementation will be set and the class that implements the interface for user authentication.

Add cache for scopes

As scopes are not updated so often, they could be cached.

Add startup script

Change the HTTP status when an access token revocation is not successful

When an access token is revoked but the operation fails, the current response is:
Status Code: 200 OK
Content-Type: application/json
{"revoked":"false"}

The HTTP status should be different from HTTP 200 OK.

Fix resolving oauth20.host in Hazelcast configuration

Fix resolving oauth20.host in Hazelcast configuration.

redirect_uri should be optional in case of auth code generation

redirect_uri should be optional in case of auth code generation. When no redirect_uri query parameter is passed, then the redirect_uri of the client application should be used.

Getting Maven Install Issue

Hi ,

Need your assitance I am trying to install apifest-oauth20 and getting below error please suggest for fix.

Failed to execute goal on project apifest-oauth20: Could not resolve dependencies for project com.apifest:apifest-oauth20:jar:0.1.3-SNAPSHOT: Failure to find com.apifest:apifest-oauth20-api:jar:0.1.2 in http://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]

Regards
Anil

Add Content-Length header even if the response is empty

Add Content-Length header even if the response is empty.

Add exception event handlers

Add interface for exception event handlers in ApiFest OAuth20. The custom exception event handlers should be invoked on any exception thrown in the application for a better monitoring of the app. These custom event handlers may log the errors, emit some events or whatever the ApiFest OAuth20 developers need.

client_secret
REQUIRED. The client secret. The client MAY omit the
parameter if the client secret is an empty string.
"

apifest / apifest-oauth20 Goto Github PK

apifest-oauth20's Introduction

apifest-oauth20's People

Contributors

Stargazers

Watchers

Forkers

apifest-oauth20's Issues

Recommend Projects

Recommend Topics

Recommend Org