问题
We have a vendor supplied solution that requires a username and password to utilize their APIs exposed as a web service. They are to be included in the actual xml of the call. We obviously don't like that.
Does anyone know of any product, system, whatever, that we can have calling systems authenticate to with token based security, which would then inject the username password and forward the request in a secure zone accessible by the product but not the outside callers. And of course return the response through.
For example:
回答1:
The Authentication/Proxy service has a name - Security Token Service (STS). oAuth token exchange working draft has a good summary of STS and its purpose:
A Security Token Service (STS) is a service capable of validating security tokens provided to it and issuing new security tokens in response, which enables clients to obtain appropriate access credentials for resources in heterogeneous environments or across security domains.
Web Service clients have used WS-Trust [WS-Trust] as the protocol to interact with an STS for token exchange. While WS-Trust uses XML and SOAP, the trend in modern Web development has been towards RESTful patterns and JSON. The OAuth 2.0 Authorization Framework [RFC6749] and OAuth 2.0 Bearer Tokens [RFC6750] have emerged as popular standards for authorizing third-party applications' access to HTTP and RESTful resources.
The conventional OAuth 2.0 interaction involves the exchange of some representation of resource owner authorization for an access token, which has proven to be an extremely useful pattern in practice. However, its input and output are somewhat too constrained as is to fully accommodate a security token exchange framework.
Most STSes (incl. the type specified by oAuth token exchange draft) do not deal with heterogeneous tokens as your use case requires beyond, say, oAuth to SAML or vice versa. The solution to your use case is most likely going to involve a custom-coded STS. We've implemented STSes that translate oAuth/SAML to anything (e.g. SOAP with a custom credentials header like yours) for our clients using a variety of products/stacks/platforms/etc.
We often use Salesforce as the platform, it provides a lot of plumbing that helps with this use case. To be fair, similar plumbing is available in quite a few platforms and stacks - from the big 3 (AWS/GCP/Azure) to Java/Python/Ruby/Node/Go with appropriate libraries to identity & access management products such as Keycloak.
回答2:
I would go for the @identigral STS proposal. As @identigral mentioned, the recommendation is to use some Identity Management (IdM) such as Keycloak to provide the OAuth 2.0 tokens and in the near future convince your vendor to use some IdM. To see an example on how to generate Keycloak tokens check this repo and also this Stackoverflow question. For your use case I see three possible solutions:
If you are developing things with Java I would go for an API Gateway such as Netflix Zuul. Spring framework supports Zuul and apply OAuth 2.0 tokens to Zuul is a very good option. For the config part again Spring provides Cloud Config to store global configuration for your component and it can be easily connected with Zuul.
Use some commercial tool such as Google Apigee. Take a look at it, everything described in point 1.) can be configured using Apigee at an API level covering multiple programming languages.
You can also use a reverse proxy as Proxy API Gateway with Security such as Nginx or Traefik.
Any solution can be good for you, it depends on your specific use case.
来源:https://stackoverflow.com/questions/57998499/proxy-security-service-for-web-service-requiring-uname-password-in-the-request