Відео

Glad it helped! Please like, share & subscribe!!!

Can you share some details about Authentik? I have never used that in past.

@@securityinaction1018 like sign up and sign in api and storing details in Idp

I have not tried, but it should work as long as react native app has OIDC / OAuth2 support. Please like, subscribe & share this video / channel !! Thanks in advance.

I guess some settings might have changed in the latest update. I know IAM Identity Center redesigned their entire UI after I recorded this video. I will try to check it again and let you know if I am able to simulate this issue.

Glad it helped!! Please like, subscribe & share this video / channel !! Thanks in advance.

In the case of REST APIs, you need to build a custom lambda authorizer docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html Or other option is to use Cognito user pools which has a built-in integration with API GW docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html Please like, subscribe & share this video / channel !! Thanks in advance.

Glad it helped!! Please like, subscribe & share this video / channel !! Thanks in advance.

Sure, I will consider making the code available on GitHub. Please like, subscribe & share this video / channel !! Thanks in advance.

Thanks for the prompt reply my comments.One thing please I am not find in Okta Application tab to create the oid connect link there are lots of tab available please can you help we here will be go to create the this details your reply will be very helpful to everyone.

While Creating the app itself, you can select "OIDC - OpenID Connect" in "Create a new app integration" screen

@@securityinaction1018 Now current day the Okta Web page has been changed and we are not find where it is OIDC is create, please help ,your prompt response will be very apricated.

I am not really sure because when I login to my Okta developer account, I see that option. Okta docs help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm also matches with my screens

Sure, I will try my best. Thank you for the feedback

Thank you !! Please like, subscribe & share this video / channel !! Thanks in advance.

You can use the OIDC PKCE Authorization code grant flow for mobile apps. Refer docs.aws.amazon.com/cognito/latest/developerguide/using-pkce-in-authorization-code.html

Thank you. Unfortunately, there is no straightforward solution for this issue. It is also reported in Microsoft forums learn.microsoft.com/en-us/answers/questions/1461073/saml-single-sign-out-http-post-binding As of now, the only option is to add some proxy UI between Cognito and AzureAD for the single logout scenario. Please like, subscribe & share this video / channel !! Thanks in advance.

@securityinaction1018 so receive Get call from EntraAD and post it back to AWS cognito using https post?

This needs to be tested and see if it works. I was thinking of a proxy which receives the SAML logout request from Cognito and posts it to AzureAD, receive the SAML logout response from AzureAD and post it back to Cognito. I don't know what challenges we might come across and this needs to be tested to see if it is even feasible.

In general, "Unauthorized" error means client ID / secret used for Google login is wrong. Please verify that and test it again. Please like, subscribe & share this video / channel !! Thanks in advance.

Sure, I will consider that.

Users can self-register or you can use APIs to create user in a user pool. If you can share more details on the exact scenario, I will try my best to provide a solution. Please like, subscribe & share this video / channel !! Thanks in advance.

Angular App can redirect to Cognito which in turn will redirect to AzureAD for authentication. Angular App to Cognito will be a OpenID Connect (OIDC) integration. Please like, subscribe & share this video / channel !! Thanks in advance.

There are many Add ons in Firefox. Try this one addons.mozilla.org/en-US/firefox/addon/cookie-remover/

You can use same OIDC with mobile app. Mobile app needs to open a browser where user can login and then redirect back to mobile app. But, I think Google, Apple supports some native sign-in options which I have not explored much.

I don't remember testing with Auth0. I remember testing with Cognito and it worked fine. We can't validate if ALB is getting the refresh token. But, you can check the Auth0 logs to see if token endpoint is getting called by ALB after the access token expires. Please like, subscribe & share this video / channel !! Thanks in advance.

Are you referring to /oauth/token endpoint call?

Looks like somewhere the configuration specifies issuer as empty string. Is this error thrown during SpringBoot server start process?

@@securityinaction1018 i am getting this error when i try to hit the url in postman to getuser with token

It's difficult to debug without seeing the issue. I am not sure where the issue is happening. You can enable debug logs in SpringBoot app and see if you can find any details there

@@securityinaction1018 i tried debugging the application.. but that’s not possible… whenever i hit the localhost url in postman i m getting 401 error and in logs i can see jwtdecoderinitializationexpection: failed to lazily resolve the supplied jwtdecoder i stance

Ok. If it is ok with you, post the spring application.yaml file configuration here. I think something might be wrong in that config.

Can you point the exact time in the video where it is mentioned? I can check and let you know

@@securityinaction1018 9:01

Ok, I tried it again. If you select "Allow people to log in with their Facebook accounts" instead of "Other", it doesn't support OAuth2 login which is required for Cognito integration. I think "Allow people to log in with their Facebook accounts" is for apps which directly integrate with Facebook login without any middle layer like Cognito.

@@securityinaction1018 Ahh, that explains the issues I've been having. Thank you so much!

Glad it worked!! Please like, subscribe & share this video / channel !! Thanks in advance.

I have not tried it. But looks like it is possible as per this docs learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles Please like, subscribe & share this video / channel !! Thanks in advance.

Glad it was helpful! Please like, subscribe & share this video / channel !! Thanks in advance.

Welcome!! Please like, subscribe & share this video / channel !! Thanks in advance.

You're welcome! Please like, subscribe & share this video / channel !! Thanks in advance.

Sure. Please like, subscribe & share this video / channel !! Thanks in advance.

Can you elaborate the question? What is dynamic user ID?

You're most welcome!! Please like, subscribe & share this video / channel !! Thanks in advance.

This is for browser based flows i.e. authenticating a Auth0 user through Cognito using SAML federation. Can you elaborate what do you mean by using it for APIs?

@@securityinaction1018 I would like to authenticate and authorize api usage

This video might be useful. It is just for reference. If you are using API GW service, it will be a different setup. ua-cam.com/video/66rCfs-3egI/v-deo.html - How to secure SpringBoot REST APIs using Auth0 OAuth2 scopes? ua-cam.com/video/7zyhENQRb7c/v-deo.html - How to secure SpringBoot REST APIs using AWS Cognito OAuth2 scopes?

You cannot integrate AuzreAD with Cognito using OAuth client credentials flow. Since it is OIDC, it supports only authorization code grant flow. Please like, subscribe & share this video / channel !! Thanks in advance.

@@securityinaction1018 I thought so too.. thank you for the confirmation. Thanks to AWS marketing buzz where in devil lies underneath :-D

:) Welcome. If you can explain your use case, I can try my best to help.

@@securityinaction1018 we want to expose existing API and manage in a API management platform. Unfortunately AWS API GW is suggested 😅. So we want to protect the API endpoints ( expose them to internal application, so REST API is choice) & security compliance is to use Azure AD to maintain users, groups, app registrations for M2M use cases.. In this context I ended up in the hands of Cognito ..

Ok. If you want to use a AzureAD M2M client_credentials token for securing APIs hosted in AWS API GW, you can either use custom authorizer or JWT authorizer. JWT authorizer supports only HTTP APIs docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html

Welcome aboard! Thank you :)

I have not tried with these specific versions. But, I guess it should work as long as Spring didn't change any of those OIDC related configurations

I have not worked on SecureAuth. I will try to post a video in future.

Thanks for the response. I will be waiting for the video

Domain cannot be configured without enabling Hosted UI.

Glad it helped!! Please like, subscribe & share this video / channel !! Thanks in advance.

I have not tried it myself. You can check this doc learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui I will try to post a video in future once I find the solution. Thanks for subscribing!!

Here are some links which will clear the confusion : learn.microsoft.com/en-us/answers/questions/1556632/confusion-around-azure-ad-b2c-vs-microsoft-entra-e learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#is-microsoft-entra-external-id-a-new-name-for-azure-ad-b2c Please like, subscribe & share this video / channel !! Thanks in advance.

This video uses client credentials grant which is not user specific. For user based authorization, you need to use authorization code grant, get access tokens and use those access tokens for accessing the APIs. Please like, subscribe & share this video / channel !! Thanks in advance.

@@securityinaction1018 Any tutorial is present regarding user specific scopes configuration? I wanted scopes at user level and not at app client level

This video uses client credentials grant which is not user specific. For user based authorization, you need to use authorization code grant, get access tokens and use those access tokens for accessing the APIs. Please like, subscribe & share this video / channel !! Thanks in advance.

Glad you liked it! Please like, subscribe & share this video / channel !! Thanks in advance.

You can check this blog aws.amazon.com/blogs/security/how-to-secure-api-gateway-http-endpoints-with-jwt-authorizer/

I have not tried that. In case I get a chance to do a POC, will surely post a video.

Glad it worked! Please follow these instructions to assign the app to only certain users /groups learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment Please note that group assignment is available only for certain plans and not for free developer account. Please like, subscribe & share this video / channel !! Thanks in advance.

Sorry, I am not aware of that. If you can share any websites on how it needs to be done, I will surely take a look.

@@securityinaction1018 I'd recommend googling "how to add timestamps to youtube video" and it'll teach you how. Thanks for the video again! Helped a lot.

Glad it helped. Sure, will check it out. Please like, subscribe & share this video / channel !! Thanks in advance.

I am not sure what is really happening since it is difficult to find out without debugging. May be the user credentials that you are using is not assigned to that particular Okta application. But, I am not 100% sure.

Glad it helped! Please like, subscribe & share this video / channel !! Thanks in advance.

Glad it was helpful! Please like, share & subscribe to this channel!