9 Replies Latest reply on Jul 16, 2018 3:11 PM by GuillaumeFaure

    Bearer Authentication on Google Domain

    GuillaumeFaure

      Dear PI Square,

       

      In our company, we would like to implement a secured web API with Bearer authentication. We use Google as our company mailing system, which means our addresses name@company.com are on Google.

       

      Ray wrote this some months ago: Claims-based authentication in PI Web API 2017

       

      A Caveat: At the moment, a user claim obtained from the identity provider must match the User Principal Name (UPN) in the PI Web API Server's Windows domain. In my case, OSIsoft's Active Directory knows me as ray@osisoft.com. To use claims-based authentication, ray@osisoft.com is what must be returned by an identity provider. This means we can't currently support other OpenID Connect providers such as Google because there is no way to configure ray@osisoft.com to be my identity claim in Google.

       

      I wonder if, in my company, I could use my address to be claimed by Google.

       

      How could I try this?

       

      I'm trying to connect to the API via Google Apps Script, but I would like to know if I should dig into this method or drop it because PI Web API cannot support it.

       

      Thanks, experts,

       

      Best regards,

        • Re: Bearer Authentication on Google Domain
          gregor

          Hello Guillaume,

           

          To my understanding, Ray answers your question in his related post, which you quoted: the Google OpenID Connect provider is currently not supported.

           

          This is also confirmed in the case you raised with Technical Support.

           

          I do not know if what you are asking is possible or what the implementation effort would be, but your ask itself appears reasonable. Among other resources, I have checked the existing enhancement requests for PI Web API at UserVoice, did not find anything related to your ask, and hence suggest you post an enhancement request.

           

          I don't expect any positive outcome, but because you've asked how you can test, please allow me to refer you to the PI Web API 2017 R2 User Guide.

          • Re: Bearer Authentication on Google Domain
            vkaufmann

            Hi Guillaume,

             

            It appears as though Ray's post on this matter has caused a few misconceptions about what the Web API supports regarding claims authentication. To put it simply, the PI Web API can theoretically support any identity provider which implements the OpenID Connect specification and OAuth 2.0. Some examples of identity providers that implement OpenID Connect are the ones that Ray listed in his post (Azure AD, ADFS, and Ping Federate), but we are not actually limited to those identity providers at all. In Philadelphia, we currently have a claims lab set up that implements Bearer authentication with the Web API using an open-source identity provider known as Gluu. We've also had cases with customers in which they are using their entirely home-grown identity provider as well. In fact, the terminology itself can be a bit misleading; the way we perform authentication in this way would be better described as OAuth authentication, but industry has adopted terms like "claims" and "bearer" to be more generic.

            In reality, it appears that Google is very compliant with the necessary specifications needed to use bearer authentication with the Web API. The trick here is to understand which claim type provided by the Google IdP can be mapped to the UPN claim type that the Web API is expecting. This is not always trivial but can usually be resolved with enough tinkering. If the assertion is correct that the Google IdP is storing something that looks like name@company.com which can map to something in Active Directory, we might have a shot at supporting this customer in his claims configuration.

            Now, a caveat about our current claims implementation is that it's really Kerberos wearing a fancy hat. Once the Web API receives the claim type that maps to UPN, it takes that claim and requests a Kerberos ticket on behalf of that user using the Claims To Windows Token Service. We can't support a full claims solution until our backend servers can authenticate users with a claim as well.

             

            --Vince

            4 of 4 people found this helpful
            • Re: Bearer Authentication on Google Domain
              GuillaumeFaure

              Thanks Vince and Gregor for your answers and advice,

              I'm now confident and ready to set up Bearer auth; nevertheless, I face some issues and questions.

               

              In Google Apps Script, I have two options:

                 a) I do the full process to get the JWT (the flow described by Google Identity Platform).

                 b) I use the function ScriptApp.getOAuthToken() to get an access_token directly.

               

              For the moment, I can test only with option (b). Indeed, I'm not an administrator of the domain and I can't access the Google API credentials to request client_id/client_secret parameters.

               

              So, basically, I'm requesting an OAuth token and I decoded this token (I'm curious). This is what I get: a jti (it's supposed to be a pre-token, a JWT ID)

               

               

              I concluded that the return value of the function ScriptApp.getOAuthToken() is the access_token.

               

              In the PI Web API 2017 R2 User Guide I read, regarding Bearer auth, that:

              OpenID Connect can be used with claims embedded in the access token as a JWT, or from claims obtained from the identity provider's UserInfo endpoint as configured by an administrator. When configured for bearer authentication, PI Web API supports access tokens in the Authorization header for requests.

               

              When using an identity provider that cannot be configured with CORS to return metadata for browser based calls, the PI Web API can act as a relay to get the configuration and JSON Web Key Set (jwks) information from the identity provider. The browser can obtain these by configuring the BearerIssuer setting

              So I understood (I think I'm wrong now) that I have to give PI Web API the access_token and let it request the needed info from Google. The only thing I need is to configure the AF configuration of the API properly.

               

              So I coded this in Google Apps Script:

               

              // Access token of the script's effective user, minted by Apps Script itself
              var token = ScriptApp.getOAuthToken();

              function Call(url) {
                var headers = {
                  "Authorization": "Bearer " + token
                };
                // muteHttpExceptions keeps a 401/403 from throwing so the status and body can be inspected
                var options = { "method": "get", "headers": headers, "muteHttpExceptions": true };
                var response = UrlFetchApp.fetch(url, options);
                return response.getContentText();
              }

               

              and these are my AF settings:

               

               

              Unfortunately, when I try a call, the Event Viewer gives me this error:

               

               

              I understand the error code but not its context. Is the Request_URI linked to BearerIssuer?

               

              I currently have only TCP 443 open to the internet on my test VM; shall I open TCP 80?

               

              Once again, thanks for your support and experience,

               

              Best regards,

                • Re: Bearer Authentication on Google Domain
                  gregor

                  Hi Guillaume,

                   

                  Before going more into details, can you please make sure that all of the Configuration Attributes are configured as Configuration items, which is then indicated by the little pencil icon. We have seen more than one case recently where Attributes not configured as Configuration items were causing issues.

                  1 of 1 people found this helpful
                    • Re: Bearer Authentication on Google Domain
                      GuillaumeFaure

                      Thanks Gregor, you are right. I modified this and this is the new error code:

                       

                      Nevertheless, I still get this error:

                      What is the AF attribute type for BearerValidAudience?

                      In the debug log, I get these messages:

                      In Wireshark I see that PI Web API contacts accounts.google.com.

                      Unfortunately, it sounds like Google never replied.

                       

                       

                      I think it's a network issue; I asked my network expert to check.

                      Indeed, I don't receive any answer from the Google OAuth server.

                       

                      I'll keep you updated,

                       

                      Best regards,

                    • Re: Bearer Authentication on Google Domain
                      awoodall

                      I was able to set up Google OpenID to work with a PI Web API instance in a Bearer authentication configuration using an access token, using the open-source oidc-client-js on GitHub here: GitHub - IdentityModel/oidc-client-js: OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript ap… I will try to outline the steps I took to get it to work in this configuration, which you can try setting up as a test if needed.

                       

                      First I used a Google account with an email in the domain of my PI Web API system. This part I did a while ago and I can't recall if Google did some email verification checks before creating the account, but I'm pretty sure they will. If for some reason they did not, I would be hesitant about trusting Google as an IdP. So anyway, I reused my existing Google account mapped to my email for this test.

                       

                      On the Google side I had to create a project in the Google Developer Console, and for this project add an OAuth2 client ID credential. Here is how to get to the credential area to create the credential:

                       

                       

                       

                      When creating the credential you specify the origin URI of the application and the redirect URI where Google should send the browser with the access token after login. Once created, it will generate a Client ID that is used to identify the application.

                      The oidc-client-js library has a NodeJS test application with a webpage called user-manager-sample.html that has an associated user-manager-sample.js file. It looks like this with some PI Web API buttons added:

                       

                      The steps here represent the sequence of actions you would take after configuration is complete.

                      Step 1: Redirect to Google to Login

                      Step 2 (after Google redirects back with access token): Load the access token info. It returns some error when clicking this but still works, likely because the test program is expecting the JWT id_token to be passed back.

                      Step 3: Make the PI Web API request with the access token.

                       

                      In this user-manager-sample.js file there is a settings variable where I had to use configuration like the following to indicate the PI Web API location and the Google client ID, and to ask for an access token in the response type:

                       

                      Then my PI Web API button action is set as follows, passing the received access token to PI Web API:

                       

                      On the PI Web API side, I used these configurations for Bearer auth:

                      AuthenticationMethods=[Bearer]

                      BearerEnableJwt=False

                      BearerIssuer=https://accounts.google.com/

                      BearerUpnClaimType=email

                       

                      I also had to configure CorsOrigins for the application location.

                       

                      For troubleshooting this I found Fiddler to be a useful tool on the PI Web API server. If PI Web API received a good access token, with this tool I could see a request from PI Web API to Google's OAuth2 userinfo endpoint like this, where the email claim is returned.

                      From this info the C2WTS service should be able to convert this to a Windows token for PI Web API.

                       

                      HTH,

                      Arnold

                      3 of 3 people found this helpful