I am running into a situation where I am creating an application in symfony 6.2 to replace a legacy application. We are keeping all the users and I have a migration command that is moving the users from the legacy application to the new one. The problem I am running into has to do with the users’ passwords.
My preferred workflow would be:
User logs into new application
Form based authentication tests the credentials
Attempt to login to the legacy application API on credential test failure
Encode and store password in new application when the API login to the legacy application succeeds
I am stuck at the point of determining that the current user's credentials do not work on the new application and performing the API call to encode the password and store it.
Preferably I would like to be able to chain authenticators though I do not see that as an option.
I have created a custom authenticator that would perform the actions needed against the legacy API and on success encode and store the provided password to the user object.
I am wondering whether my custom authenticator has to handle the new application login form and security tasks?
Thanks in advance :)
Related
I have a web application which uses the UserInterface of Symfony for login and registering users.
And I have developed another application in Java which will have to communicate with my web application only if the user of the Java app is registered with the web application.
So in my Java application I'll ask a login and a password and I will send that to the web application.
But how can I check if it's the good user because I can't see the clear password of an user with UserInterface of Symfony?
I know it's for security reason, however in my special case I think that I have to decrypt my password user.
You can't.
First and foremost, because passwords and not encrypted. They go through a one-way cryptographic hashing function.
You can either verify the password against the hash in Symfony's side (by calling an endpoint and providing the credentials, and letting Symfony tell if they are OK or not)
Or, if your Java application has access to the same DB, replicate the verification on this side. (Something like this if you are using Bcrypt on Symfony; or something like this if you are using Argon2i).
I'm quiet new to slim, but I want to give it a try. I have created an application, which uses twig as view rendering.
A user should authenticate against a database (via a login form), before access administration. I created a login form, but now I'm stuck.
I found some libraries and middleware, helping with basic HTTP Authentification, but that is not quiet what I want.
I simply could store a session var, after checking the users information with my database, but is this actually secure?
Some people using authentication libraries, like Zend/Authentification oder Session.
Also, there is the whole token based authentification, but I don't know, if I should use this, when not creating an REST application.
I just want to understand, what does mean "secure" in a slim3 application and how to handle a user login with all it's aspects, to create a secure backend experience. Are there any libraries I should use, to build a middleware around?
Thanks for clarification/help.
I've been building applications in Slim for a little over 1 years, and I went through the same problem at the beginning, my tip for you is, as slim is meant to be a simple framework, it has nothing as default, so you you need to build the security of your application;
I started by trying some authentication libs, but starting to build mine.
Basically what i used
First I used Basiauth, with CSRF
Then I set out to build OAuth 2 authentication, ensuring token access to resources, and access rules.
For this I used a very powerful library https://oauth2.thephpleague.com/
Moodle version 3.2
I have a desktop based application which is integrated with Moodle i.e. it uses users and their credentials created in Moodle.
Correct me if I m wrong. Password in Moodle is salted and then stored in database. And, this encryption is irreversible. So, how do I authenticate the users on my external application?
I assume, I'll have to redirect users to moodle's authentication API and then redirect them back to my application after successful or unsuccessful attempt.
Please help on how to go about it.
Thank you.
Moodle has an entire Authentication API for this purpose. Check this out https://docs.moodle.org/dev/Authentication_API
I'm currently developing an app using Laravel. What I want to do, is to link this app to a SugarCRM app.
A simple workflow could be this:
User arrives to the app (Laravel app), enters its credentials
-> Credentials are sent to SugarCRM
-> if credentials are ok, the user is logged into the Laravel app.
Long story short, SugarCRM is used for the authentication to my Laravel App.
To do this, I developed a custom driver to my Laravel app.
The problem is:
If I quote the Laravel doc about custom Auth driver:
retrieveByCredentials: This method should not attempt to do any password validation or authentication.
Laravel Auth system requires to check first if the user exists in the base, with "no attempt to do any password validation or authentication".
But to do any kind of request to SugarCRM, I must authenticate first.
How should I deal with this without writing too dirty code?
What the docs mean there is that function shouldn't validate or authenticate credentials for your application. So if that function is called it shouldn't log that user in, but just return their credentials.
Its fine to authenticate to your external service so you can interact with their API.
I am developing rest apis in symfony application.
Right now my apis are used by my application only on frontend (ajax requests by Angularjs). In future I would like to expose same APIs to third party applications as well.
Also I will be having have Android, IPhone apps etc in future.
I have integrated FOSOAuthServerBundle, and have tried all grant type workflows. Its all working. But I am confused about can these be used by my application or are they for only 3rd party applications who like to integrate with my application ?
I understand how these workflow can be used by 3rd party apps. But really can't understand how can I authenticate my native application users ?
I want to know how to use this bundle to authenticate users on my website through rest apis from my frontend app ?
Currently I am usnig FOSUserBundle and form_long to authenticate user but I am changing frontend to use Angularjs and rest based. So ideally authentication should just work like form_login authentication but it should be rest based.
I did research on it and people suggest to use "Resource Owner Password Credentials" But it needs client secret to be exposed in javascript which may not be secure
It should work e.g. user submits username/password credentials like it works in case of form_login but instead of redirecting it should just return access_token.
Do I need to write my custome authentication provider which uses UsernamePasswordToken and firewall listener like OAuthListener which returns access_token ? Would that be secure to use?
The similiar question with some discussion here:
Symfony2 FOSOAuthServerBundle grant type password requires client secret
If you don't want to expose secret, use a proxy beetween your front-end angular code and actual OAuth server. Anyway, if you expose secret it still needs user credentials.
You can set allowed grant types to each OAuth client, so in case you create mobile apps, you'll want to generate a separate pair of client_id & client_secret for the app and for the front-end, with the only allowed grant type of "password" for the front-end app.