I'm integrating FOSOAuthServerBundle to handle login from an angular front-end.
I have made a client with grant-type password. So my request looks like:
/oauth/v2/token?client_id=[CLIENTID]&client_secret=[CLIENTSECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]
I think it's pretty safe because the client only has grant-type password. The only part that isn't safe, are the user credentials (username and password). They are sent plain to the backend and I want them encrypted.
How can i handle the hashed credentials in the FOSOAuthServerBundle?
Related
I want to create Gmail email client in PHP similar to android/ios application where user fill username and password and perform operations like send/retrieve emails. I am already done with the Oauth - Web server applications where google provide access and refresh token to authenticate the user account. But I don't want user to be prompted for giving prevision to my application.
I checked something known as 2-factor authentication.Please let me know how is this possible ?
This is not possible with new Google authentication APIs as user's giving out their Google password to random developers/applications is considered a security risk http://googledevelopers.blogspot.com/2012/04/changes-to-deprecation-policies-and-api.html. Use oauth2 with a web flow and have the user authorize it. Then they don't have to expose their password and can always go and revoke the oauth2 grant if they want.
You can try creating a service account. It doesnt require that the user enter his/hers password.
I'm building a REST API for part of a folder/file browser application.
One of the aspects of the design is the ability to password protect a folder and I'm just wondering what the best practise would be for this.
My folders table has an is_protected boolean and a password field which will be stored encrypted. This is optional protection.
The developer would send a GET request to http://my-website/api/v1/folders/1 and the backend returns the resource as JSON.
However, if the folder is password protected, I need to check if the password matches. Is it best to maybe send this in the HTTP Header? Or a session using the unique folder slug as the key or something?
All suggestions welcome, cheers!
Your REST API should create a login service, which will take a username / password, and respond with an Authorization token to be used on subsequent requests.. Authorization: token 98wuun8EIU23H8D3D87dow7dh this token should also have an expiry date at which point will need to be refreshed, your app should not pass Username / password on the resource request itself.
The auth token itself should be unique to every user, and on refresh should generate a completely new unique token. Then your token can be used to identify the user on the backend.
refreshing can be done by a refresh token, or by asking the user to enter their username / password again and requesting a new Auth token..
Also ensure your production environment uses SSL to reduce man-in-the-middle type of attacks.
I have a backboneJS application that communicate with a Restfull API write with Symfony2.
To authenticate the user, an HTTP header (WSSE) is sent to all queries.
The header looks like this:
X-WSSE:UsernameToken Username="foo#goo.com", PasswordDigest="clrGx4hSEyC3zdndd04/51yuee7Q=", Nonce="VURQQWQ0RTBMSGo4enBCN05GSjNuTGhsSjF3PQ==", Created="2014-05-09T15:11:06+02:00"
For generate the passwordDigest, I need to have the user password encrypted. For testing, I have put this password encrypted directly in my frontEnd.
So, for create a générique method and not sent the password encrypted on the network, I need to generate the same password encrypted in my front End.
The User try to connect:
User write is email
Application try to get the salt for this email
User write is password
Application created the same encrypted password that this base
Anyone know how to encrypt the password on the client side (in javascript), with the password (enter by the user) and the salt?
Thank's !
There are various libraries available for encryption on the client side. Forge is a library which implements a few message digest functions in JS, including SHA-1 which is what you seem to be using currently.
I'm developing an iphone app and I need to implement a 'safe' login system.
When the users writes his credentials, using a httprequest, phpmysql responds if authentification is correct or not.
But.. Do I have to send the credentials for every request after the login? For example: When I'm logged in, if I wanna get my profile info, should I send my credentials again?
I thought to implement a 'token' system, when an user logs in the server responds with a 'token' wich could be used for every request but... What if someone 'intercepts' this token? He could make petitions using this token like if he was the other user..
Hope I could explain what I'm trying to do (not using ssl)
Thanks!
You should encrypt the credentials before you transmit them using AES or a SHA512 hash. This goes for using the token as well if you go that route. Definitely use SSL.
You must use SSL/TLS (read: https) if you don't want someone to sniff your clear text credentials, whether it be token or any other credentials.
I'm including Google and Facebook OAuth2.0 to my site. I got it working so it pre-populates my registration form with first name, last name and email (password must be entered manualy). Now i want to enable that users can login/register without entering password. As i mentioned i can get email address with no problems from OAuth but i dont know what to use as password because i cannot have an empty password field in my database (then you could enter users email with no password and you could login).
In my database i'm checking for email and password fields (simple login).
So how do i register my users with OAuth (what to enter into password field), so that i can login them later just by clicking on OAuth icon?
Is there any key that is user specific and is not public?
I think you have not understood the true meaning of the OAuth.
OAuth creates and authorisation layer and separating the role of the client from that of the resource owner. The client Application access only those resources that are controlled by the resource owner after the Authorsation provided by the User.
For security purposes the resource owner's credentials to access protected resources, the client obtains an access token -- a string denoting a specific scope, lifetime, and other access attributes.
Access tokens are issued to third-party clients by an authorization server with the approval of the User. The client uses the access token to access the protected resources hosted by the resource owner server.
According to the RFC 6749:
The authorization server MUST NOT issue client passwords or other
client credentials to native application or user-agent-based
application clients for the purpose of client authentication. The
authorization server MAY issue a client password or other credentials
for a specific installation of a native application client on a
specific device.
Thus there is no need of the password