I followed this article on API key authentication with Symfony:
http://symfony.com/doc/current/cookbook/security/api_key_authentication.html
It explains the authentication part well, but it doesn't seem to explain how state between requests works outside of a normal session.
But in some situations (like an OAuth flow), the token may be sent on
only one request. In this case, you will want to authenticate the user
and store that authentication in the session so that the user is
automatically logged in for every subsequent request.
That makes sense but how is the user linked back to the session on subsequent requests, if a token is only provided on the first? I can't use a session cookie because CORS restrictions won't allow me to.
What I'm basically trying to achieve is an API that I can POST login credentials to, in return for an access token that allows me to link requests back to a session.
Can anybody help fill in some of the blanks, or suggest a better way of doing it?
That makes sense but how is the user linked back to the session on subsequent requests, if a token is only provided on the first?
If you use the native session handler, your session and session id as well as a session cookie is sent to the client automatically by PHP's session handler, as soon as you request the session in Symfony.
I can't use a session cookie because CORS restrictions won't allow me to.
Then you can't use a authentication mechanism that provides only at the very beginning (first request) a security key, without sending any other api key in subsequent requests.
What I'm basically trying to achieve is an API that I can POST login credentials to, in return for an access token that allows me to link requests back to a session.
Then do exactly what the linked documentation is doing. Provide additionally a route (not protected) for everyone that accepts credentials and returns a api key. That api key is then used in all subsequent requests, as described in the linked documentation.
Related
I use Socialite library in Laravel. In documentation tells one paragraph:
The stateless method may be used to disable session state verification. This is useful when adding social authentication to an API:
what really does it mean? When I should use that?
Actually, the basic authentication mechanism uses session to store the visitors identity so when you once get authenticated (providing credentials in a login form) the application doesn't ask for the password again when you visit another page after login. So, the session is used to keep the user's current state in the application. This is what happens in most of the cases.
On the other hand, the stateless authentication is used without using the session. In this case, the application doesn't keep any data into the session to identify the user on subsequent requests. Instead, it verifies every request independently.
When you gonna need this?
Basically, it's needed when you are going to build some kind of API which may serve resources as service to users where a user may send a request to your API to get data from anywhere, I mean the user may not be a registered user of your system but you may allow a user to consume data from your server depending on some sort of token based authentication.
This is not enough to describe the stateless auth but this may give you some idea. Further, you may check How to do stateless (session-less) & cookie-less authentication and this and also you'll find useful links if you search on Google using the term Stateless Authentication.
I am using JWT token based authentication for the authenticating my REST APIs exposed to mobile apps. I have a login API where the user will be hitting to and get a JWT back as a response. App has to use the JWT token for the rest of the requests. One question that struck during the development is.
Once I give an authentication token to the user, he has access to rest of the set of APIs.
User 1 with JWT token T1 trying to access resources of user 2 is possible in my current design which is a flaw in my system. On each request do I have to check whether the user id in the token and the user id for which the process is requested matches and then proceed? or is there any better way this is been handled some other way?
I am using laravel framework with dingo rest and JWT lib.
Update
Eg :
I as an individual got the endpoints from the app. I logged in and received my jwt token which will be valid across rest of my resources. Now to get a list of products I have added using a different user id.I can do it this way
My JWT token in the header
GET /products/3 and 3 is not my user id!
In this case, Im just validating a jwt token, which will validate it and respond with the resource which is not MINE!
TL;DR: It is imho quite common to use it this way, you should be good the way it is!
More detail:
The point here is that the token is "obscure enough" so that there is an negligable chance a non-authorized user is obtaining the token from an authorized user. In your example this means, that user 2 can with a very high probabilty not guess the token that user 1 is using.
Of course this way may be prune to man-in-the-middle-attacks, so you should be sure to only transfer the tokens over a secure connection. I suggest "HTTPS only". Also, you may think about only sending and receiving the tokens in the header, so they are not exposed in any content views.
As a bit more background: Think about how PHP "standard" session cookies are working: The user (client) gets a session ID in a cookie and sends it back. This is basically the same as you are doing here with the JWT, as user 2 could also somehow steal the cookie from user 1 here, and act on his behalf. JWT even adds you a level with which you can easily confirm that you actually issued the token (provided you are using the RSA-keypair-style approach), which i think is an advantage over the PHP session ID cookie approach.
I want to register users to my webinars after they submit a form in my site, this is common practice but I'm having problems authenticating my application.
The problem is that according to the documentation Citrix doesn't support username-password authentication flow (where you put your user and pass in a request and you get a token):
https://developer.citrixonline.com/content/username-password-flow
Instead users need to be directed to a login page to complete their Citrix account credentials, supposedly this can be done by me just once and then save the token, however I couldn't find a method to do it safely, I tried once to save the token and just the next day it was expired. So how can I make sure I get a fresh access token without
I'm using this PHP library which is supposed to simplify the login process (maybe there is some clue in it):
https://github.com/jakir-hayder/Citrix-GoToWebinar-PHP-Library
First, read this primer on OAuth workflow to ensure you have the terms and concepts down pat. (You can ignore the fact that the example is for SalesForce -- OAuth is all the same.)
Then, you should understand that you're looking for the Citrix Token Request Endpoint, which they happen to call "Direct Login".
That should let you pass the username/password to get the token to use in subsequent requests. That what you need?
I would use Fiddler or Wireshark to collect the API calls that are made to the Citrix API when you log in. Then add some code in your applicaiton to send the same requests, parse the response that has the access token, and dynamically use that token however you've already got it set up in your application.
I am currently implementing an OAuth authentication 3 legged strategy using 2.0. I have come across a problem:
What's the best way to remember the client's session when logging in using Oauth.
Currently what I'm doing is setting a cookie on the client that matches my session ID on the server. This is of course equivalent to a normal cookie session based login. Then in the session, I keep track of the access token that I got when I used the Auth Code and exchanged it for the access token.
As you can see, state is kept in sync between the client and the server via the cookie/session id, and the access token is kept only in the server and in relationship to the session id.
However I've read that this is insecure, and that OAuth should be stateless (restful) style, so cookies should not be required, especially if the client is a machine client and not a browser client. Some resources have mentioned that the client should store all the necessary credentials in order to authenticate any request to the app. Does this mean I should store the access token in the browser's header? What about the auth code from the redirect, should this be stored on the browser's header as well? (And should these codes/tokens be encrypted/signed on the browser's headers) (and how would you do this using PHP?)
Resources like this: http://sitr.us/2011/08/26/cookies-are-bad-for-you.html says a client side rich javascript app could keep track of the access token and pass it in on every XHR request? But of course not every client is a javascript app such as machine clients.
You should not store the token in a regular session.
The idea of it being stateless is that each request carries all the required validation information.
Of course this may require more work on the client side in order to ensure all requests carry all the required data.
One of the benefits of REST's statelessness is that it is simpler to have a distributed implementation. Every request has all the necessary data so you don't even need to hit the same server twice, each server can validate on its own.
I'm writing a RESTful Webservice with the Slim Microframework and use GET for reading data from a mysql database (select query) and also POST/PUT/DELETE for insert/update/delete rows in the database.
My question is now, is this not a big security issue if everybody is able to write or delete data in the database? But how could I prevent this, I thought the ST in REST stands for state transfer (so the webservice is stateless), which is a contradiction to a state like being logged in or not. And if I would pass some login data with the client which is allowed to write in the database, couldn't a bad guy catch the logindata and fake requests with it and for example delete all entries?
So, whats the normal way to go with this, the only Slim Framework examples I had found always show the route examples, but not how to secure it.
Are there also some opportunities in the Slim Framework to implement this what I need? It should be as easy as possible and the request should be responded nearly as quick as without an authentification or similar. There are no sensitive data like passwords, for me it would be enough that not everybody with a cURL commandline tool can delete all rows or things like that.
Would be great if anybody could explain me what to do and/or give some examples. I also need to know, what I maybe will need to change at the clients which are allowed to send the requests.
Lots of thanks.
Each request has to be authenticated and authorised.
People often get tied up with the word 'stateless'. This really just means that from one request to the next, the RESTful service has no prior knowledge of the users state.
BUT, the service is obviously allowed to be aware of the authenticated user that has just made a request, else how would it decide if it should allow access?
Therefore, you can 'store' the authenticated user in some variable during each request. Then it's up to you how you use this information to authorize the request.
I like to keep it simple and have all my users as a resource in my URI chain. They make requests like users/{username}/someresource.
I authenticate using http basic authentication (over SSL) and authorise based on the URI. If the request failed authentication, its a 401 Unauthorized Request. If the URI {username} and authenticated {username} do not match, the request is a 403 forbidden. If it is authenticated and authorized, the request is allowed (http code dependant on http verb)
Now that's the web service covered, now on to the web service client. This of course HAS to store state, otherwise your user would have to log in every time they make a request.
You simply store the users session in the application (as per normal session management) with the addition that you store the username and password (encrypted of course) in the session. Now every time a request is made, your web service client needs to retrieve the username and password, and send it with the request to your web service.
It will be stateless, in the sense that there won't be a session or a cookie, really. You'd normally issue out a key that would be required for INSERT/UPDATE/DELETE.
It is then up to you to pass the key with each request and to determine when a key should expire.
It would be as safe as normal http authenticated sessions. These use a cookie etc to authenticate the connected user to the stored session state.
A stateless service would be no different - the token is passed to the service just as a token is stored in a cookie for normal http. If you are worried about sniffing (IE man in the middle attacks) you would secure the link via SSL.
The authentication token generated by the service would be encrypted and would include a salt which is also verified on the server for each request. You could also limit the session time to suit your paranoia, and also check changes in source IP, user agent etc and expire the user's token if these change.
I recently ran into similar problem. As recommended by people here, I have decided to go with OAuth Authentication.
I am using HybridAuth A php wrapper for OAuth and out of the box sign in solution for Facebook, Twitter, Google, LinkedIn, etc.