I am currently learning about OAuth2, and I am slightly confused about one part of it. Does the OAuth2 server compare the domain in the JWT with the domain in the request header?
What prevents someone from ripping a bearer token out of a JS app and then using it to make fraudulent API requests? Even if HTTPS is used, the token sent back from OAuth2 still has to be stored before it can be used in subsequent requests, thus making it vulnerable. What am I missing?
Edit: what if I create an oauth2 token from a non-browser client and there is no domain name to match against?
Nothing prevents it from being used. That's why you store it safely or you don't store it at all.
Related
my app api is captured with http carnary app which the hacker could access the api.
Is http request authorization could prevent it?
Basic xxxxxxx
I dont know where to ask. Been strugling for days without result.
Disable HTTP without TLS on your server, use certificate pinning on the client. The attacker will only be able to see requests (by reverse engineering or modifying the application). There is no way to be 100% secure in this case. If the user has network access he will be able to see the data. HTTPS and certificate pinning will be reasonable big obstacle for most attackers.
I am trying to setup API authentication for APIs that I have created using PHP. My website, (Client) has been created using React. I have been researching and I cannot find anything that explains what I need to know. One of the main resources I am using is the PHP documentation:
https://www.php.net/manual/en/book.oauth.php
The things I am struggling with is the generating of the tokens, what information do I use in the creation of tokens? How do I setup my APIs to be classed as a protected resource?
From the understanding that I have about oauth, The client will send a request to the server for a request token. Once it has the request token, in the callback, it will request an access token using the request token. The access token will then be used to request access to the API. Does that sound right?
Any help would be greatly appreciated.
Oauth is pretty complex to implement, and is mostly used in situations where 3rd parties need to authenticate you users in their own code, or where there are complex authentication requirements.
Your case seems to be pretty simple, have you considered just using session/cookie based authentication, or using tokens generated on the server side?
I have already created an api using php slim framework. But I have an issue with securing my api. I want to access only api for the authenticated users only.
I have already added user login to my front end angular project. That is fine. But when the someone directly calls the api endpoint its show the result related to that endpoint.
For example. I have the following endpoint.
slimapi/customers/view
This endpoint shows all the data in the customer's table.
When someone types this URL in the browser. it shows all data related to that api endpoint. but I want to show some customers message when someone tries to access my api endpoint without using front end application.
You can Manage JWT Token
when client sends you login request and if login request and credential matched then you give the client a token. Then After every request, you check the token is it valid then you give the access.
just see the documentation of JWT
https://github.com/tuupola/slim-jwt-auth
You could use the OpenID Connect protocol (based on OAuth 2 and JSON Web Tokens​).
But this would maybe an overkill for the most scenarios, because a JWT would only makes sense if you have to scale the "session" over multiple servers and/or load balancers in the back-end infrastructure. Also a simple logout is not possible with JWT based tokens. If you start to manage JWT blacklists on the server-side, the API will not be stateless anymore.
I think a very long API-Token within the HTTP header, e.g. a UUID, would be secure and good enough in the most cases.
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.
Syntax:
Authorization: <type> <credentials>
Basic Auth
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
Token based
Authorization: Bearer eyJhbGciOiJIUzI1NiIXVCJ9...TJVA95OrM7E20RMHrHDcEfxjoYZgeFONFh7HgQ
UUID as Token
Authorization: Bearer bb79dfb5-17fd-4ebc-acd5-548e308e5f9a
Also make sure, that all API request are SSL (HTTPS) encrypted.
PS: If you just want secure your API for a web application, a classic Session with Cookies is also good enough and very secure.
I have a hybrid SPA php web application that makes calls to a remote REST API for all it's needs. I'm starting to implement token authentication between the web server and api and I'm not quite sure how to handle expiration of the token. There may be some flaws in my design as well.
User submits login credentials (username & password) to the web server.
Web server sends call to the API.
API looks up creds., if good, a JWT Auth token is generated and returned to the web server where the Token is stored in a php session variable. The token is never made public.
Each call the web server makes to the api sends a request with an authorization header that includes the token pulled from the session.
My problem is, what's the best way to issue a new token if one has expired during an incoming request. The api checks each request's token to determine if it's valid and if it's expired. If the request API was GET foo/bar for example, expecting a JSON string in return, but the token has expired, what would be the expected behavior?
Hope this makes sense. Please let me know if I'm not clear enough. Have not had much luck researching this particular scenario.
So I am trying to implement Google Login in my application. On the client side I have an android App and a web app which interact with the restful API server in PHP (Cartalyst Sentinel 2.0 for authentication).
I am facing multiple issues.
REDIRECT URI
//setting up google api client
$client = new Google_Client();
$client->setClientId($CLIENT_ID_WEB);
$client->setClientSecret($CLIENT_SECRET_WEB);
$client->setRedirectUri($redirectUri);
$client->setScopes(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile','https://www.googleapis.com/auth/plus.me'));
To instantiate the client I need to provide redirect Uri. Now in the case of the client being webApp there seems to be no issue as I am providing the same redirect URI at the client and server end. But when it comes to android there is no REDIRECT URI. I read somewhere that 'postmessage' as redirect uri works but didn't for me. Without the redirect URI the client throws error of "invalid json token"
Any help on this ?
cartalyst_sentinel cookie as null in the requests from web client.
There seemes to be no issue in case of normal login(api.domain.xyz/login) through credentials. But when at the server end I login the client from a different route(api.domain.xyz/blabla/google/login) the value for the cartalyst_sentinel cookie goes null even though the set cookie headers were sent as response headers.
Set-Cookie header being sent(There are two, which worries me but it works this way as well in case of native login)
The cookie is becoming null in the requests which follow after login
I have read a lot by now about these issues and have tried n number of methods but none seem to be working.
There were only two things that seemed a bit valid.
The case of redirect URI can be sorted out by instantiating the google api client with config file(google json or developer key maybe).
The case of missing cookie is due to cross domain cookies or maybe due to login being done through a nested route(sounds silly I know, but found somewhere in google).
Any help appreciated.