I'm planing to create a few simple REST web services to be used by some other applications (everything internal, not facing Internet). For certain reasons the applications should work with SSO (Windows, NTLM or other). The issue I have is how to do the authentication in the web service.
The application calling the web service has no knowledge of the users password so I'm kind of lost on how to authenticate against REST without having the user to login? eg. avoid Basic Authentication
I would like to avoid login due to simplicity for the user and not having to handle passwords in my applications. What are my options? Am I missing something obvious?
Would this be a solution:
create token, pass it to service and store it in database. web service checks if token exists in database. (expiration handling?)
The most common solution to this problem is, as you mentioned, a simple key or token based authentication. This is how a lot of google services (e.g maps) work. You simply generate a key on your service provider for each consumer, store it in your database, and validate that all calls pass a valid key.
More sophisticated options would be HMAC or OAuth authentication. Given your situation, i.e. providing services only within your intranet, I'd say keep it simple and go with a single key authentication.
In the above scenario I don't see the need for handling expiration. Nonetheless, if you'd like to implement it, then you could
on each client request, generate a timestamp based token on the server
in your reply to the request, also include this token
client should use both the static API key and the dynamic token in subsequent requests
server should check the token's lifetime and accept / refuse the request as necessary.
Related
I use firebase authentication in my laravel project and I am curious if there is such a way to give users roles/permissions.
Normally I use laravel authorization to get over it but now my user data are on the firebase.
Firebase Authentication (as its name implies) only handles authentication: verifying the user's identity. It intentionally does not provide any form of authorization: determining what the user's access permissions are.
Many of Firebase's other products have their own authorization mechanism that builds on top of Authentication, such as the server-side security rules of the Realtime Database, Cloud Firestore, and Cloud Storage.
You will need to do something similar in your own server-side code to implement authorization for your app. You'll typically follow this recipe:
Pass the ID token of the user from the client to your server-side code.
Decode and verify the ID token to securely determine who the user is.
Look up the authorization of the user, either in a data store of your own, and/or from the custom claims from their token.
Enforce that the user only accesses the data they're authorized for.
This is pretty much the same process that Firebase's own services also follow.
If an app is interacting with server api over https using post method ( JSON objects ), then there is a danger of api endpoint getting exposed and anyone accessing the api.
Is there a way to make sure that api is called only from the designated app.
I did some research on the web and came to know of:
a. manual credential checking using POST method
b. using json web tokens ( jwt)
However my question is: both of these methods a) & b) would require some kind of username/passwd passing from client app to server ( everytime in a. and only once in b.). Now this username/passwd would need to be hardcoded in apk and it can be easily obtained by anyone by decompiling it. So then how are these methods secure?
I think you're misunderstanding how json web tokens or bearer tokens work. Why would a username and password ever need to be hardcoded? You'd supply the user with an interface that accepts a username and password.
In option a, you'd store these locally after the user supplied their credentials and clear it when they exit the application or log out. This would not be recommended as that's what tokens can be used for. Many frameworks already offer support for JWT out of the box.
If using a token, the user still supplies their username and password to authenticate, the server will return a valid authorization token. From that point forward the auth token is passed with each request.
I would somehow use TLS security ... with digital certificates ... to cryptographically secure the network access to the portal. The app would contain the necessary public certificate, possibly obfuscated, which the server could check to make sure that the access is legitimate. Now, no one can intercept the communications, and they can't spoof it without somehow first extracting the certificate information from the app, which is probably unlikely. Knowing that the supplicant does possess a copy of the necessary public key should be sufficient authentication.
Although we don't usually employ it when we use TLS to get to your friendly neighborhood https web-site, modules like mod_ssl do provide a complete TLS implementation including the ability to require and to verify a client-side security certificate, without possession of which the connection attempt will be refused. This might be an ideal situation for that.
I'm working on a user authentication library in PHP. Right now I have both stateful and stateless CSRF protection, everything's secure. My problem is that the API is for remote applications (mobile app, game, etc) and has a public facing script to let a client app perform requests to authorize/log in a user. I would like to include the functionality for creating and removing a user in this API so that the client can do everything itself, but can't figure out a way to make it so that the creation script couldn't just be hit by anybody to flood the database with fake users. When creating a user with the API, I don't require any credentials other than username or password in the request, which means that anyone could hit that script. Does anyone know of a secure solution to this to prevent an attacker from using the API to create/remove users themself?
you could increase obscurity by requiring a secret key. Distribute the key in the client code. However, anyone accessing the client code can see the key and use it. But random people scanning your service wouldn't have the client code, nor the key.
i am writing an iphone app that would need to communicate with our servers. on the server side, im am writing an api in php that the app would talk to. What is the best way to authenticate the apps and basically restrict access to the apps and shut everyone else out?
I need a way of recognizing that an incoming request to the api is a legitimate request from our api.
What other security concerns should i keep in mind and calculate for?
any design suggestions?
i am currently looking into what oauth can do for me here!
I think you don't need oauth because it will only help you when you need authentication involving three parties. Example: your application authenticating a Fecebook user (three parties here: you, Facebook user and Facebook).
I would make sure you use this:
HTTPS (never send password or sensitive data over plain HTTP)
A login.php script that will authenticate your user, and upon valid authentication will generate an access_token for your mobile user.
Each restricted service you provide with PHP will ask for a valid access_token as a parameter to execute.
Make sure your access_token expires after certain time or conditions you might impose.
Look at the big companies? Google uses an API key for all their public APIs so they can track behavior and block if they expect abuse.
Since your API is probably not public you might need more security but then you'd probably need to encrypt all communication :<
I'm developing a social networking website. This service will be available across various mediums, for example: the web, iPhone, Facebook application etc.
My idea for this application was to have all of these properties interact with one central point for fetching and saving data: an API. My various applications would then interact with this API, sending a GET request to fetch some data; a POST request to submit some data; DELETE requests and so on.
This API will be web-accessible, so I need a way to authenticate only white-listed applications. This API will never be available for third parties to interact with or build third-party applications with; it's to facilitate my applications only so I can cut out re-coding solutions across various platforms and focus only on the logic (controllers, essentially).
Therefore, would OAuth be suitable to be used as the authentication method for the above scenario?
My knowledge of OAuth isn't great, but if it is deemed a viable solution then I'll obviously read up on it before implementing. But as far as I know it works on tokens. A consumer (for example, my website) would request a token from the application (the API in this instance) and then the application would return a token to use in subsequent requests. Or something.
When a request comes in to my application, am I then able to accept/deny requests based on the requesting application? I.e. can I deny access to applications that aren't my own? How do I differentiate between applications? Do I retain a whitelist of IP address or URLs, and compare upon incoming requests?
Any help on the above would be most appreciated.
OAuth is not designed to authenticate some applications the way you want to.
Juste create your own private way to authenticate, because you're the only one to know about your API. Dont forget to pipe the authentication in SSL and everything will be ok !
I don't think OAuth is the best solution for your problem. OAuth is great when you plan to give your API to the 3rd parties as it allows to authenticate user without giving users's credentials to the 3rd party. If you have all control over the API there is no need for this.
It's still a good idea to read about it thou. :)