I'm using Oracle Rest Data Services (ORDS) to build APIs.
The client requires basic authentication (username and password). This does not seem to be supported by OAUTH2.
Is there another way I can protect the APIs by means of just a username and password?
EDIT:
We are using IIS10 - is it possible to setup basic authentication from an IIS perspective?
Yes you can, but we don't recommend it.
You can create an ORDS user (use the user command), and assign a password and one or more roles.
You can fall back to database user/password auth. That authenticated user session is given a role called 'SQL Developer,' so if your REST API was protected via privilege that was also put into the 'SQL Developer' role, it would get authorized.
We don't recommend this for a few reasons.
One of the biggest is how much slower it is. We have to make an actual database connection to ensure your user/password combo are correct. That takes TIME.
Hence, we point folks to OAuth2, or something higher up the stack like an API Gateway.
Coming later this year, we'll have out-of-the-box support for OpenID. This will add tremendous amounts of flexibility without sacrificing security or performance.
Disclaimer: I work for Oracle and am a product manager for ORDS.
Related
I've done a fair amount of research on the many different ways to authenticate and authorize users who use my frontend application to access my REST API. I've built a system that uses OAuth2 and JWT and need a sanity check since I'm working on this alone.
For a bit of background, my frontend is built using Vue.js and my API is built using Django with Django Rest Framework. My team is already planning on concurrently developing the mobile and desktop versions of this app which both would require authentication and authorization as well.
To keep things brief, I'll omit the alternative solutions I have and just talk about the most controversial one.
Right now, OAuth2 (my authorization server) grants users a JWT token using ROPC when they provide their email and password to my frontend client. I should note that my API (my resource server) and authorization server live on the same machine.
My application allows users to essentially signup using different plans (for example a free plan and a paid plan). When a user signs up for a free plan, I need the frontend application to not only disable certain features and elements in the UI, but also I need the authorization server and or resource server to limit what that user is allowed to query based on their plan.
The idea is when a user signs up or logs in, my authorization server will get the associated user record from the database and create a valid JWT with a claim attached that states the user's plan and maybe some other non-personal information. Then once signed it sends it off to the user where the frontend can enable/disable parts of the UI... etc. Hence, if a user logs in on mobile, we can customize the UI based on the same claim sent by the JWT.
My issue is that I don't know if this is a good way to go about it. It seems that everyone I've asked in my circle is split on using JWT or not. Those apposed mostly raise security issues, but, when from what I understand, many of the JWT security pitfalls are well documented and can be avoided just using some commonsense as with any other session/token-based authentication. I'm starting to get analysis paralysis. Please help.
CLASSIFICATION
I would say this is really an API Authorization question, as opposed to an OAuth question:
The role of the Authorization Server and tokens is really just to prove the user's identity
Product specific logic comes after the user logs in and is generally best handled in your app
MY PREFERENCES
Here is how I would handle it:
Save the plan type to your product data when the user signs up
After login, look up the user from the access token
Then look up the user's plan type from your product data
Produce a Claims / Principal object in your API containing both
Enforce business rules based on the plan type claim
I would aim for a Claims object something like this:
class ApiClaims {
// The user id in the access token
userId: string;
// The email
email: string;
// The plan type
planType: string;
// Other claims from the token
// Other claims from product data, eg user roles
}
RESOURCES
If interested in this approach, these blog posts of mine may be of interest:
User Data Management
API Authorization
JWT?
You need some kind of API credential that is sent in HTTPS messages and is web and mobile friendly, so I would use JWTs. You could follow the same pattern with any API credential though.
It depends on what you are trying to protect of course, but JWT bearer tokens are an industry standard. Since you control both the client and the authorization server, you can implement it however you like.
I would look into changing Resource Owner Password Credentials flow to authorization code flow. It will enable you to use social authentication providers like Google or Facebook to sign in users (while still maintaining plan info in your own service). Chances are that people trust those companies more to keep their credentials safe than your company, and it allows you to benefit from any authentication features (MFA) those companies implement.
Also, if you want the clients to read the contents of the token, you should use OpenID Connect id_tokens, as those are guarenteed to be in JWT format.
I am quite confused about one requirement that i've received and how to correctly fullfill it...i hope that someone can help me figure out something.
I have to add Authentication/Authorization to an existing MVC 5 intranet application that will be used only by the customer's intranet users. This web app hosts an AngularJs application that uses a set of WebApi (hosted inside the same intranet and used only for intranet purposes).
The application will be used by different kind of users that can have different grants (e.g: can create things, can modify things, can delete things) and those grants must be declined for different Countries (consider the Country as, conceptually, a subsite). So a User can be the "administrator" (considering the administrator as a User with all grants) for the France, but be a simple user for Germany and not authorized at all for the other countries.
The requirement is to use AD for Authentication, but not for Authorization purposes.
I am not an expert of security and i did some research to try to understand the possible solutions. The most important thing i have understood is to separate the Authentication from the Authorization.
From a simple Authentication point of view, it's easy to use AD (or Windows Auth).
What i am missing is how to perform the Authorization part.
I have seen a lot of tutorials for ASP.Net Identity with Individual Accounts, all it's clear and easy, as it's using the UserManager to perform lookups on the db for the users to verify the authentication, and from there take the roles data(saving those info in a cookie).
I need to understand what should be the correct way to handle my scenario.
The user should log in using it's domain credentials, then i should receive a response from AD, if ok i should get the corresponding user from my db and retrieve its role data...correct?
If so, how could i perform those tasks.
Is it a wrong way of solving the problem?
And if so, how can i do that?
What is the best way to "pass" the auth/entication/orization token to the WebApi in order to secure them as well?
One last question...could it be possible to fulfill the requirements by using only AD (not relying on the db for grants)?
Sorry for the (most probably) dull questions but i'm feeling like i am missing some VERY key points.
Suppose I have a working REST API for my product.
I want to give access only to developers who sign up to this product. Also, there will be several plans available so certain parts of the API are not accessible on the free plan.
From the grant types I've seen only the client-credentials one seems to be the closest solution. However that won't authenticate the developer account stored in my product db, it will only get an access token for that client. The user won't actually be 'logged in' per se. Add to that the fact that a single client can be reused by everyone, according to implementations I've seen.
The only way I see is creating a custom grant type, by adding an extra api_key to the client credentials type, which pertains to the developer account.
Is there a way to do this with the existing grant types? Introducing custom types will not work with many oAuth2 libraries out there out of the box and I don't want to give the developers the hassle of modifying them.
I don't think you have to invent a custom grant type.
A single client can be reused by everyone only if everyone knows the client secret.
So, it seems that what you have to do is (1) to authenticate a developer when you issue a pair of client ID and client secret to the developer and (2) to motivate the developer not to reveal the client secret to others.
I have a postgres database and a web app.
The web app allows the existance of users and they do some stuff on the webapp.
I am new to postgres but what we used to do in SQL Server was ActiveDirectory - CreateLogins - CreateRoles etc..
Now in this database is it possible to create a login for each user? or is a table with users (username password) better? or worse?
I was thinking about having 1 login user in the database that can only do specific procedures and see views and just authenticate the user through the table.
Which is better solution?
I think it's better to use the database's built-in role management, as it keeps it DRY. Despite myths, you can still use connection pooling. It makes it much easier to audit, and to use row-level security later if you need it.
Postgres can authenticate users using built-in roles, or using Kerberos, GSSAPI, SSPI or LDAP.
You can sync LDAP users/groups/roles with Postgres:
https://github.com/larskanis/pg-ldap-sync
You can delegate authentication to the web server. Login as the web server role, and then change the user's role, to act as that user, using SET ROLE X. This lets you use connection pooling.
Use one or more roles with specific permissions that access the login tables, along with the rest of the app's tables. You obviously don't want that role to be the database/table owner, to mitigate damage from an attack.
Be sure to use the pgcrypto module to salt and hash user passwords.
Which are the steps must I follow to implement a token authentication in my web page?
Any summary or links will be appreciated.
I want to implement similar to Facebook or Google, first time client loggin and receive token and then use it in next actions.
I read also about OAuth but I don't want to give access to my application from 3rd party.
Thanks for the long response and it seems clear to me I need to read more about this.
What I want is to know the "steps" to implement a basic web application that uses token authentication. That is user logging once and then can make some actions: add content, edit, etc.
I know what I'm saying is similar to a session, where server adds a SESSION_ID on the HTML header and later request are identified and associated with that session. I read sessions way isn't good to scale so I want to implement a similar system like gmail or facebook before they go to OAuth. Probably I'm talking about something similar to oauth (i don't read in much depth) but witj two-legged instead three-legged.
You should think about your requirements, pick an appropriate protocol and some decent piece of software that implements it.
It's really hard to say more without more details:
are you talking about authentication for one or for multiple web applications? do you need single sign on between different web applications?
should all user data be stored on your server or should user be able to login e.g. with the google account?
should the token contain informations about the user?
on what platform are your applications developed?
what authentication method should be used?
do you want to realize a portal?
There is a really wide range of protocols and tools which might or might not fit to your requirements:
http://en.wikipedia.org/wiki/Category:Authentication_methods
http://en.wikipedia.org/wiki/Category:Identity_management_systems
I personally like CAS ( http://www.jasig.org/cas) for token-base SSO between multiple web applications. It's Java based but also has some support for PHP and .Net.
OpenID is fine, if you want to allow users to login with their Google, Yahoo, whatever account (configurable...) and don't want to store user information by yourself.
Kerberos/SPNEGO is the way to go if you want to haven integrated windows-sso for your corporate intranet applications.
For university applications SAML/Shibboleth probably is best. Outside universities it's somewhat less popular, probably cause it's a fairly complex protocol.
Oh and I almost forget: Most of the web frameworks/standards have there own version of plain-old "form based authentication". Where a user goes to a login form enters its username and password. Both are with or without SSL transported to the web/application server. The server validates it against some kind of database and gives a cookie to the user, which is transmitted and validated every time the user sends a request. But beside all this shiny protocols this seems to be pretty boring :-)
And before doing anything with web authentication, you might think for a moment about web security in general ( http://journal.paul.querna.org/articles/2010/04/11/internet-security-is-a-failure/ http://www.eff.org/files/DefconSSLiverse.pdf) and what you can do to not make it even worse on your site ( http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf).
see your point.
On the protocol level a very simplistic token approach is HTTP Basic Authentication. But this often doesn't fit, as there is no logout function etc.
A custom, simple cookie based approach can for example look like this:
The server generates some kind of secret (a value that is hard to guess)
When a user tries to access a protected resource, he is redirected to a login form
after successful authentication he gets a cookie. This cookie contains three values: username, timestamp and a hash of {username server-secret timestamp}.
with every user request the server recalculates the hash values and compares it to the value which the client sends in its cookie
(needs more consideration of: httponly and secure flag, transport layer security, replay attacks etc)
Amazon S3 stores its authentication token in an HTTP Header and uses HMAC for calculating it. It's described here: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?S3_Authentication.html (Not necessarily recommended for using with a browser based web application)
If there is a book about REST anywhere near you, you may look if it has a chapter about authentication. Probably things are much nicer explained there than here :-)
There are some frameworks which are capable of doing this kind of authentication. For security reasons it would make sense to check them first before implementing your own stuff.