How to configure express app with multiple passport instances in separate passport.js config files - express

I am new to backend development and I need to implement an express app that has two different types of authentication, say user and admin. They are on different subdomains, so I am configuring separate passport config files for each of them, using separate passport instances, both with the local strategy, but there are some issues like:
Error: Unknown authentication strategy "local"
How should I configure my passport.js files for each of them?
Can anyone help?
I created separate instances of passport for each, but I can't seem to properly implement the code for each instance.
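The error in the question comes from the instance mismatch: a strategy registered with `.use()` on one Passport instance is not visible to another instance, and `authenticate('local')` looks the name up only in the instance it is called on. The following is an added example, not code from the question and not the passport library itself: a minimal stand-in that mirrors Passport's per-instance strategy registry, reproduces the error, and shows two instances serving two subdomains. Hostnames, accounts and passwords are constructed for the illustration.

```javascript
// Added example, not code from the original question and not the passport
// library: a minimal stand-in that mirrors Passport's per-instance strategy
// registry, to show why a strategy registered on one instance is unknown to
// another and how two instances serve two subdomains. Hostnames, accounts
// and passwords are constructed for the illustration.

class MiniPassport {
  constructor() {
    // Each instance has its own registry, exactly like new Passport()
    this._strategies = Object.create(null);
  }

  // use(strategy) registers under strategy.name; use(name, strategy) overrides it
  use(name, strategy) {
    if (typeof name !== 'string') {
      strategy = name;
      name = strategy.name;
    }
    this._strategies[name] = strategy;
    return this;
  }

  // Returns a request handler; throws the same message Passport does when the
  // name was never registered on THIS instance
  authenticate(name) {
    return (req) => {
      const strategy = this._strategies[name];
      if (!strategy) throw new Error(`Unknown authentication strategy "${name}"`);
      return strategy.verify(req.body.username, req.body.password);
    };
  }
}

// Stand-in for passport-local: the verify callback decides who logs in
class LocalStrategy {
  constructor(verify) {
    this.name = 'local';
    this.verify = verify;
  }
}

// Constructed account stores. Real code stores salted password hashes and
// compares with a constant-time check, never plaintext.
const userAccounts = { alice: { password: 'user-pw' } };
const adminAccounts = { root: { password: 'admin-pw' } };

function verifyAgainst(store, role) {
  return (username, password) => {
    const acct = store[username];
    return acct && acct.password === password ? { username, role } : null;
  };
}

// user/passport.js: its own instance, its own strategy registry
const userPassport = new MiniPassport().use(new LocalStrategy(verifyAgainst(userAccounts, 'user')));

// admin/passport.js: a second, independent instance
const adminPassport = new MiniPassport().use(new LocalStrategy(verifyAgainst(adminAccounts, 'admin')));

// The cause of the reported error: calling authenticate('local') on an
// instance (typically the default require('passport') singleton) that
// never had .use() called on it
const untouchedInstance = new MiniPassport();

// Route each subdomain's login through the matching instance
const loginHandlers = {
  'user.example.com': userPassport.authenticate('local'),
  'admin.example.com': adminPassport.authenticate('local'),
};

function login(req) {
  const handler = loginHandlers[req.hostname];
  return handler ? handler(req) : null;
}
```

With the real library the same wiring is `const { Passport } = require('passport'); const userPassport = new Passport();` in one config file and a second `new Passport()` in the other; each subdomain's router mounts its own instance's `initialize()` and `session()` and calls that instance's `authenticate('local')`, never the default `require('passport')` singleton. Keep the two sessions apart as well (separate session cookie names per subdomain), otherwise an admin login can be presented as a user session and vice versa.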

Related

Sveltekit how to call an api with a token

I currently have an API running on Node.js Express where you can get or upload all types of files (images, videos...) as well as simple JSON responses.
I would like to connect SvelteKit to this API, but it is secured with an SSO, so I need to provide an access token for each request.
I already get the access token from the SSO (OIDC) on SvelteKit.
Solution 1:
a service worker intercepts requests to the API and adds the access token.
Problems: I don't want to build every time, but as the documentation says, service workers only work in the production build, not in development.
Solution 2:
send requests to the SvelteKit backend and then pipe them to the API with the access token
Problems: works only for basic requests but not for streams; it seems to have been supported recently (https://github.com/sveltejs/kit/issues/5344) but there is no documentation or example, and this solution requires more resources (requests should go from the browser to the API)
Solution 3:
Hooks: externalFetch
This function allows you to modify (or replace) a fetch request for an external resource that happens inside a load function that runs on the server (or during pre-rendering).
Problems: it doesn't work for requests like the src of an image
Any idea?
edit: Solution: with the new version of SvelteKit, node-fetch has been replaced by Undici and streams are functional, so it is possible to pipe requests from the backend.
For dev it works well, but it's not the best solution for production, so you can use both depending on the environment.
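The "pipe requests from the backend" solution the edit settles on, as an added example that is not code from the original post: a SvelteKit server route that forwards a browser request to the API with the bearer token and streams the body both ways. It assumes Node 18+ (global `Request`/`Response`/`Headers`), an upstream at `API_BASE`, a rest route `src/routes/api/[...path]/+server.js`, and that the OIDC login stored the token in `event.locals.accessToken`; all of these are assumptions.

```javascript
// Added example, not code from the original post: a SvelteKit server route
// (src/routes/api/[...path]/+server.js) that pipes browser requests to the
// SSO-protected API and injects the access token. Assumptions: Node 18+
// (global Request/Response), the upstream lives at API_BASE, and the OIDC
// login stored the token in event.locals.accessToken.

const API_BASE = 'https://api.example.internal'; // assumed upstream base URL

// Never forward these: hop-by-hop headers, the original Host, the browser's
// session cookie (the API must see the bearer token, not our session) and a
// Content-Length that may no longer match a re-streamed body.
const DROP_REQUEST_HEADERS = new Set([
  'connection', 'keep-alive', 'transfer-encoding', 'host', 'cookie', 'content-length',
]);

// Build the upstream Request from the incoming one without buffering the body
function buildUpstreamRequest(incoming, token, path, apiBase = API_BASE) {
  const headers = new Headers();
  for (const [name, value] of incoming.headers) {
    if (!DROP_REQUEST_HEADERS.has(name.toLowerCase())) headers.set(name, value);
  }
  headers.set('authorization', `Bearer ${token}`);

  const search = new URL(incoming.url).search;
  const target = new URL(path + search, apiBase.replace(/\/?$/, '/'));
  const init = { method: incoming.method, headers, redirect: 'manual' }; // do not follow API redirects on its behalf
  if (!['GET', 'HEAD'].includes(incoming.method)) {
    init.body = incoming.body; // ReadableStream: streamed to the API, not buffered
    init.duplex = 'half';      // required by undici when the body is a stream
  }
  return new Request(target, init);
}

// Strip headers the browser must not receive from the upstream response
function buildDownstreamHeaders(upstreamHeaders) {
  const headers = new Headers(upstreamHeaders);
  for (const name of ['set-cookie', 'connection', 'keep-alive', 'transfer-encoding']) {
    headers.delete(name);
  }
  return headers;
}

async function proxy(event) {
  const token = event.locals.accessToken;
  if (!token) return new Response('unauthenticated', { status: 401 });
  const upstream = buildUpstreamRequest(event.request, token, event.params.path ?? '');
  const res = await event.fetch(upstream);
  // Pass the body through as a stream so large files and media work
  return new Response(res.body, { status: res.status, headers: buildDownstreamHeaders(res.headers) });
}
```

In `+server.js` export the handler under each verb you need (`export const GET = proxy; export const POST = proxy;` and so on). An `<img src="/api/files/...">` then hits the same origin as the app, so neither a service worker nor `externalFetch` is involved, and the access token never reaches the browser.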

Auth Proxy for all ingress requests

We would like to provide a multi-tenant application that identifies the tenant based on a subdomain. As the authentication server we use Keycloak, in which each tenant has its own realm.
Now we want to authenticate all requests to our application using an auth proxy. If the request is already authenticated (it has a cookie), the request should be forwarded to the backends. If the request is not yet authenticated (it does not have a cookie), the request should be forwarded to Keycloak, to the correct realm based on the subdomain, and an OAuth flow should be initiated. After successful login, a cookie should be set so that all subsequent requests are authenticated. This is exactly the functionality offered by oauth2-proxy. However, we have the further requirement that we have different realms that map the individual tenants. This is not possible with oauth2-proxy at the moment.
Is there another solution besides oauth2-proxy that offers this functionality (possibly Nginx or a plugin for it)?
Thanks
OIDC PLUGIN
You could use lua-resty-openidc with any Lua-based Nginx system, e.g. Kong or OpenResty. This is an established plugin that does the same job as oauth2-proxy. You can have multiple instances of it configured, for different paths, representing different tenants (the option values below are placeholders; the discovery URL is what selects the Keycloak realm):
location /tenant1/ {
    rewrite_by_lua_block {
        -- one opts table per tenant; the discovery URL selects the Keycloak realm
        local opts = {
            discovery = "https://keycloak.example.com/realms/tenant1/.well-known/openid-configuration",
            client_id = "tenant1-client", client_secret = "tenant1-secret",
            redirect_uri = "https://app.example.com/tenant1/redirect_uri",
        }
        local res, err = require("resty.openidc").authenticate(opts)
        if err then ngx.status = 403 ngx.say(err) ngx.exit(ngx.HTTP_FORBIDDEN) end
        ngx.req.set_header("X-User", res.id_token.sub)  -- identity for the backend
    }
}
location /tenant2/ {
    rewrite_by_lua_block {
        local opts = {
            discovery = "https://keycloak.example.com/realms/tenant2/.well-known/openid-configuration",
            client_id = "tenant2-client", client_secret = "tenant2-secret",
            redirect_uri = "https://app.example.com/tenant2/redirect_uri",
        }
        local res, err = require("resty.openidc").authenticate(opts)
        if err then ngx.status = 403 ngx.say(err) ngx.exit(ngx.HTTP_FORBIDDEN) end
        ngx.req.set_header("X-User", res.id_token.sub)
    }
}
There are also various ways to look at input criteria, such as an Origin header, and re-route accordingly, which can be useful sometimes, though there is a learning curve.
DESIGN
I would question your design a little though. Multiple realms effectively mean your apps need to deal with multiple authorization servers, which is a complex setup. E.g. APIs need to validate multiple types of access token.
If possible, prefer a solution where you use a single authorization server and simply add a tenant ID claim to access tokens, then ensure that APIs deny access to tenant 2 data for users from tenant 1.
This related answer on multiple realms for a single application also discusses some trade-offs around how data can be accessed.
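The single-server, tenant-claim design the answer recommends, as an added example that is not code from the answer: an API-side check that derives the tenant from the request's subdomain, compares it with the token's tenant claim, and only ever queries data through a tenant-scoped accessor. It assumes the token's signature and issuer were already verified upstream so only the claims are passed in, a host layout of `<tenant>.app.example.com`, and a claim named `tenant_id`; the records are constructed sample data.

```javascript
// Added example, not code from the original answer: enforce the "tenant
// claim" design. Assumes the access token was already signature-verified
// upstream (e.g. by the gateway) and its claims are available; the host
// layout "<tenant>.app.example.com" and the claim name "tenant_id" are
// assumptions. Records below are constructed sample data.

const BASE_DOMAIN = 'app.example.com';

// Derive the tenant from the Host header: exactly one label under the base
// domain, conservative charset, no port confusion
function tenantFromHost(host) {
  const h = String(host || '').toLowerCase().split(':')[0];
  if (!h.endsWith('.' + BASE_DOMAIN)) return null;
  const sub = h.slice(0, -(BASE_DOMAIN.length + 1));
  return /^[a-z0-9-]{1,63}$/.test(sub) ? sub : null;
}

// Constructed multi-tenant store
const records = [
  { id: 1, tenant: 'acme', plan: 'acme-plan' },
  { id: 2, tenant: 'globex', plan: 'globex-plan' },
];

// Every query is scoped by tenant; there is deliberately no unscoped accessor,
// so a cross-tenant id is simply "not found" rather than leaked
function findRecord(tenant, id) {
  return records.find((r) => r.tenant === tenant && r.id === id) || null;
}

// Decide whether these claims may act on this host's tenant.
// 404 for unknown hosts (do not confirm which tenants exist), 401 for a token
// without a tenant claim, 403 when the claim names a different tenant.
function authorize(claims, host) {
  const tenant = tenantFromHost(host);
  if (!tenant) return { ok: false, status: 404 };
  if (!claims || typeof claims.tenant_id !== 'string') return { ok: false, status: 401 };
  if (claims.tenant_id !== tenant) return { ok: false, status: 403 };
  return { ok: true, tenant };
}

// Handler for GET /records/:id
function handleGetRecord(claims, host, id) {
  const auth = authorize(claims, host);
  if (!auth.ok) return { status: auth.status, body: null };
  const rec = findRecord(auth.tenant, id);
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}
```

The important property is that the tenant used for data access comes from the verified claim that matched the subdomain, never from a client-supplied id alone; with one authorization server there is also only one issuer and signing key set for the API to trust.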

how best to create a Vue vue-cli app that can handle multiple access rights

We have a vue-cli app that will have approximately 5 different access rights. I was thinking of having 5 different builds of our vue-cli script and reconciling on the server and via the API. We obviously don't want an end user snooping through Chrome dev tools at the routes.
What strategies have other people used to handle this? We will obviously also be handling authentication on the server.
edit 1
We will be checking authentication and authorization on the server. The question is about limiting route snooping on the client side; not a security risk, but an unnecessary information leak.

authentication mechanism in one module overrides in another module zf2

I have two modules, and authentication in one module somehow overlaps authentication in the other module. The hasIdentity method always returns true for the other module if authentication is successful in one module, so the user can log in to the other module without being authenticated. The same problem exists with logout: logging out logs out from both modules. It appears that the authentication service instance is being shared among the modules, which is creating the problem.
It is not uncommon for ZF2 authentication modules to store the authentication service under the key authentication or Zend\Authentication\AuthenticationService inside the service manager.
If you are mixing two authentication modules inside your application you have to make sure you separate the authentication service logic properly.
Without more details it is impossible to advise you more. Read also here for more information

How to establish authentication in apache or nginx based on my rails application?

I would like to limit access to some resources provided by my Apache server, e.g. images and videos. The main web application managing the users runs on Ruby on Rails.
Now I would like to let Apache check whether the access request is valid.
The user should provide an authentication token he received from my Rails app, so Apache can grant or reject access to the files.
It would be best, if the request could look like this:
http://myserver.com/filexyz.mp4?token=jhg987gojhg876
Are there some approaches for this?
Maybe an nginx module?
The module http://code.google.com/p/mod-auth-token/ does exactly what I was looking for.
The Rails app and the module share the same key for token generation, so that access to a resource can be restricted outside a time window and to a specific IP.