If I use JHipster + JWT and log in with wrong data for the first time, I get an error message (this is correct, of course). Unfortunately, I can't find where the authentication(user/password check) takes place.
The client calls'api/authenticate' and lands in the JWT filter. jwt does not yet exist here. And so it goes on in the chain.There are now 12 spring filters, but unfortunately I haven't found the check in any of them.
The'DomainUserDetailsService','UserJWT-Controller' are not called.
Question: Does anyone know where the authentication happens?
Thanks for the answer in advance
It's done in the AuthenticationManager which is built in SecurityConfiguration.java and uses DomainUserDetailsService
This is called when sending a POST to /api/authenticate which is handled by UserJWTController
I suppose you only looked at GET on /api/authenticate in AccountResource.java which is used only for checking that user is authenticated with a token.
Related
I'm kind of surprised that, after searching for this for a while, I didn't find as many answers as I thought would be out there (well I found none), so maybe by asking it here we can help improve search results.
I'm building a REST api which has JWT-based authentication. There is an /auth/login route which returns the token after login/password verification, and the token is subsequently sent in every route in a Authorization http header.
Not, suppose that someone queries another route (say, /cars), without sending the token (that is, before logging in). If I return a 401 unauthorized, I can make the frontend query /auth/login to get the token.
But, strictly speaking, this does not conform to the REST specification, because every resource should be discoverable from the initial one, and a client accessing /cars and receiving a 401 will not know about /auth/login.
So another option would be a redirection like 302. But this semantics means that the resource was temporarily moved, and this is not the case (the resource is still /cars, you just need to authenticate first).
So, what is the correct way to do this procedure in a "true" rest api?
I 100% agree, and that's why I proposed this standard:
https://datatracker.ietf.org/doc/html/draft-pot-authentication-link-01
The idea is that for cases like this, you should be able to return a Link header with an authentication rel, so the client can discover how to proceed.
Authorization code Grant : I know the code is short lived token exchanged for the real long-lived access token. I have gone through the Oauth 2.0 but could not find this information so asking here:
What is the life cycle of code?
Is it for only one-time use?
How many times can a code be exchanged to get access token?
What happen to a code after access token is given for that code?
I am using oAuth 2.0 plugin on Kong API gateway. it is keeping the code alive for a particular time and multiple access token can be generated using same code by that time.
Is it the expected behaviour?
Thanks for any advice.
Authorization Code must be short lived and should be one time use to avoid fake use. So to answer your questions
What is the life cycle of code?
when the user authenticate using authorication_code flow, the once authenticated and granted access for scopes, an short lived (say 1 minute) valid code will be created and sent back to the redirect uri.
Is it for only one-time use?
yes it must be one-time use for best security, when access token is requested using authorication_code, then either the request succeeds or failed (due to some validation error or server error), the authorization code must be deleted or marked as used(depending how you wanted to use it)
How many times can a code be exchanged to get access token?
One authorization_code can grant only one access token, since the code will be revoked once an access token is issued.
What happen to a code after access token is given for that code?
Best practice, the code can be deleted
Check out google oauth2.0 documentations for better understanding and see how its used.
https://developers.google.com/identity/protocols/OAuth2WebServer
For Kong issue it seems its a bug in kong and they promised to give fix in 0.9 release.
Check this discussion.
code is short-lived one-time access token.
once a it is exchanged for a access token, it should get marked as invalid.
for Kong issue its better to ask it here
I'm struggling with an issue here. I've searched repeatedly for answers, but have been unable to find the exact answer I'm looking for. I'm attempting to build a secure authentication method for a REST api. My question is, how do we handle a login for a REST api?
Since a REST api is meant to be stateless every time, does that mean we need to store the client's username/password on the client's end (perhaps hashed), and send it in with every request? I'd be much more comfortable using a system like authentication tokens that are created upon logging in the first time, but does that go against the basic rules of REST, since this technically creates a "state" on the server?
What is the best and most practical method to handle this? As I wrote earlier, I'm struggling to come up with an answer to this; maybe that is due to this problem not having a clear answer, but I honestly don't know.
Thanks in advance.
That's also my understanding of REST: clients send login/password to the server along with every request. The server has to authenticate the client based on this information only. With regard to the Hypermedia principle of REST, having a user logged in is not an application state, in my understanding.
I've looked hard into this article about OAuth Authorization Server with OWIN/Katana: http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
The article does tell us how to set up a basic Auth server but seems to omit a lot of information and code. I'm particularly interested in the implicit grant flow. They did provide the login page and the "permissions" page, but I'm confused:
Where is the code that decides whether the authenticated user has granted the client? This can't be done "behind the scenes" because we NEVER told any middleware "component" the path "/OAuth/Authorize".
Where is the code that actually redirects the user back to the client's website, along with the auto-generated access_token and other values?
I'm suspecting that there is a proper way to "construct" the ClaimsIdentity object (particularly the scope claims) before passing it to authentication.SignIn(claimsIdentity) in /OAuth/Authorize, so that it would automatically redirect the user back to the client with access and refresh tokens.
The MVC Actions of /OAuth/Authorize and /Accounts/Login seem to always return View() even after successful authentication and granting, thus never forwards the user back to the client's website. This seems like I would have to manually determine when to return Redirect(Request.QueryString["RedirectUrl"]);, and figure out the encrypted values to pass along with it. This doesn't seem like I should be generating the exact response.
What did I overlook?
As #(LittleBobby Tables) said your questions are very broad.
Based on how you asked the question you actual understand the topics but not the how?
I suggest you look at the full source code at
http://code.msdn.microsoft.com/OWIN-OAuth-20-Authorization-ba2b8783/file/114932/1/AuthorizationServer.zip
Your answers are either present or will lead you in the right direction
I save tokens obtained through authorization and use them for post and similar requests. However I need to know when to re-login in case of token expiration.
Does scribe throw any relative exception ? Judging by the sources it doesn't but maybe it throws any other ? Maybe you can suggest a better way ?
Scribe can't tell if a token is expired or not. There's no standard way in OAuth for the provider to inform you that a token was valid and now it isn't.
It's kind of logical that it works that way, tokens have a life span and after that they become rubbish. There's no way of differentiating between a just-expired token and a random string.
The only way you can check is (surprise!) making a request and seeing if it works. Your client can keep some kind of state to check wether the request is getting an unauthorized response with a previously valid token and in that case try to reauthenticate but, sadly, there's no way the provider (or scribe for that matter) can make that easier for you. Sorry.