Is there a way through the Stormpath API or their UI to set a maximum number of password retry attempts? Or does this retry count need to be managed on my web server during any authentication with the Stormpath API?
The Stormpath API does not yet provide this as a feature, so this is something that would have to be managed by your web application. However the Stormpath API can help you, because you can store the state in the account's custom data object, so that you can keep track of how many attempts have been made on that particular account.
I hope this answer helps!
Related
my application requires an authorization code grant flow integration with Cognito and the website responded to me that Auth-Code accordingly.
https://<poolName>.auth.eu-central-1.amazoncognito.com/login?client_id=<clientID>&response_type=code&scope=email+openid+profile&redirect_uri=<redirectURI>
Now I want to know what email address has logged in. As fas as I understood, this is where I would need the JWT token.
How can I query the email adress of the token I have just received?
Any help is much appreciated!
As I was going through that, actually, I still am. I have talked a lot with Amazon Engineers for past weeks, have done a bunch of research on my own and let me clarify couple of things.
Hosted UI is a way to go if you can accept the limitations. This is after all hosted ui, you can only change that much. BUT (!!!!) and I can not stretch this enough: it works only for simple usage. If you start searching you'll see that it doesn't support CUSTOM_AUTH flows which is extremely useful if you want to implement even something as basic as MFA. So if you dream of Revolut-like login page with just phone number email verification - pity, hosted ui will not help.
Hosted UI is more than just UI! It's a whole server! That's why you can't simply replace it.
Now, as we established what hosted UI can't do. What are the alternatives? Of course, you can use other providers like Okta or Auth0, but I assume, you're here because you want to use AWS. But the recommended (by AWS) alternative is to actually implement your own authentication using Amplify SDK. It's quite simple to use, I must say that. But what they don't tell you explicitly, is that it's no longer OIDC flow. Instead, AWS suggests to use their custom flows, such as USER_PASSWORD flow or SRP (Secure Remote Password), where password doesn't fly over http(s) at all.
You might ask: can't I have OIDC with Cognito AND custom flows? Well... you can, but it's not that simple. Long story short, you can use both hosted ui and amplify and possibly create your own cool SSO. For details look at their github page where AWS Labs go through some details.
If you can't afford spending next 2 months working on SSO, but you don't necessarily need OIDC flow and get settle for another solution, you can easily go for SRP or USERNAME_PASSWORD flows.
If you're like me and you're migrating from the old legacy authentication system done... wherever (;)), go for USERNAME_PASSWORD and utilise user migration lambda trigger in Cognito, where you can automatically migrate users once they login with their old credentials! Neat
AWS Cognito is full of traps... Consider that as well
First, make sure your Cognito client includes the email OAuth scope. User Pools > my-user-pool > App client settings > Allowed OAuth Scopes.
Then, decode the id token and you will have the email. You can use JWT.io to quickly decode tokens for testing and development.
UPDATE: You can use the POST /oauth2/token endpoint to fetch the tokens. But in general, if you're creating a frontend for users, it's better to use someone else's UI. The Cognito hosted UI works, although it looks a bit dated and it doesn't support MFA/TOTP. The modern approach is to use the Amplify UI Authenticator component, which supports TOTP and all the flows you'd expect (sign-up, password reset, etc).
I have a question about fusionauth and its 2FA API.
we want to use 2fa in our app but only under some circumstances and not on every login.
I found that there is API to send a code via SMS but I can't seem to find an API to verify it.
can anyone help me?
I looked at the docs and there is only send and enable/disable no verify, can it be somewhere else?
The API does support a trust mode, but there is not currently a separate API for selective 2FA.
There is not an API to validate the code, instead you utilize the Two Factor Login API to complete the login process. This implicitly validates the code.
https://fusionauth.io/docs/v1/tech/apis/login#complete-two-factor-authentication
i am new in PWA and i was wondering if it´s possible to authenticate a user offline. I mean that if you can have a file in the local storage with the information of the users to perform the authentication.
This file would be saved for the first time that any user authenticates with an internet connection, to then allow the authentication of any of the other users offline. Is it possible? Is it safe?
Any advice please? Thanks
You could not actually authenticate them because that would require hitting an identity service like Auth0, Cognito, etc.
Hoever....(modern tech is great)
If you leverage the Authn authentication you could hook into device authentication like Windows Hello. I will be honest this is way more difficult than it should be IMO. But the actual verification is done all on the client (way too deep to cover here).
But....
You wont be able to get an authentication token from your identity service since you are offline, just verify the identity.
Now to deal with the coupon that would not require actual authentication that you could do. As far as applying it to an online purchase you would of course need to be online to complete that process. But you can cache the transaction and sync it up later.
I hope this helps. It is not a short answer sort of question :)
Currently, I'm working on a REST API which will be available for public clients but also I wanted to use it in my mobile application.
For the public clients, I considered to use the Clients Credentials grant, in this case, they would have to registered their app in my Web application which will give them the client key and client secret, then, they could request the access token with them and also I could know the user related to the credentials
But with my mobile application, I'll need to have a sign in section where I would need to use Authorization Code grant in order to secure my data, but I'm not sure if it's necessary.
Based on this, I have a couple of questions:
1. The Authorization Code grant it's the best way to do it?
2. It's a bad practice to have two authorization flows in the same endpoint?
3. Dropbox, Twitter, etc...all of them have REST API, how do they manage authorization in their own apps?
Thanks beforehand and sorry for all questions
I managed to solve this with two alternatives and for the moment, I'm going with the first one.
Create an Authorization server with a parameter that indicates what kind of Authorization Grant it's asking to use and in this way I can decide which kind of flow will follow based on this. I follow the OAuth 2.0 Spec for this using the correct names and parameters to pass in order to have a good way to authenticate our clients and applications.
Create an API gateway where I can send all the authentication requests for my API's using Node.js and in there it will be decided which API it's asking for authentication and with kind of Authorization Grant it's using. You can have more information about this in here:
https://www.nginx.com/blog/building-microservices-using-an-api-gateway/
One of requirements for implementing a REST Api is that the client has to send the required state information every time to the server to handle a specific request. Assume authentication is in place and I'm successfully authenticating users to use the rest api, which means with every request i'm verifying that user has rights to access the api.
What if I have multiple users and each user has a different access right. So each user can only call a different set of webservices. I'm wondering how this is normally handled by the server. I figure the only way to do this is to check the authentication of each user(via a password hash code,etc) with each request to verify that he has access rights to the requested service. If that is correct then what are the recommended ways of handling authentication of multiple users in such a scenario?
I'm using flask to develop my api, so any specific suggestions will be much appreciated :)
Thanks in advance.
Authenticate a user first by username and password. Return back a token or hashcode.
Prior to any action you take on the servers api, check the users permission by using the token.
You always want to check permissions on the rest api. They can all make the call to the api. Their permissions is what will determine if they can or can't do the request.