A few days back I started learning ColdFusion 10 REST APIs. It was very intresting and easy to implement. But now I just want to implement authentication and authorization on my sample APIs. I have searched a lot but not found much useful info on Google.
It may sound like a very basic question, but as I am completly new to REST: Could any one please suggest how to implement authentication on my ColdFusion 10 REST APIs?
My initial thought is to have method named authenticate() on my REST enabled cfc, which I will call from all other methods or resources to authenticate the users. I am planning to authenticate the users by their username/password. Is this the correct way to implement?
The way I've seen it in most languages would be to have a base class that takes care of the auth check, usually the presence of a token in the url that matches something against the user in the db for active session. Then for all of your rest classes, just extend that base class, which is easily done with CFCs in ColdFusion.
Good luck on your implementation!
Related
I want to create a custom API that behind the scenes, call number of other APIs which use OAuth 2.0 for authentication. I want to manage this internally so that my custom endpoint somewhat abstract this.
Or to begin with I want to do what app like buffer (https://buffer.com) do - where you connect to different social services and than post your status.
How can I achieve this in .NetCore ?? I don't want to login with these (a lot of samples are catering this scenario), user login is different than this. I just want to establish these connections (like API Connections if you look at Azure API Management) and then perform some operations against those endpoints.
I hope i convey my point. please let me know if this isn't clear.
Thanks
Sanjay
OAuth2 systems are all based on the same workflow.
here's an authorization url, you pass some ids in an authorization header, if everything is correct you get a token, you then use the token to do whatever you are allowed to do. What changes are the credentials you use for authentication and the urls you hit for the various parts of this workflow.
You could write your own OAuth2 library which deals with all this, that's pretty much what I did and simply changed the details for every specific system I had to interact with.
This being said you can always use one of the existing implementations to connect to the various systems you care about, they all have an API you could use, all you have to do is make sure you follow the OAuth2 flow correctly.
I have a JSON REST API written in Symfony 2.7, and I want to authenticate & authorize users. This is my first time doing this, so I have some doubts/questions.
For that, I thought several methods:
User & password, and then save a session in the back end
Same as 1), but add an "apiToken" (randomly generate when user register) and then sending back & forth the apiToken in every single request to check user identity.
Use OAuth (which I'm currently reading about it).
I read that using OAuth for a simple API is like an "overkill", but on the safe side it sticks to standards and also allows me to use it when using my API with mobile devices and different platforms.
Also, I don't know too much about security flaws of using method 1) or 2).
I know this is maybe based on opinions, but I don't know any other site to post this question, as Symfony official mailing was shut down and migrate here it seems.
As you seems to know, your question is too opinion based.
If I can give you some advices (too long for a 600chars comment),
OAuth is powerful, but so much free.
I mean that you can easily implement it sort as everything works well while having a set of potential security issues without being aware of their existence.
Libraries and bundles providing OAuth are hard to maintain because of the new security issues regularly found.
On the other hand, if you need the benefits of OAuth (be a client and/or a server, compatible with the most part of social networks), go learn OAuth and do your experience with it.
Otherwise, use a simple credentials/request token two-step authentication.
See the JWT Authentication tutorial by KnpLabs,
Symfony Guard Authentication by Ryan Weaver,
and the great LexikJWTAuthenticationBundle, easy to implement and to use.
I am using asp.net web api 2 and developing an app which is to be hosted on intranet. So the authentication needs are very basic / minimal. I have some custom table where I store registered user's username/password. Using that I need to validate user.
As far as I understand OAuth is for using authentication from google/facebook/etc. Forms authentication is used with asp.net mvc. So what kind of authentication should I implement.
I have googled around but all I found are OAuth example. But how can I do very basic/minimal authentication implementation.
I know its a duplicate question, but it would be great, if someone can guide me to a link which can start from basics like how to read Authorize header, how to create/when to set IPrincipal, etc...
EDIT
there is no legal/regulatory requirement. also single sign on or windows login is not a choice. so just need to stick with a simple table with username/password fields.
just want to know the most basic way to include authentication/authrization in web-api app.
I recently answered a simliar question, see here: https://stackoverflow.com/a/26757636/849507
Since you already have your own table with username and password, the first two parts are for you. You can ignore the angular parts.
for the future users, if you are looking at the most basic & simple implementation, please have a look at SimpleOAuthProvider as shown in here. Its the most basic and simplest one to implements and uses token auth, which is good enough of most of the use cases.
Please do replace the AccountsController and AuthRepository with your custom implementations.
We have a large high traffic site with a lot of data on it (similar to Kickstarter), and we want to provide to our content/project creators a means of pulling their data from our site via an API.
Someone suggested I use OAuth, however my experience with OAuth is limited to setting up a twitter datasource.
What I want to do
Provide a user an Application ID and a 'secret'
Allow this user to connect to our application via an api endpoint, authorizing themselves using the api ID and secret
Once verified, allow this user to pull only their data from the application
The data that a user can pull: votes they have cast, pledges they have made, purchases they have made, projects/ideas they have launched, data about those projects/ideas (votes/purchases/orders/cancellations etc)
My question is:
Is OAuth overkill?
Is there a better way to handle a user/users website to connect to our API and pull/verify certain data by using the API we make available, while requiring each incoming request to be authorized for the user/site initiating that request.
Ideally, we will have an endpoint that is accessed as:
https://api.oursite.com/request/params
We want this to be as simple as possible for our users that wish to implement this interface. Thanks for your help!
Generally it's OAuth, in combination with SSL. That's the standard and is likely to stay. Before we saw also logins: username + password to access an API but that's becoming less and less.
So the suggested way is OAuth. There are no serious other solutions yet. To make it easier to adopt your API you could release some classes in some development languages so developers can have a quick start. You could start releasing those classes at for example GitHub to raise adoption of your API and get a quick access to developers. They might, if you do well, even start improving it.
Not sure if the title of the question expresses good my problem, so I'm going to do my best to explain it here:
I'm writing a RESTful api using php and Restler. Now here comes the problem:
There are some services that I'd like to protect, that is, know if the user requesting that service has enough privileges.
All the services that I'm implementing have to be consumed using javascript, so the traditional method user/password won't work beacause everyone will see that!
I'd also like to limit the amount of requests an anonymous user can do, like twitter does with the search service.
What can I do to expose my api to everyone, but only let users with priveleges complete their requests?
I stumble with this post: REST authentication and exposing the API key but at the end, no solution was provided.
I'm very open to any alternative: like OAuth. I would like to use something that integrates well with restler though, but if that is not the possible, then its ok.
I've seen a lot of info, saying that an api key would do the work, but since I'm using javascript, how can I protect those keys from being used by other users?
Update: Restler 3 is released with hybrid access support using #access hybrid comment and is available here!
Just in time with the right question :)
Your question has two parts
1. How do I do hybrid access (both public and protected access) with Restler
Restler 2 does not support hybrid access, but Restler 3, which will be released in August 2012 (this week) will support hybrid access, exactly built for your use case
You can follow the development at twitter and/or facebook
2. How can I protect my API when the primary consumer is JavaScript
For simplicity you may use HTTPS with Basic Authentication or HTTP with Digest Authentication
Another alternative is described in this article. It is not written specifically for Restler but it is easy to adapt to Restler. Let us know if you need help on that