Worklight 6.1 documentation identifies that "credentials" such as password can be added to the user identity object (UIO) provided to WL.Server.setActiveUser().
How & where is the UIO stored on the WL server, and is this considered a secure storage?
Trying to understand the security implications of storing password in this structure to be retrieved and used for subsequent back-end access (Cloud) requests. If not secure, can encryption be applied to the any part of the UIO?
Appreciate any advice you can provide.
The User Identity object is kept in memory and is scoped to the current session.
In other words, the credentials are not persisted; one would need to dump the server memory and dig through it or connect with a debugger. It's considered secure. The production server is also supposed to run in a secure environment with limited access to the process, etc... of course.
The credentials stored in this object can be used by the adapter to authenticate with a back-end on behalf of the user.
In a HTTP adapter, the authentication schemes Basic, Digest and NTLM use that technique
In non-HTTP adapter and in custom authentication schemes, the developer can use those credentials as necessary.
Related
I have two questions :
1- Does the MobileFirst ver 7.1.0 provides encrypt functionality on the client side and decryption on the server side?
2- I need to pass username/pswd to the database through an adapter call. From client when I call adapter and pass these credentials it goes as a query string. How can I hide these while send it to server-side adapter?
Does every mobile user have his/her own username password for the database? If so this is not ideal design. The database credentials must be held in the adapter's xml and the user must be authenticated to MobileFirst using security tests and login & authentication modules.
If you still go by your original design, you can use Java adapters to accept credentials from the user through the payload of the call rather than query parameters. See https://www.ibm.com/support/knowledgecenter/SSHS8R_7.1.0/com.ibm.worklight.dev.doc/devref/t_impl_java_adapter_JAXRS.html
Having done this, make all your calls over HTTPS for the traffic to be encrypted during transit.
I am implementing login within a new native application (iOS and Android) and deciding on the kind of authentication to adopt. There are some quite clear guidelines around OAuth that state that this should be done using an external agent (browser) and this leads me to Authorization Code Grant with PKCE
https://www.rfc-editor.org/rfc/rfc8252
Implementation here: https://appauth.io/
However, my designers and product owners are sceptical. They dont see that kind of login very much (they dont like the address bar) and want to explore the Resource Owner Password Credentials option. Essentially direct login. Their argument is that it is simple and familiar.
I dont want to compromise security and as such I am resisting this option. But... I have read some articles that seem to suggest that this could be secure if I dynamically generate the client used for the auth request:
https://www.rfc-editor.org/rfc/rfc6749#section-10.1
The authorization server MUST NOT issue client passwords or other
client credentials to native application or user-agent-based
application clients for the purpose of client authentication. The
authorization server MAY issue a client password or other credentials
for a specific installation of a native application client on a
specific device.
This is backed up by AppAuth documentation here:
https://github.com/openid/AppAuth-Android#dynamic-client-registration
https://www.rfc-editor.org/rfc/rfc7591
Am I interpreting this correctly? I am considering initial user registration in-app that returns an access token that can be used to dynamically generate a client (with secret) that can be used for login using ROPC.
I am thinking to be secure then this dynamically generated client should only be used for login for the single user - one client per user, but maybe one client per device is also secure enough.
It seems a little 'hand rolled', so I am nervous. Am I right to be so?
Just found out that the basic workflow for token-based authentication is as follows:
User requests access by providing username and password
The application validates the credentials and returns a token to the client
The token is then stored on the client and sent with every request henceforth
The server then validates the token and returns private data as a response
Now, I understand the flow more or less, however, I'm having issues with the terms application, client and server. I understand the term server to mean where the API is stored... which is also part of the application. But the application could also be anything from a web app to a mobile app on various platforms... a client in other words.
So isn't it true that the application includes both the server and the client. So what does it mean by each term exactly, in the above context?
On second thoughts... I guess the original token is being generated on the server side, and this is then being returned to the client. Is this true?
Those terms terms are pretty overloaded in software development, so it's always difficult to nail down the exact meaning without focusing in a very specific context. Bear in mind that even authentication can be seen as a very broad context.
I would rephrase your proposed workflow to the following:
User requests access by providing a set of user credentials (we don't have to use passwords all the time, see passwordless authentication out of curiosity).
The authorization server validates the user identity and, if valid, issues an access token.
The client application from which the user started the process receives and stores the issued access token.
The client application calls into a resource server using the access token in order to obtain user associated resources.
Damn, now we have even more terms, but let's try to fix that by providing some definitions.
First, the ones more generic:
Client: An application that obtains information from a server for local use.
Credentials: Usernames, passwords, email addresses—any of a variety of means for communicating parties to generate or obtain security tokens.
(source: Auth0 Identity Glossary)
Then definitions within the context of OAuth 2.0 and/or OpenID Connect:
Authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
(source: RFC 6749)
It's not even useful trying to define application, but what we should conclude from the other definitions is the following:
As you said, a client can range from web, to mobile to event server-side applications.
The role of the authorization server and resource server can be played by the same component, for example, a Web API that has an endpoint protected by HTTP basic authentication that can be used to exchange a pair of username/password credentials with an access token and then all the remaining API endpoints are protected in such way that only allow access if you provide that access token.
Finally, one final note to clarify your last question, yes, the creation of the access tokens need to happen on the server side because the creation of the token will be accompanied by some kind of mechanism that will ensure that the token cannot be tampered with and was in fact created by a very well-know entity. For the case of JWT's this mechanism consists of signing the token which is accomplished by having the server know a secret that no one else knows.
I'm currently using Thinktecture's Identity Server as a security token service to handle the issuing of tokens based on username and password claims. This fits perfectly for a scenario where the authenticating client is an actual user authenticating against a web application for instance, but I'm now interested in scenario for when the authenticating party happens to be an independent process on the server that needs to establish a security token to pass to another server process. I'm ideally after a few pieces of advice here:
1. Is this a valid approach to authentication for server processes communicating with each other?
2. What if I were to move one of the server processes to a different machine talking across a TCP boundary instead perhaps? Is this approach still valid.
3. What ClaimTypes would I use for authentication of the process? And is the Thinktecture Identity Server happy to authenticate against these? I assume I'll probably have to write a custom authentication extension to it to do so...
Thanks very much,
Clint.
One of IdentityServer's authentication protocols is the "simple http" -- you pass in credentials and get back a token. This might be what you want.
Oh, there's also the WS-Trust endpoints as well.
Is it possible to instruct the jabber/xmpp server to delegate authentication to another module? We are building an internal application using XMPP and it would be fantastic if we could let users keep their standard username/password that they use in our web-apps. The web-apps are currently hashing passwords, and so the passwords in the DB are not stored in plain-text form. It would have been easy to share passwords across systems if this were not the case, but then, of course, storing plain-text passwords in the server-side database is a big no-no.
Ideally we could just tell the jabber server "hey, just pass off your username/authentication request to here" and have some other process running (perhaps even just an xmpp bot?) that handles authentication.
We are currently using ejabberd as our server, which I believe is written in Erlang. We're not tied to ejabberd though. I know that XMPP is huge, and largely extensible - but I haven't found anything about extensible authentication on the server side.
I found this on the XMPP website, but that appears to be the protocol for negotiating authentication between the client and the server, not the actual authentication mechanism on the server.
Any pointers on how to merge authentication schemes between an XMPP server and our other systems?
ejabberd has multiple ways to authenticate. You can use LDAP, for example, if you have an LDAP server for your organisation. This works at my company, and provides a single log in for our wiki, ticket system, etc.
Have a look at the section on authentication in the user guide.