I've just started Windows Phone app development. I'm using the Live Connect API and I am confused about the credentials. When I configured my app in the Live Connect Developer Centre I was given a ClientID and a Secret. However I don't seem to have to use the secret in my app, but I can only regenerate the secret and MS says "For security purposes, don't share your client secret with anyone." What's to stop someone who has the ClientID spoofing my app?
Yes, ClientID is not taken as a secret. Nothing serious can be done only with Client ID.
The Secret is required in important scenarios, like when you received a Windows Live authorization token, then you want to use it to get other tokens in order to access the users' OneDrive storage, you need submit your Secret together with your ID to the Live Server.(this is the Live Connect authorization flow)
Please read this article
Related
I'm using an external service called auth0 in order to get an access token and let my users use my api. Auth0 is using Oauth2 protocol.
In short The user adds a username and a password, I'm doing a call to auth0 by using a client_id (apps have an id) and client_secret and I get an jwt access token in return. Then from there I carry this access token to have access to my own api since I can check its validity.
I have been looking around about how secure it is to store client_id and client_secret on the client side (e.g. web (javascript)/mobile (native or hybrid with ionic)) and everybody was saying that it's not secure since everybody can reverse engineer the code and get the client_id and client_secret. Ok...I can take it...what Can I do with them if I don't have credentials in order to get the access token?
Given that I don't want to store the client_id and the client_secret, one solutions I have thought is to make a direct call to my api (Java) with the credentials and then my api make a call to auth0 and return the corresponding access token. In this way the client_id and client_secret is stored in the backend and somebody cannot get them easily. Is that safe?
However I have some endpoints, e.g. creating use account, sending sms for phone validation etc, that cannot have credentials. How do I protect the api in such case? If I can't store my own access token on the client side how could I get an access token and access my own api without credentials?
Thanks
One possible solution that OAuth spec suggests is that you could have three different servers for your application.
client-side
backend server and an additional authentication server.
The preferred way of doing this would be that the client would send the user credentials to the authentication server. The authentication server would be a back-end server which contains the client secret
The authentication server will authenticate the credentials and return back the token.
The client will then use the token obtained from the authentication server to access the resource API server.
If you wanna know more check out this video
https://www.youtube.com/watch?v=rCkDE2me_qk
In my opinion you are almost certainly using the wrong OAuth flow. I use Auth0 with Ionic as both a web app and a native Cordova app. I don't have the client secret in my client code at all.
If you follow the Auth0 quickstarts (https://auth0.com/docs/quickstarts), you should be choosing (Native/Mobile App) if you are deploying to app stores, and (Single-Page App) if you are deploying the web version of Ionic. From there you can pick Cordova (for native) or Angular (for SPA). These should give you instructions that implement OAuth flows which DO NOT require your client secret. My guess would be you are referencing a "Regular Web App" quickstart, which runs server-side and CAN safely hold the client secret. That's not the world you're coding in if you are using Ionic Hybrid/Native.
I would consider wrapping the call to Auth0 into your own server side implementation as safe. Your API takes user credentials and then calls Auth0 and this way your client_id/secret are secure on your server and the client can be reverse-engineered all the way without compromising your security.
Regarding the other APIs which cannot have credentials you are pretty much out of luck. Their very use case is to be used by an unauthenticated third party, so at least the account creation API cannot really be protected. However you can still use some nicely designed constraints to limit the attack surface. E.g. you can require an email address/phone number to register and you will not allow the same address/phone number twice. If you set up your process that you first need to confirm your email address before you can validate your phone number this will make the life of an attacker a lot harder. He would need a real working email address, and some automation to receive your confirmation mails before he could get to call your SMS service. You could also rate-limit the service per IP-address so an attacker cannot cause your SMS cost to skyrocket by issuing a lot of calls for SMS validation in a short period of time.
I'm working on a personal project composed of an API and 4 clients (web, android, iOS, windows phone).
I'm using django-rest-framework and oauth2 toolkit on the API side and I wonder which grant_type would be more suitable in my situation.
I read somewhere that the implicit grant_type is appropriate for working with mobile clients.
I'm currently using the resource owner password credentials system.
My current workflow is:
The user creates an account on the API registration page (http://mysite/api/register) then gets redirected on the web client.
The user have to authenticate himself on the API from the web client (the secret and client ID are store in the web client). If the authentication is successful the access_token and refresh_token are both stored in the user session.
Each time the user want to access a page I verify if he is authenticated by requesting the API using his access_token. If the request fails, I retry with the refresh_token. If it's fails again I redirect the user on the auth page.
The user can use the API on a mobile client with the same account without extra manipulations (the secret and client ID are store in a secure location ex. share preferences or keychain)
I like this workflow, it's simple and convenient for the user: he registers once and can use all the clients and I get a perfect separation between the logic (API) and the UI (client). But I'm worried about the security of this system. I don't want to expose my users to threats. Do you guys have any thoughts, recommendations, suggestions?
You help in this matters would be very appreciated.
Thanks in advance!
I am currently using EWS in my application to access Exchange data. I want to add functionality for Office365 using rest api.
With EWS, Authorization was quite simple, just add Authorization tag in header with username and password base64 encoded, I bealive it is called basic Authorization.
But with office 365 the process gets 2 extra steps
On the image above you see that 2 steps are in between my application and office365.
Every office account that will use my application, must do
some configuration steps at Microsoft azure. to get secret key, client it and tenant id.
I would like to avoid that, ideally user needs only to enter his credentials thus I can access all of his data in office 365 programmatically.
Every office account that will use my application, must do some configuration steps at Microsoft azure. to get secret key, client it and tenant id.
If I understand your question correctly, you want to avoid all the steps to configure the client_id, secret key for your app user?
If your app is a browser-based web app, the "Application" block on your diagram actually consists of web server and user/browser. In this case, only the web server needs to pull the configurations from the Azure, client_id, secrect, etc... This being said, the user/web browser only needs to enter his credential, and with implicit consent, you app will have access the the user's data. Such workflow can be described below,
In this case, you app user/browser does not need to pull the configurations from Azure. Only the web server does.
If your app is a native app, when you make a request to the auth endpoint, you app needs to include the client_id and redirect URI in the request. This is shown on the first step below.
In this case, your app user can use the same client_id and redirect URI, you don't need to "force" them to create their own's, so that they only need to input their username and password.
You can find more info on Azure AD authentication from https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/
I recently have implemented GoogleStrategy using passportJS and I am successful implementing it.
But why do I need to registering the app in google developer console and get the clientID and client Secret.
I am not successful in finding why it is needed. Could anyone please let me know why and when is it required?
You don't need both. There are many different OAuth grant types, and many of them do not require the client_secret.
Using the client secret is recommended for server-side apps (where the end user does not have access the client secret) because it is more secure. It is not recommended for client-side apps; those apps can be decompiled, thus leaking the client_secret.
Your clientID is used so that Google can identify your application and allow the usage of Google APIs and services as appropriate. It is all for authentication and authorization so that you can get the proper permissions and accesses to whatever Google APIs and services.
Your clientSecret is used to hold slightly more confidential information, such as your api usage, traffic information, and billing information.
I have a mobile iOS application that I want to authenticate to a RESTful API.
Every user potentially has multiple devices linked to the same account.
So far I came up with the following:
Client-side
Let user login with username/password
Send username/password & unique device id to server
Get authToken from server and set it in the HTTP Authentication header for each API call
On logout, remove authToken
Server-side
API uses SSL
user has many associated devices
devices are represented by unique device id and authToken
each time the user changes password, regenerate all authTokens
if a device is removed, delete authToken for that device
Would that be a secure approach to access the API and manually add/revoke devices?
Yes, this is a fairly standard approach. Google has a document that describes this approach (a majority of the document is geared toward getting the token from the server to the client so that may not be as useful to you). And some more detailed description of bearer token authentication.
You should see if the application framework you're writing the server in already supports an authentication mechanism like OAuth, so you won't have to write your own.