I am Java developer and my customer wants to make web application using CKAN.
But he wants too many functions more over CKAN offers or not corresponds with CKAN's architecture.
So I decided to write Java program which has functions that customer wants and calls CKAN's RESTful API using Apache HttpComponent
But I encountered authorization issue.
Because my To-Be system will works without login to CKAN, I have to know users API-KEY when I call some apis need authorization.
But I can't get API-KEY unless login CKAN site(right?) and I think that getting someone's API-KEY by another way is nonsense.
If you don't think so, could you tell me how to get users API-KEY?
I also considered another way making all objects need authorization public.
But some apis send authorization error when I don't put API-KEY in Http header whether the object I intend to handle is public or private
Because of these reasons, development is been delaying.
Could you give me some advice?
The only way to get a user's API key is for the user herself to login to the CKAN web interface and go to their profile page.
If you're writing an API client, the way a client would normally work is to ask the user to enter their username and API key, either in a configuration file or into a GUI.
Related
i'm just trying to authenticate moodle with user key authentication using this plugin. but i'm not sure is this a safe way to authenticate users because this plugin only check whether the user name exist in the moodle database. and anyone can guess the user name and send post request to the end point and it will give you the authenticated url.is anyone know how to make this more secure? or is this way not safe?
From a quick look at the plugin, the one-time URL is created by calling a Moodle webservice. That webservice call is only available to users who have been authenticated via a private token (that would be stored securely on the server that is making the webservice call to retrieve the URL).
As long as you don't give out the private token (e.g. don't include it in JavaScript sent to the user's browser) and as long as you don't grant general permission to generate login URLs, you should be fine.
Disclaimer: I am an experienced Moodle developer, but I have not reviewed the code in question, only the basic principles involved.
I have a JAX-RS application deployed under tomcat and a mobile app.
I would like to know how to make the webservice usable only by the mobile application, in other words, allow access only for a given application
When a request comes in across the internet, there's not really a safe way to be sure what application sent the request. Applications can identify themselves however they want. You could, if you want, attempt to hide credentials in your application, somehow, and have it log in with those credentials. But if anyone discovers those credentials, they can write a program that uses them to pretend to the your application. The problem is that you cannot count on any control over the client system. The client system can always be altered to pretend to be something it is not.
From my perspective, you can add username/encrypted password in the invoke request, and then compare it with the ones saved in the server side
If you really want to, you could implement some form of cryptography. For example, the JAX-RS service can send a 401 forbidden and provide a nonce for the client to sign with its private key, and then send back to the server in the Authorization header. Otherwise, stick to HTTP authentication. If you are communicating via HTTPS, you should be fine with basic auth.
Currently, I'm working on a REST API which will be available for public clients but also I wanted to use it in my mobile application.
For the public clients, I considered to use the Clients Credentials grant, in this case, they would have to registered their app in my Web application which will give them the client key and client secret, then, they could request the access token with them and also I could know the user related to the credentials
But with my mobile application, I'll need to have a sign in section where I would need to use Authorization Code grant in order to secure my data, but I'm not sure if it's necessary.
Based on this, I have a couple of questions:
1. The Authorization Code grant it's the best way to do it?
2. It's a bad practice to have two authorization flows in the same endpoint?
3. Dropbox, Twitter, etc...all of them have REST API, how do they manage authorization in their own apps?
Thanks beforehand and sorry for all questions
I managed to solve this with two alternatives and for the moment, I'm going with the first one.
Create an Authorization server with a parameter that indicates what kind of Authorization Grant it's asking to use and in this way I can decide which kind of flow will follow based on this. I follow the OAuth 2.0 Spec for this using the correct names and parameters to pass in order to have a good way to authenticate our clients and applications.
Create an API gateway where I can send all the authentication requests for my API's using Node.js and in there it will be decided which API it's asking for authentication and with kind of Authorization Grant it's using. You can have more information about this in here:
https://www.nginx.com/blog/building-microservices-using-an-api-gateway/
I'm writing a Web API for my users to access their information on my site. However, I'm not sure what type of authentication I should use for such a task.
Here are my intentions:
One of my users develops an app that needs information on their account from my server. He sends me a key and I verify that he's a valid user.
There shouldn't be any 'middle-man' apps that are doing anything on the user's behalf. Just the owner of the account. Currently, I'm using a system where I hash a GUID and the user sends that string to me. I decrypt it, and check my database for that key.
I'm not sure what this method is called, but it seems to work. Does anyone have a better solution that I could use that (probably) better uses web standards?
This question screams: OAuth.
http://oauth.net/2/
More details:
OAuth is an authentication protocol that allows you to approve one
application interacting with another on your behalf without giving
away your password.
Taken from: http://blog.varonis.com/introduction-to-oauth/
Let's say I have some Web API and I want it to use only the users who know the password. And I have a URL like this:
GET http://api.example.com/v1/dog/123
I don't need to much security here. So, it is secure enough to just supply a password like this:
GET http://api.example.com/v1/dog/123?password=myPassword
Of course, it's a plain text and a GET request which is not secure at all. But I can't use https for now (if it would help).
What are the other option for decent but not complicated authentication?
It seems that an explicit user login would be in order. Once the user is authenticated, authentication cookies in the GET request allow access the resource.
If you web service is in Java, the J2EE container takes care of all this for you. See the following tutorial: http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html. To sum this up, the application server provide protection on a per-resource basis. The server also allows you to chose from multiple methods of authentication (form, basic, ...).