Is there a good way to do secret key authentication for http queries from a salesforce app to my own web server? In other words, I'd like to give each company that installs our application their own secret key. Then each http call the app makes to our server (whether json or just a link to a hosted iframe) would look something like this:
groupid = groupid
param1 = value1
param2 = value2
signParam = signValue
Where signValue = md5("groupid=groupid,param1=value1,param2=value2,secretKey"
Then when I receive the query, I calculate the signature as well to make sure it matches before I perform any actions on our web server. The problem is, I don't see how I can assign and store the secret key for each company that installs our app (that is, have them store the secret key in their installation).
Is there a good way to do this that I'm missing? And if this isn't possible in salesforce, how else do you authenticate web queries before you perform actions in your own server?
Rather than trying to track it on the salesforce side, have the salesforce side send the users sessionId to your webservice, you can then use the API to validate that sessionId get details about the user, and check locally that the particular user/organization is licensed. There's some articles on the developerforce wiki about using this approach.
Related
Let's say that users X and Y authenticate themselves (separately) on a service's REST API, and that JSON web tokens are used for authorization between the client and server. We want to send user-specific data to each user.
Should we ask the user to specify who they are, or should the server detect it based on the authentication method (in this case the payload on the JWT)?
In other words -
Should the API have endpoints that look like this:
GET /:user/resource (for example) /user_x/resource used by user X and /user_y/resource used by Y,
or would it be better to have
GET /resource and then, in the route handler, check the user id (as part of the JWT payload) return data based on the user id?
I'm not sure which of these (if either) is the best approach, or if there might be another way to do it, such as using query strings. It would be great to hear any opinions about this.
Thanks.
The server can identify the user based on either a session cookie, or an access-token. In your case, if you use a JWT, the user-information is usually already included in the token.
So the server should just fetch the information out of this token.
Just make sure, that you check the tokens signature on the backend.
Otherwise, an attacker could just modify the JWT and send a different user-id to the server.
We are in the middle of doing some updates to Cognito for an already in use system. If possible, I'd like to keep the current client IDs and keys the same so that we don't have to go update all the device clients.
Is there a way to manually set client ID and key in AWS Cognito? I was unable to find documentation supporting this.
Unfortunately, Cognito does not provide us the ability to set our own app client IDs or secrets. They are both auto-generated.
If you are constantly running into cases where you need to re-create your app client, I would recommend creating an endpoint to retrieve app client information for your applications given the app client name which can be set by you upon creating of the app client.
You can achieve this through a combination of Cognito APIs.
Use DescribeUserPoolDomain to obtain the UserPoolId given the Cognito domain.
Use ListUserPoolClients to obtain all the App Clients given the UserPoolId. This will give you a list of pairs (ClientName, ClientId). He're you will be able to get the ClientId corresponding to the ClientName you set originally.
Use DescribeUserPoolClient to obtain the App Client Secret given the ClientId and UserPoolId.
Folks:
This is a REST design question, not specific to any programming language. I am creating an application backend that is accessed via REST APIs. I would like to use the same APIs for both UI and API-based access. I am trying to figure out the best way to authenticate users so that I can reuse the same methods.
My current thinking on authentication is as follows:
API Users
These users get a user GUID and a pre-shared symmetric key. On each API request they include additional headers or request parameters that contain:
Their GUID
A security token that contains the user GUID, the current timestamp and another GUI (token GUID) concatenated together and encrypted using the shared key
Upon receiving the request, the server looks at the claimed GUID, retrieves the shared key, attempts to decrypt and verifies the token.
UI Users
These users will make a login request, supplying human credentials (userid/password). Once authenticated, a session is established backed by cookies and further REST calls are secured based on this session.
The Problem
What is the best way to write one REST endpoint that secures both ways: API access and UI access cleanly without too much duplication? I am looking to do the equivalent of the following, but perhaps more cleanly:
#app.route('/')
def hello():
user = None
if session:
user = get_authenticated_user()
else:
user = process_auth_headers()
# Do something with user
I am looking to code the server in Flask, but I am sure the solution will apply as easily to any REST-based server-side framework.
Looking forward to some insights from the community.
Thanks.
We use node for our server, but I think the method we use is pretty common. There are session libraries that express can use, and they can utilize pretty well any database to store session information. They use a cookie with a key that does a lookup on the database when the client comes in. The session data is created when the client authenticates, and the cookie with the client key is added to the browser. The clients GUID is stored in the session, it never leaves the server. We use that info when they hit the server to check if they are logged in, who they are, and what they can do. We have used both FB, (client checks FB, then sends the FB id and token down to the server, which then rechecks and sets up the session or rejects it,) or the old classic, email and password. This works well when you have to scale across multiple app servers, as session is independent of the server, it works for both mobile clients and the web.
I have a SaaS which integrates with SalesForce. I have synced all the SF users to my database so that my local users have a SF user ID stored.
I need to have a custom link in SF which will bring the user to my site and log them in automatically. The wrong way to do this is to pass the SF user ID in the link and simply match the SF User ID to the one I've stored in the database. What is the right way to ensure the referred SF user should be authorized? Is there some token I can put in the link from SF that I can then verify against the SF API?
There are two approaches for this:
Create a canvas app that sends a signed request to your site. The signed request will include the current users session details. You can use these to verify that the user is indeed who they say they are. I.e. They haven't just made up an id and that they came from an active Salesforce session. See Verifying and Decoding a Signed Request. The advantage of this approach is that you can verify the request has been signed with your apps consumer secret.
Its an older approach that isn't really promoted by Salesforce any more as the canvas apps superseded it. Create what was known as a composite app. This was basically an iframe to your external site that could include the session id and server url in the query string (over SSL). With these details you could call back into Salesforce and get the User Id of the session owner.
Incidentally, the Salesforce StackExchange site is a great place to ask Salesforce specific questions.
I need some advices on how to secure my application:
I have a REST service, using Spring MVC 3
I have my client application, using Ext GWT 2.2
Users credentials are available on the server side only.
SSL available
REST services should only be used by authentificated users.
I have read about HTTP Digest , token based authorization, oAuth etc, but I need some clarification and advices on how to secure my application, and which methods are the best in my case.
here is the methodology we created for our applications, works very well, and is very secure.
this is a very conceptual explanation, there is a lot of code that backs this up, FYI
When user authenticates or creates account, the server returns an x.509 certificate, base64 encoded, that is unique to for the user. The server stores a copy.
Everytime the client needs to access the REST API, client creates a JSON string comprised of the following.
The Users Unique ID (UserID)
A GUID or UUID, that guarantees this call is unique,(CallID) (protects against replay attacks)
A Dictionary (collection of Key/Value) of each parameter of the rest call
we then encrypt that string with the x.509 public key, and encode it back to base64 string, and take this encrypted value and add the UserID to a json object we call the token.
we then put the token into header of each call, and call it something like: X-Auth-UserToken
On every call the server takes the token, looks up the users certificate based on the userID, then verifies that the encrypted part of the token can be decrypted with the private key that the server holds for the user.
once decrypted, the server takes the CallID and verifies that it is unique, against its own calllog db.
if it checks out, the user is authenticated.
once the user is authenticated, you can apply your own authorization rules based on the users uniqueID.
of course, all the above is over SSL.
let me know if you need me to drill down on any parts.