Every place I read about Oauth2 scopes it uses examples of read, write, delete, post:read, post:delete, etc... This always representing "actions", like It was a permission...
I am in a situation that I must implement an API that must authenticate the user but limit user's access to data that only belongs to the same corporation he belongs, this user may belong to "N" corporations.
I came with the idea to use the Oauth2 scopes for that purpose then use Laravel's eloquent global scopes in model to filter the data.
I am stuck and dont know How to proceed. Could anyone give some advice?
There are 2 concepts in the requirements you mention:
Scopes are high level privileges that represent an area of data and operations allowed on that data - they are also static values defined as part of the system design. Avoid attempting to use them for dynamic logic.
Claims are where the real authorization happens, and what most domain specific authorization uses. Claims are just extra fields included in JWTs. In your case an array claim of Corporation IDs could be issued and included in JWTs received by APIs.
These two Curity articles explain this in more detail, along with some real world examples. When done well, the result should be simple code in your APIs:
Scope Best Practices
Claims Best Practices
Related
Is there a way for us to define the policies of a GraphQL API, which is both machine-readable and human-readable, which contains a set of rules (in other words, a specification) to describe the format of the API? I'm not talking about the schema, but of a spec where we can add security-related details (for example, complexity value to be assigned per field and depth limitation values) or any other related details. Any thoughts or ideas? Or can we send all of this within the SDL itself?
For example, for REST APIs, we use Swagger to define information on how to define paths, parameters, responses, models, security and more. Is there a need for a similar approach for GraphQL APIs? Your response is highly appreciated
We are working in an approach to add policies to your GraphQL API and allow you to better manage it, especially as you expose the interface externally.
Part of the challenge is that as opposed to a REST call that can easily be differentiated from others, all GraphQL requests look the same, unless a deeper analysis is performed on the incoming query.
This blog post describes how we perform this analysis: https://www.ibm.com/blogs/research/2019/02/graphql-api-management/
if this is of interest let's connect!
As per my understanding you need a tool to make documentation for the APIs you have build for parameters and so on.
If that's what you are searching, there is like swagger for GraphQL - Swagger-to-GraphQL
Hope that helps.!!
I am using the current version of Spring Data Rest (SDR) and Spring Security (SS) and have following entities:
User: contains a List of teams joined and another for teams managed.
Team: contains a List for members and another for admins.
What I would like to do is customize the information returned for the entities by SDR given permissions of the current User. I'm aware of Projections in SDR but I believe they're not suitable for my current problem since this should be done transparently without having the User specify the projection in the request.
Given the following:
(1) /teams/{team_id}/members
(2) /teams/{team_id}/members/{member_id}
(3) /users/{user_id}/teamsJoined
Here is what I want to implement:
Visiting (1) by a normal member of the team would return different fields than when done by an admin.
Visiting (2) would return additional fields not returned by (1)
Visiting (3):
by the user with {user_id} should return all teams.
by another member should return only the intersection of their teams.
I was thinking about maybe using AOP but I'm not really sure if it would work. What would be the best way to implement this?
I'm not sure exposing various representations of a resource (at the same uri) based on the requesting user follows the REST philosophy. You should use another uri for that.
Maybe you could split the data visible by only some kind of users from the original entity into another 'sub'entity (1-1 relation) and restrict the access to theses related resources endpoints. You can make use of #PreAuthorize and #PostFilter annotations on your repositories methods to restrict access on your resources based on the identified user.
I'm new to Spring JPA/jHipster.
My question is inspired by the jHipster talk by Julien Dubois: https://youtu.be/R3jm2qmqctI?t=43m7s
Assume you have a bank account with operations on it (+100$ for restaurant, -50$ ATM, ...)
Each bank account has an owner of course.
The payload of a POST REST call that creates the operation could look like this:
{"amount":100,"description":"restaurant","bankaccount":{"id":1136}}
The id of the bankaccount is unique and (for the sake of this example) would have been sent to me earlier via another REST call.
Unfortunately, nothing prevents a malicious user to change this value. One could simply guess the id of a bankaccount owned by someone else, and then the operation would be added to that one.
I have not (yet) seen examples that deal with this problem.
Should I explicitly check if the bankaccount is owned by the user?
I imagine that this type of verification may cascade through all your entities, causing a lot of extra calls.
Maybe I'm missing something?
Thanks,
Andy
Yes it's your reponsibility to check in your REST controller or underlying services that an operation is authorized. Spring security offers different mechanisms to do it in particular by using #PreAuthorize and #PostFilter.
It's also a good thing to use DTOs, this way you can better control what fields of your entities are exposed for reading and writing through the API.
We have a few features that follow very similar patterns:
User submits email address
User receives email with secret code
User redeems secret code to perform secure action
For example, our sign-up / registration feature follows this pattern. User submits email address, receives email, then uses secret code to create password & user account. Another example is password reset. User submits email address, receives email, then uses secret code to change password and access user account.
Pattern #1
We could have 1 controller that manages each feature individually. So, for example, a SignUpController that handles all related actions (sending email, redeeming code, and creating password). Then we could have a PasswordResetController that also handles sending the email, redeeming the code, and changing the password.
Pattern #2
An alternative would be to have the actions split across controllers. In this pattern, we would have a SendEmailController that would send emails for both features, a CodeRedemptionController that would handle code redemptions for both features, and a PasswordController that would handle password operations for both features.
Which is a better approach and why? Our main goals are to achieve high code simplicity, clarity / discoverability, and DRYness. I can see advantages and disadvantages with both patterns.
Pattern #1 advantages
All code pertaining to the feature is kept in one place. Passing data from one action to another using TempData dictionary is easier to understand, and the flow of the feature is described by a single controller.
Pattern #1 disadvantages
Dependency injection. Each feature controller would need dependencies injected for email sender, account manager (MembershipProvider interface wrapper), as well as various repositories. When using constructor injection, the constructor would have a lot of arguments.
The advantages and disadvantages of Pattern #2 would be the opposite. We could simplify dependencies for the controllers, but the features would be spread across multiple controllers, blurring the clarity of what features the app as a whole is trying to achieve.
I would use a single account controller to manage all of the related user management functions. This controller would be the user's access point to handle these types of features.
Then I would separate the separate logic you mentioned into different model classes that would be called by that controller as needed. Examples:
/models/EmailManager.cs
/models/PasswordManager.cs
/models/SecretCodeGenerator.cs
/models/AccountManager.cs
This would allow you to have a consolidated url syntax. It would keep you from having many controllers with only 1 method. And it would keep you from having a lot of model type logic in the controllers.
www.mydomain.com/account/signup/
www.mydomain.com/account/confirm/
www.mydomain.com/account/resetpassword/
(with custom routes, you could even remove the /account/ part if you wish)
However, I might be tempted to create a custom controller to handle redeeming of secret codes. (redeemController) This way you could control access to much of the accountController to authorized/existing users only, whereas the redeem controller (depending on your design) may be open to anonymous for new customers.
Finally, having most of the logic in the model classes makes them much more test friendly.
I'm getting some trouble understanding the MVC concepts.
I'm building a User model, you know? Application_Model_Users. They say that the models should only contain the structure... and the business logic should be put in the controller.
So, consider a function called authenticate($user, $password). This function will return true if the username and password entered is valid or false otherwise. Where should I put this function? In the controller Authentication or in the model Users?
Thank you!
Related to the Model, whenever you need to retrieve data(from DB, Web service, filesystem) or save data, you need a model to do the job. In MVC, a model is not understood as a mapped table, maybe more like a mapper. Zend has some info about this at their site, it could help you understanding mvc a bit more.
When it comes to user authentication, you should certainly implement the authenticate function inside the Users model, I would think you will do a database check against a table or similar.
Just in case you are not already using it, Zend comes with a package for auhtentication: Zend_Auth (http://framework.zend.com/manual/en/zend.auth.html) , it could speed up implementing the security at your application.
Although Model operations often include storage operations (DB, servicer, etc), it is not limited to that. Model, as far as I know, should countain Business logic entities, this is, classes that represent your business entities, like User, Person, Customer, etc. Each class should define its own operation methods, in example, a Person model class should allow you to get a person's name, calculate his/her age according to his/her birth date, etc.
Also, there should be specialized classes for Model storage and retrieval. With these classes you could fetch all your Customers, or only one, using certain conditions, etc, or save a modified Customer class instance (in example, a customer changed his/her address or phone number).
This separates the storage/retrieval operations from Business login operations.
So, according to your question, your model could have a class that allows you to find one user by its user name and password. If the user is found, you could return a Model_User class instance (in example). Then, using the standard Zend_Auth class, or extending it to create your own authentication class, you can use some Login form parameters to perform the user authentication.
Follow the Zend Framework quick start guide, there are the basics about MVC in Zend Framework. Also, there you will find some resources about Zend_Db and related classes, to allow DB interaction. There are also Zend_Db_Table, Zend_Db_Table_Rowset and Zend_Db_Table_Row classes, that you could extend to fit your model storage needs.
I have a personal solution where I extend Zend_Db_Table for my (in example) Model_UserTable class, used to store or query my Model_User entities. And my Model_User class extends Zend_Db_Table_Row.