Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 1 year ago.
I'm looking for help in choosing the right, most modern and safest way to authenticate. I'm using Spring as backend along with Angular on frontend. I'll add that I want to use OAuth2. I've really searched quite a few sites and haven't found a straight answer. I'm really confused...
I started with this implementation, but then I stopped after reading these recommendations. So far I know that I should use the Authorization Code Grant with PKCE.
How is it done in applications that are already in production?
The most sensible (as I think) option so far is implementing auth with Keycloak. Is embedded version reliable?
If you want to secure your API with OAuth there are many products out there which you can use (both open-source and paid solutions, if you search for "identity server" you should be able to find a few solutions). Keycloak is a viable option, but there are others.
When it comes to choosing a flow, I would also go with the Authorization Code Grant with PKCE. This currently is the recommended way, especially if you'll be performing OAuth flows directly from your Angular app.
That's another decision you would have to make - whether you want your frontend client to contact the Authorization Server directly (then you have to handle tokens in the frontend app), or you want to call your backend and have the backend talk to the Authorization Server (then you would probably have a session cookie, and associate the session with any access tokens).
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 months ago.
So basically I understand that a REST API is stateless and we should not use session-based authentication for API routes. However, let's say my application already has session-based authentication because it is a SPA. So I have a few questions.
How do we actually protect these API routes without using sessions, so that we can actually test these API routes in Postman etc.?
How can we achieve this without affecting the existing authentication system?
Do we need to use Passport or Sanctum to achieve this?
Thank you.
If your SPA and API are on the same domain, you likely want Sanctum which uses sessions via cookies or tokens to manage authentication. Based on your question it seems like Sanctum would be the best fit for integrating with your existing authentication workflow.
If your SPA is not on the same domain as your API you’ll want to use either Fortify or Passport.
I would avoid Passport unless you require an OAuth workflow.
Alternatively, you can create your own custom authentication using a JWT token in Laravel to authenticate the API. For that you can use tymondesigns/jwt-auth, a third-party JWT auth library.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 1 year ago.
I am trying to venture into the full-stack development realm during some of my free time, and I just have a few general questions about my current understanding of OAuth2. I am very green when it comes to this stuff, but I've watched some Udemy videos to gain a basic understanding.
Anyway... this project that I'm working on, I'm planning on having a custom authorization server, a resource server, and a single client (which will likely be a SPA). This authorization server will only allow the authorization code (probably with the PKCE extension) grant type. Which leads me to my first general question...
Intuitively, I assumed that the password grant type would be sufficient. As I've done more and more reading, it looks like this grant flow is not the way to go. As I understand it, using this flow would require the client to provide some form so that the user may login. Doing so gives the client access to user credentials, which very much defeats one of the purposes of OAuth2. I'm not sure this is an issue with what I'm developing, however, because I am creating the authorization server. I know by using this grant flow, I am not validating the client. Can someone explain how this might be an issue? Is there anything else I'm missing here? Everything I've read has deterred me from using this grant flow, which is mostly why I ended up deciding on the authorization code (w/ PKCE) flow.
So... assuming I go with this flow, my client should provide a login button. Pressing this login button will redirect the client to a web page where the resource owner can authorize the client and provide user credentials. My authorization server will then validate these user credentials. I plan on storing user credentials in a database on the VM running the auth server. I don't plan on allowing users to register an account. Instead, I'm just going to have a static list of account credentials in this database for people on my team. So I guess I'm just going to insert these accounts when the database is created? If so, how do I allow these users to change their passwords? I guess I'm thinking that initially these accounts will be assigned an e-mail, username, and random password that I can communicate to them. However, I'd like to give the user an option to change this random password to something more familiar. I don't currently know how to do something like this with the OAuth2 implementation. Do I just provide a way in the client to change the password when the user is logged in? If so, doesn't this somewhat defeat the purpose of using OAuth2, as now my client would have knowledge of the user credentials? If I were to do this, however, would this just be implemented as a POST request to a REST API at the auth server for updating the password?
I would start by using a free cloud provider as the Authorization Server. Have a look at the following tutorial of mine, which uses Authorization Code Flow + PKCE:
Blog Post
Easy to run SPA and API Code Sample
This sample uses AWS Cognito which is a fast option for getting started. It will enable you to create users - they will then be prompted to change the password on the first login.
The important points are these:
Write simple standards-based code in your apps and spend time learning the recommended flows and design patterns
Once code is written you should be able to switch to a different Authorization Server later, if needed
Avoid building your own Authorization Server, and use one that has been provided by specialists
You should only need Spring for the resource server (my API above uses Node.js). If you want an easy to follow Spring resource server sample maybe see this one.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 1 year ago.
I need to create a REST API for Android and iOS apps. It will be a small social network. Which way is better to use? Client Grant Tokens or Personal Access Tokens. Help me please!
Use Laravel Sanctum: https://laravel.com/docs/7.x/sanctum
Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / scopes which specify which actions the tokens are allowed to perform.
Laravel Passport is also useful.
Laravel already makes it easy to perform authentication via traditional login forms, but what about APIs? APIs typically use tokens to authenticate users and do not maintain session state between requests. Laravel makes API authentication a breeze using Laravel Passport, which provides a full OAuth2 server implementation for your Laravel application in a matter of minutes.
https://laravel.com/docs/7.x/passport
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I am writing a Spring Boot application that needs to authenticate users to an OAuth2 client provided by another group. The OAuth2 client provides two authentication schemes: form and sso. The application I am building needs to use the sso scheme because the application has no option to redirect the user to a login form.
Spring Security contains an enum that provides the security.oauth2.client.client-authentication-scheme options that can be used; sso is not one of them, so I need to be able to somehow extend this or provide a custom option.
Ultimately the application needs to generate a GET request that will take this form: https://iapi.mycompany.com/authentication-service/v2/authorize?response_type=code&client_id=myClientIdHere&redirect_uri=https://myclient.mycompany.com/redirect&state=someStateString&login_method=sso
As far as I can tell it's really only the login_method=sso part which is the custom part that needs producing. Any ideas on how I can convince Spring Security to do this for me?
Turns out the solution is to comment out the security.oauth2.client.client-authentication-scheme property in application.properties and to append ?login_method=sso to the security.oauth2.client.user-authorization-uri property.
Final property looks like this:
security.oauth2.client.user-authorization-uri=https://iapi.mycompany.com/authentication-service/v2/authorize?login_method=sso
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I have a web application (JSP) and I need to limit the access, so only the logged-in users see the application. I looked into it and I found many different approaches. Some say to use cookies, sessions or frameworks such as Spring Security. What should I use? So far I have medium experience in Java and JSP programming, so what do you recommend me to do? Thank you a lot!
Instead of preparing a home-made version of Spring Security, I propose to use it directly. Consider the following advantages:
In the future, if you need some new security features, you can just turn them on instead of developing them from zero (for example LDAP authentication, SSO, ...)
There is a chance that a new developer is already familiar with your security framework (on the other hand, it is certain that they will not be familiar with your home-made library)
Most of them have good documentation, so the learning curve is small when we talk about basic URL authorization (do you have enough time to prepare the same level of documentation for your home-made library?).
They have built-in protection against attacks like session fixation, etc.
They have multiple extension points, so you will not be limited by the framework (you will be able to add / modify necessary functionality).
They have a modular structure; you do not need to load all modules / know about them. Use only what you need.
It may be useful for you to check Apache Shiro and Spring Security.
In the case of Spring Security, if you start reading the official documentation from here, you can prepare all the configuration for basic URL authorization (with hard-coded users in the configuration) in less than 30 minutes. Then you need to include the corresponding jars in your classpath (for Spring and Spring Security) and that's all. Turn on debug logging for org.springframework.security to see what's going on.
Consider the use of a servlet filter. Store the logged-in user in the session and configure a filter to check that the user is logged in when he/she attempts to access the secured directories of your site (via url-pattern).
Basic info here: http://www.tutorialspoint.com/jsp/jsp_writing_filters.htm
But here's something more specific to get you started.
Create a class that implements javax.servlet.Filter, override the doFilter method and check that the user is logged in and configure the urlPatterns using annotations.
The annotation on the filter would be something like this:
@WebFilter(filterName="LoggingFilter", urlPatterns={"/secured/*"})
where the directory that you wish to protect is called 'secured'.
In the class override the doFilter() method and check that the user is logged in:
HttpSession session = ((HttpServletRequest) request).getSession(false); // false: don't create a session just to check it
User user = (session != null) ? (User) session.getAttribute("user") : null; // getAttribute returns Object, so cast
if (user != null) {
    chain.doFilter(request, response); // User is logged in so forward the request.
} else {
    ((HttpServletResponse) response).sendRedirect("login"); // User not logged in so redirect to login page.
}
This is an effective way to restrict a logged in user to specified parts of the site. This simple example can be extended to restrict access to different parts of the site based on user type or some other criteria.