Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Previously I was using md5 for decryption but then later on I switched on to BCrypt which is a better alternative.
So Let's say I developed an API and in that there is a service for User Log In. I try to call this service using postman and by passing the required parameters i.e username and password.
Now, I don't know if its possible or not but what If some hacker intercepts my requests? If he can intercept it then that means he can see the plain password which I've sent in the request param, right?
What's the best thing to do here if it's possible? Do I have to pass in password encrypted in Bcrypt in the API?
P.s. I use JWT based authentication for my API's.
Use HTTPS instead of HTTP for your API requests. Then it is difficult or impossible for man in the middle attacks.
Always use post method instead of get or any other method to send confidential data
"Implementing the use of TLS and HTTPS would provide effective encryption and authentication of transmitted data to protect the website from Man-in-the-Middle attacks. This effectively obstructs the decryption of confidential data like authentication keys" << Read More.....
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 10 months ago.
This post was edited and submitted for review 10 months ago and failed to reopen the post:
Original close reason(s) were not resolved
Improve this question
Currently, we have a spring boot REST application connecting to a mysql database in which we have a table named "User" with several fields. Among them, the field "email" and the field "password" stored as sha256(email + plain_password).
We also have an endpoint named "login" that receives 2 strings: email & password. If a user with such an email exists, we proceed to calculate sha256(email + plain_password) and then compare against the one we have in the database. If the strings are equal, the identity is verified and a signed "token" (with expire time and more user related data) is issued and returned to the client.
Now, every time we need to "secure" any endpoint, we ask for a "token" in the request header of the http call. An Interceptor reads every header for every call and in case one of those headers is the issued "token", we verify the signature, the expiration time and the name for whom it was issued.
The "secured" endpoint also has a custom annotation that indicates which role is allowed to invoke it. So if the interceptor verifies the token and the token belongs to a user with the role annotated, then we proceed with the normal flow of the endpoint. Otherwise, we throw an UnauthorizedException.
Question: Does Spring Security provides "out of the box" a token generation / verification mechanism like the one described above?
You have implemented custom security model for authentication and authorization. If someone else is to look at your code, they would be able to eventually figure it out but they would have many questions. Spring security based implementation is easier to understand and extend. Spring security also provides support for testing.
If you were to switch to an oauth based auth model, you would have to do it yourself. Spring security would make this transition mush faster.
I am building a service in go that acts as a public api endpoint. Some of the calls that I make require a user to be authenticated. I am currently working with keycloak as my auth provider, and following the example in this question as to how to communicate between my endpoint and keycloak (though I think this question would apply to any oidc provider). The answer to that question uses "somestate" as the state, and from the reading I have done, it is undesirable to use a static state, or a plain text state. Given that the service may be scaled eventually, I would also prefer to not require storage of some form, either in memory or database.
How do I use the request that I originally received to generate a unique state that I can then decode after the redirect, and validate in a possibly different service?
I assume that I would encrypt something and put that in the state, but I am not sure what to encrypt, and not sure how to encrypt it properly.
I'm not looking for opinion here, I realize how easily this question could get off topic, so let me explain.
I'm trying to figure out why we would use Basic HTTP Authentication at all if the username and password are simply passed as base64 encoded parameters from an AJAX request.
I understand the difference between Authentication and Authorization, but I'm not sure I see why we would even have the Authentication step in place for HTTP if it would take 10 seconds for a user to find it and then simply replicate the parameters in every API request from then on?
I've not found any good answers to this question in my research. I only find how to use Basic authentication.
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 4 years ago.
Improve this question
I'm putting in place a Spring web server and I want my API to be secured with Oauth2 Password Flow. Everything seems to be working fine for the AuthorizationServer part (No problem authenticating and getting an access token) but on the ResourceServer part I keep getting the following error :
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
Am I right in assuming that since any Oauth2 configuration is by nature split between the authorization server which grants the access token and the resource server which will check for this token validity, any access token granted by the AuthorizationServer to a client will be seen as some sort of pre-authentication by the Resource Server, and thus making it look for a provider able to support this kind of Authentication ?
If it is the case, what would be the best way to provide one ? I'm struggling to find any concrete example.
Or is my assumption wrong and the problem is coming from my setup being incorrect somewhere else ? Maybe I missed the part where I should make such a Provider available.
Thanks in advance !
I ended up solved my problem by starting over from a fresh configuration. It works well now, no more PreAuthentication related error. I am not sure exactly what I did wrong the first time but my configuration is simpler now than it was before, so I guess I disabled something I shouldn't have by trying too hard to give Spring something I thought was missing.
Anyway thanks for trying to help me #dur.
This question already has answers here:
How to identify a Google OAuth2 user?
(6 answers)
Closed 9 years ago.
I use Google oAuth to get user info via YoutubeAPI, but I don't know what I need to do after get access_token to retrieve userID, anybody please help me.
See Google's OAuth2 documentation for how to get information about the logged in user.
It's basically just a GET call to https://www.googleapis.com/oauth2/v1/userinfo with a correct access token. In the response the user id is included.
Note that you also need to include the correct scope in your very first redirect to Google:
https://www.googleapis.com/auth/userinfo.profile
If you're asking about how to get either the YouTube username or the YouTube user ID for the currently authenticated user, it can be found in the response to a properly authenticated request to
http://gdata.youtube.com/feeds/api/users/default?v=2
You can do one of the following:
perform a GET on www.googleapis.com/oauth2/v1/userinfo
decode the id_token that you get in the initial request, using a JWT library
I'd recommend the latter as it is more robust and doesn't require an extra call.
See this thread for more info: How to identify a Google OAuth2 user?