I'm not looking for opinion here, I realize how easily this question could get off topic, so let me explain.
I'm trying to figure out why we would use Basic HTTP Authentication at all if the username and password are simply passed as base64 encoded parameters from an AJAX request.
I understand the difference between Authentication and Authorization, but I'm not sure I see why we would even have the Authentication step in place for HTTP if it would take 10 seconds for a user to find it and then simply replicate the parameters in every API request from then on?
I've not found any good answers to this question in my research. I only find how to use Basic authentication.
Related
I'm working with Spring Boot and don't know how to design register confirmation process.
Is UUID the best choice to generate random token? I've seen that people write "no, it's not" but they don't explain why and what is better
A lot of people suggest also to avoid sending token via GET param because there is a risk that someone can steal it. They encourage to send POST requests with token in request body, but how to send POST request from email? Using ? But then my server should be able to process this request, but this type of request fits to REST application? Or meybe there is possibility to send POST request with json body from email?
I can't decide how to solve these problems.
UUID seems to be a perfectly fine solution for tokens. I don't see a problem with it.
Regarding question 2: If you have tokens, that would be used multiple times, then indeed using that token in GET requests is a really bad idea. However, for a registration confirmation, you usually only have tokens that are valid for one use. So as soon as someone used a token, you should mark this token as invalid. In that case, using it in a GET request doesn't impose any security risks. Also, the token itself should just be used to mark the user account, but it shouldn't allow automatic login of the user, once he clicked on the link. Then you should be fine.
I'm new to web development and trying to get my feet wet by building a web app that uses Google APIs. I was reading Google's documentation on using OAuth 2.0, but the redirect URL bit has me a bit confused. According to the example here a successful authentication will send a response to
{redirect_url}?state=/profile&code={auth_code}
The response URL doesn't specify a user and neither does the response load as far as I know. How does the redirect URL endpoint know which user is tied to the authorization code it just received?
There was a very similar question here, but the answers focus on passing query parameters to the redirect URL. I'm not trying to do that. I want to understand how the redirect endpoint associates an OAuth response to a particular user. Note that I'm pretty new to all of this, so my confusion might stem from not understanding how HTTPS calls work or something similar.
A notable detail is when your redirect URL receives a response with code, it is the Google authorization server that redirect user's browser to your server. So it's user's browser that send a request to your server with code.
In other word, actually, you question is: "When your server receives many requests from many users, how do you know which user a request comes from"
I think you need to learn something about session or cookie which allows
HTTP to become stateful.
This document refers to an auth token parameter being passed to the launched activity
https://github.com/RusticiSoftware/launch/blob/master/lms_lrs.md
What is this parameter, and how is it used/passed back to the LRS with statements to authorise them? The API spec only refers to OAuth which uses different parameters, and http basic auth which is username/password.
https://github.com/adlnet/xAPI-Spec/blob/master/xAPI.md#security
The "auth" query string value is intended for HTTP basic auth, it's to be passed after "Basic " in the HTTP Authorization header. That's not clear at all from the document you linked, that is how current adopters have implemented it. Since Basic Auth expects a base64 encoded username/password there, in practice this means the token sent by the LMS has to be a base64 encoded username/password, but the client shouldn't have to inspect it.
Some history: I originally created this document as a proposal for how an LRS could be integrated with an LRS, and expected some rounds of feedback and improvement during the development of the xAPI spec. That hasn't happened, but in the meantime there has been demand for a way to launch xAPI content and this mechanism has been widely adopted. CMI-5 is going to include a launch mechanism, and it's using this mechanism as a starting point: https://github.com/AICC/CMI-5_Spec_Current/blob/master/cmi5_runtime.md#80-content-launch-mechanisms. CMI-5 is still subject to change, so for now folks are sticking with this launch mechanism, but not particularly interested in refining it because of the expectation that it will be replaced.
That said, the omission you brought up is severe and it might be time to add some clarifications based on how the launch mechanism is being used in the wild.
Basic auth token follows standard basic auth formatting of username:password such as:
someusername:somepassword
Then base 64 encoded:
c29tZXVzZXJuYW1lOnNvbWVwYXNzd29yZA==
Prepend the word Basic and a space:
Basic c29tZXVzZXJuYW1lOnNvbWVwYXNzd29yZA==
Finally URL encoded:
auth=Basic%20c29tZXVzZXJuYW1lOnNvbWVwYXNzd29yZA%3D%3D
For example, with a SCORM cloud account you can get these from LRS section under Activity Providers. Where Key==Username and Secret==Password.
I am designing a web api. I need to let the user authenticate themselves. I am a little hesistant to let the user pass in their username/password in cleartext.. something like: api.mysite.com/auth.php?user=x&pass=y
Another option i read about was Base64 encoding the username/password and then sending a HTTP request. So does that mean that on the server side;I would _GET['user'] and _GET['password'] and then somehow decode them?
Is that what twitter does: http://apiwiki.twitter.com/REST+API+Documentation#Authentication ?
Base64 is no protection at all. Use SSL for real security.
As mentioned by truppo, first use SSL.
What many web services do is have an "authenticate" service that returns a token that is then used later, and can be used in plaintext, since it's only valid for a limited amount of time. When it expires, the client simply does another authenticate.
The key benefit of this is that it reduces the number of SSL requests, which lightens the load on the server.
Just this week the IETF published a new draft discussing security properties of the various authentication mechanisms in HTTP. You should find helpful information there.
Personally I'd recommend at least to read about digest authentication and analyze if that's suitable for you.
Using SSL might also be an option. However, it also addresses additional issues at the expense of performance, cachability and others. It keeps the payload data confidential. If this is a requirement, then it's your way to go.
If this is a webservice, you'd better use more secure form of authentication. Look for example, at the LiveJournal protocol: Challenge-Response.
Please do not use regular usename/password authentication for the api. People really shouldn't be forced to put credentials from foreign services in a mashup service.
Please consider using oauth http://oauth.net/ or at least some challenge-response based system, like Eugene suggested.
One easy way would be to let the guest-service generate a token which is connected to his app and a user. If you put in some work you could even make the tokencreation secure to have only allowed foreign services with some private/public-key mechanisms.
The user has to authorize this token in your app before the guest service can use it to get authenticated.
I've found this article eye-opening.
In short: use a pair of API keys per user. One is for client authentication, one for parameters signing.
Disclaimer: I'm new to the REST school of thought, and I'm trying to wrap my mind around it.
So, I'm reading this page, Common REST Mistakes, and I've found I'm completely baffled by the section on sessions being irrelevant. This is what the page says:
There should be no need for a client
to "login" or "start a connection."
HTTP authentication is done
automatically on every message. Client
applications are consumers of
resources, not services. Therefore
there is nothing to log in to! Let's
say that you are booking a flight on a
REST web service. You don't create a
new "session" connection to the
service. Rather you ask the "itinerary
creator object" to create you a new
itinerary. You can start filling in
the blanks but then get some totally
different component elsewhere on the
web to fill in some other blanks.
There is no session so there is no
problem of migrating session state
between clients. There is also no
issue of "session affinity" in the
server (though there are still load
balancing issues to continue).
Okay, I get that HTTP authentication is done automatically on every message - but how? Is the username/password sent with every request? Doesn't that just increase attack surface area? I feel like I'm missing part of the puzzle.
Would it be bad to have a REST service, say, /session, that accepts a GET request, where you'd pass in a username/password as part of the request, and returns a session token if the authentication was successful, that could be then passed along with subsequent requests? Does that make sense from a REST point of view, or is that missing the point?
To be RESTful, each HTTP request should carry enough information by itself for its recipient to process it to be in complete harmony with the stateless nature of HTTP.
Okay, I get that HTTP authentication
is done automatically on every message
- but how?
Yes, the username and password is sent with every request. The common methods to do so are basic access authentication and digest access authentication. And yes, an eavesdropper can capture the user's credentials. One would thus encrypt all data sent and received using Transport Layer Security (TLS).
Would it be bad to have a REST
service, say, /session, that accepts a
GET request, where you'd pass in a
username/password as part of the
request, and returns a session token
if the authentication was successful,
that could be then passed along with
subsequent requests? Does that make
sense from a REST point of view, or is
that missing the point?
This would not be RESTful since it carries state but it is however quite common since it's a convenience for users; a user does not have to login each time.
What you describe in a "session token" is commonly referred to as a login cookie. For instance, if you try to login to your Yahoo! account there's a checkbox that says "keep me logged in for 2 weeks". This is essentially saying (in your words) "keep my session token alive for 2 weeks if I login successfully." Web browsers will send such login cookies (and possibly others) with each HTTP request you ask it to make for you.
It is not uncommon for a REST service to require authentication for every HTTP request. For example, Amazon S3 requires that every request have a signature that is derived from the user credentials, the exact request to perform, and the current time. This signature is easy to calculate on the client side, can be quickly verified by the server, and is of limited use to an attacker who intercepts it (since it is based on the current time).
Many people don't understand REST principales very clearly, using a session token doesn't mean always you're stateful, the reason to send username/password with each request is only for authentication and the same for sending a token (generated by login process) just to decide if the client has permission to request data or not, you only violate REST convetions when you use weither username/password or session tokens to decide what data to show !
instead you have to use them only for athentication (to show data or not to show data)
in your case i say YES this is RESTy, but try avoiding using native php sessions in your REST API and start generating your own hashed tokens that expire in determined periode of time!
No, it doesn't miss the point. Google's ClientLogin works in exactly this way with the notable exception that the client is instructed to go to the "/session" using a HTTP 401 response. But this doesn't create a session, it only creates a way for clients to (temporarily) authenticate themselves without passing the credentials in the clear, and for the server to control the validity of these temporary credentials as it sees fit.
Okay, I get that HTTP authentication
is done automatically on every message
- but how?
"Authorization:" HTTP header send by client. Either basic (plain text) or digest.
Would it be bad to have a REST
service, say, /session, that accepts a
GET request, where you'd pass in a
username/password as part of the
request, and returns a session token
if the authentication was successful,
that could be then passed along with
subsequent requests? Does that make
sense from a REST point of view, or is
that missing the point?
The whole idea of session is to make stateful applications using stateless protocol (HTTP) and dumb client (web browser), by maintaining the state on server's side. One of the REST principles is "Every resource is uniquely addressable using a universal syntax for use in hypermedia links". Session variables are something that cannot be accessed via URI. Truly RESTful application would maintain state on client's side, sending all the necessary variables over by HTTP, preferably in the URI.
Example: search with pagination. You'd have URL in form
http://server/search/urlencoded-search-terms/page_num
It's has a lot in common with bookmarkable URLs
I think your suggestion is OK, if you want to control the client session life time. I think that RESTful architecture encourages you to develop stateless applications. As #2pence wrote "each HTTP request should carry enough information by itself for its recipient to process it to be in complete harmony with the stateless nature of HTTP" .
However, not always that is the case, sometimes the application needs to tell when client logs-in or logs-out and to maintain resources such as locks or licenses based on this information. See my follow up question for an example of such case.