Authenticate REST API generated by Hyperledger Composer using passport-jwt - hyperledger-composer

I want to authenticate my rest end points generated by composer rest server using passport-jwt. I have user database in mysql. Now, I want to allow access to only those users who are already registered. How can I achieve this?

Edited answer: There is a tutorial done by someone in the Composer community -> https://www.codementor.io/gangachris125/passport-jwt-authentication-for-hyperledger-composer-rest-server-jqfgkoljn . Also see this comment on retrieving the access_token cookie https://github.com/hyperledger/composer/issues/2038#issuecomment-400696304 . Finally, for an example of an app using the passport-jwt strategy - see resources https://medium.com/front-end-hacking/learn-using-jwt-with-passport-authentication-9761539c4314 and Composer info in comments shown https://github.com/hyperledger/composer/issues/2038 on JWT specifically. You use that JWT token to authenticate against the REST server and receive the accessToken cookie for all future REST server requests.

Related

Where to place credentials(User Name and Password) in Angular8 code securely to access secured SpringBoot Rest API

We developed a web application that uses Angular8 for the front-end and SpringBoot for Service APIs. We secured the SpringBoot application with Basic Authentication. So that when we need to call the API from front-end angular code we need to send the user name and password with the API headers.
So we are keeping the username and password in the environment.js file in the Angular project. Those credentials are exposed in the client-side code that loads into the browser.
So can anyone please help with where to place these credentials in Angular code?
Storing credentials in code is not recommended
To answer your question, you can store it in localStorage, sessionStorage or you can use HttpInterceptor, in which you can automatically add headers to every request. For more information, read Authentication using the HttpClient and HttpInterceptors
Recommend using a token-based authenticator - users will provide their credentials and get a unique and time-limited access token. You can manage token creation, checking validity, expiration.

Laravel API Based Validation / Auth

I am currently using a API to validate Login Credentials.
I have gotten to the point where I am sending username/password correctly.
This API will return a boolean, depending on whether those credentials are correct.
Along with the entire user's information, including their address etc.
How can I correctly store this into Laravel Auth, so I can use Auth::user etc in blade?
I do NOT have Database access, only API access to validate user login details.
I cannot create a local - Laravel database, as this application has to be completely API based.
I am using Guzzle to query the API.
You should try using JWT for authentication, implementing your own API Authentication can cause some security issues if not done right.
Also JWT for Laravel already has support for Laravel's Authentication system

Plugging in basic authentication instead of OAuth in Passport in composer-rest-server?

Is it possible to plug in basic authentication with Passport that involves username and password [would secure using HTTPS later] rather than using OAUTH in Composer-Rest-Server?
Do I need to add a middleware between composer-rest-server and the client that stores usernames and passwords and then routes to appropriate URIs on Composer-Rest-Server or is it just possible using Composer-Rest-Server?
Thanks
Composer REST server supports strategies per http://www.passportjs.org/packages/
Someone has provided an answer here that may help you with a sample COMPOSER_PROVIDERS for passport-local -> How to use passport-local to authenticate in composer rest server
On the Composer docs site, there are only examples of using two strategies presently: Github (OAUTH2) and Google OAUTH2.

Laravel API Auth with Passport and React

I have a Laravel 5.5 Application that's using the session based auth out of the box. On some of these pages I have react components that need to get/post data from/to an API.
What is the best practice for handling this? Do I simply hide the API endpoints behind the auth? This would work but should I be using Laravel Passport for this instead?
I've had a play with Passport and it seems that this would work but I don't need users to be able to create clients and grant 3rd party applications permission etc. There is just the first party react app consuming the data from inside the laravel application (view).
From my initial experimenting with it, it seems I'd need to have the login call made first to receive an access token to then make further calls. As the user will already be authenticated in the session is there an easier way?
I'm not sure if Passport is intended to be used for this purpose or not. I'd rather take the time to get it right now as I'd like to get the foundations right now if the app scales.
You can proxy authentication with Passport. Using the password grant type users would still log in with their username/password, then behind the scenes make an internal request to Passport to obtain an access token.
Restrict what routes are available when registering in a service provider by passing in:
    use Laravel\Passport\Passport;

    // Inside the service provider's boot() method: register only the
    // token-issuing routes, not the client/scope management routes.
    Passport::routes(function ($router) {
        $router->forAccessTokens();
        $router->forTransientTokens();
    });
That limits access to personal tokens and refresh tokens only. A client will be created when you run php artisan passport:install.
Set up a middleware to merge the password grant client id and secret in with the request, then make a call to the authorization endpoint. Then it's just a matter of returning the encrypted token and observing the Authorization header for requests to your API.

How is the access token used in the Composer Rest Server

What is the intended purpose of the Loopback Access Token on the Fabric Composer REST server Explorer? Can this be used to identify the participant invoking a transaction and if so, how?
The LoopBack access token field has been removed from the Composer REST server as a result of recent restyling work, but the access token is still important.
You can enable REST API authentication for the Composer REST server by following this documentation:
https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html
When you configure the Composer REST server this way, each authenticated user gets their own private wallet on the Composer REST server to store Blockchain identities (enrolment certificates). The Composer REST server uses a Blockchain identity from the authenticated user's private wallet to submit all REST API calls to the Blockchain.
This means that we can use the authenticated user's Blockchain identity to identify the participant, and correctly apply ACL rules.
When you authenticate to the Composer REST server, LoopBack generates an access token that you can use to interact with the REST API from any HTTP client without having to login again. This is useful as it is difficult to automate the OAuth web browser flow from within a computer program.
We do not show the access token on the Composer REST server UI, but you can access it by looking at the cookies that get stored in your web browser after authenticating to the Composer REST server. You can then use this from your HTTP client by appending the query string parameter access_token=ACCESS_TOKEN to the URL, or by sending it in the HTTP header access_token: ACCESS_TOKEN.
We need more documentation on this though!