I'm working on Hyper Ledger Composer and integrating the REST API in a nodejs web app "using js client side to call the API "
and I'm wondering how can I keep some interface private and prevent from show and post to it .
Should I simply call the api server side before or is there an elegant way ?
To protect access to the REST APIS, you can implement an authentication strategy - see here https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html and https://hyperledger.github.io/composer/integrating/enabling-multiuser.html (the latter requires that authentication is enabled).
A tutorial on using one such strategy - eg using Google OAUTH2 as an auth provider - is shown here -> https://hyperledger.github.io/composer/next/tutorials/google_oauth2_rest
There is another way to develop your own rest api using NodeJs sdk.
You can connect to the network using Cards and perform any action using BusinessNetworkConnection class and factory object.
Read [https://hyperledger.github.io/composer/v0.16/applications/node][1]
Related
I have a single ASP.NET MVC app - website and API controllers. I'd like to use Azure API Management to manage these APIs but retain the same URL so that it is seamless for our consumers. We have a custom domain setup on the app service for this web app that is currently used to serve up both the site and APIs(e.g. Website: xyz.com, APIs: xyz.com/api1, xyz.com/api2, etc.). Also we use AAD for auth. and have the redirect URI setup to the custom domain(xyz.com). Everything works great at present.
The issue arises after we configure API Management to expose our APIs and potentially use it as a passthrough. In order to ensure that the URLs remain the same after API Management is introduced we set the custom domain to be on the API Management instance itself and removed it from the app. service. This is how our current setup looks -->
User hits xyz.com and the request proceeds as follows -> Traffic Manager -> APIM(xyz.com) -> App Service(xxx.azurewebsites.net)
After that last point above, AAD auth. should kick in and once it has the access token after successful auth. it should redirect the user and the page should load. But it doesn't. Instead we get a blank page and if we refresh it, then and only then does it proceed to auth. and load the page.
We have tried setting our redirect URI to both the custom domain(xyz.com) as well as the base app service name that Azure generated(xxx.azurewebsites.net).
Directly hitting the API urls specifically(e.g. xyz.com/api1) works fine. It goes through APIM and responds as expected. The only problem is that the website doesn't load as outlined above.
The moment we take APIM out of the equation, and set the custom domain back on the app service again, everything works as expected.
I'm trying to figure out if we've misconfigured our assets for this scenario somehow or if APIM doesn't support pass through for the website in this manner. Any thoughts/suggestions here would be much appreciated!
Wow, that was a lot of text.
Ok, let's see:
Visitors -> Traffic manager -> APIM -> backend (your website) - ok got it.
this is like a common way of using APIM, and it should work. However, maybe your policies are not set up correctly?
Have you built your product/API/Operations? Do you see requests coming from APIM hitting your site? What responses are you getting?
Now, of course, you will need to define and set up APIM (products, APIs, and every operation) to pass it throw to your backend. This means if you (as a visitor) need to list all products, you would need to go through the APIM operation (sed GetProducts ). Your request will be passed through the Inbound policy(adjust and build the request if needed), pass it to the backend( to your website with custom APIs), and the response will be sent back from the backend back to the visitor.
Now to this: to protect your Web API Backend in APIM, you could use OAuth 2.0 authorization with Azure AD:
big picture overview:
Register an application (for your backend) in Azure AD to represent the API
Register another Application (the client) in Azure AD to represent a client app that will call your API
And I guess this is the one for you grant permissions to allow the client app to call the backend app
And, of course, add the validate-jwt policy to validate the OAuth token for every incoming request
Read om on this here https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
I'm trying to figure out which is the ouath2 scenario of my application and how to call Graph APIs in the behalf of a user with SSO.
My app is composed like this:
angular js (anonimous) -> .NET REST Web APIs (Kerberos)
so I have an anonimous client that calls Web APIs using Kerberos as authentication,
and what I need to do is to call Azure to get a oauth2 token from inside those Web APIs.
the idea is to use the context given by Kerberos to impersonate the user and use the
var auth = app.AcquireTokenByIntegratedWindowsAuth(scopes).ExecuteAsync()
method of the MSAL Library.
Is this the correct approach? Or should I change the flow?
I was also reading that AcquireTokenByIntegratedWindowsAuth would deadlock if not called in the UI Thread, being this a simple Web API project, could this happens in anyway?
I was able to access the API by generating API key and using a Google web client. Now, I like to access the API using a simple HTTP client like curl without using any client libraries supplied by Google, I know this should be theoretically possible since those libraries have to use HTTP at their core. Has anyone done it? if so can someone point me in the right direction?
This is possible! Some applications use their own backend services to make calls on Google API (without Client Lib then).
You need to get some things, like on client calls -> clientID, authorization etc...
Get more informations about CURL on Google here : https://developers.google.com/gdata/articles/using_cURL
Concerning the OAuth 2.0 with a backend service : https://developers.google.com/api-client-library/php/auth/web-app
OAuth2 or Single Sign On will allow you to access to Calendar.
I have a asp.net web api, that's been consumed by a ionic app.
This web api have some routes that need authorization and others that not.
is there anyway to configure the web api just to be consumed by the ionic app?
Any help would be appreciated.
Thanks
This spreads in a wide scope. However irrespective of the back end API (Asp.net), you are asking how to authenticate an ionic app with back end API.
Basically u have main 3 options
1 - Using an existing Authentication implementation like OAuth2
basically you have to implement an Oauth2 server from your back end and have an ionic client to communicate with it
You will find some server libraries for .net in the OAuth2 web site
For client , you can use ng-cordova-oauth
2 - Let the Authentication handled by a 3rd party provider like (google)
What you can basically do it, let user to login through Ex: there google account,
send the api token to your back end api (in the first request)
Let the back end api validate the key with same provider
3 - Roll out your own authentication service
DONT :),
Try to implement a simple authentication service. But not the best way to go
HTH
I have a Webapp that consists of a REST API, and then another app that represents a frontend of this API. Both of this apps are developed using Spring.
Currently my REST api is not secured and data can be accessed directly by calling the REST endpoint without additional security info.
My frontend does have a login form (I'm using Spring Security for that), but does not have access to a database (the only access is through the REST endpoint). So the login process is done through an extension of the AuthenticationProvider that calls the REST api with the user and password and then responds with the authentication result. No authentication/authorization is kept on the REST side since to my knowledge this protocol should be stateless.
The problem is I need to incorporate ACL into my app, so that a user can only see those resources he's authorized to see (i.e. those he created). But given that my authentication process takes place on the frontend layer (which is where I keep a session attribute with the user info), I have two main problems:
How can I secure my REST channel?
How can I know which user is making the request on every communication, without explicitly passing the userdetails in each API request? is this even possible?
Doing it stateless and making two separate web application usually is overkill.
What I usually end up doing is.
Make my RestAPI stateful, because usually scaling is not an issue and simple form authentication will suffice.
Combine a Rest API/HTML Client in one Webapplication. If you want to keep it modular, you could create a Rest API module and integrate it as a JAR file in the lib folder of your web app.
Here is also some thread which goes through different alternatives for a rest API.
How to do authentication with a REST API right? (Browser + Native clients)