Identity server communication with DB - Security concerns - access-token

I need quick help regarding Identity server.
There is a client requirement to not allow any public hosted application to directly talk to the database. In Identity server's case, the Identity server will be hosted publicly for token endpoint, and it queries the database for operational data (went for Db approach with reference tokens because IDsrv will be on NLB). Is there any workaround for this? or is this standard practice?
Thanks

If you don't want IdentityServer to talk directly to the database, you will need to implement & register custom implementations of ICorsPolicyService, IAuthorizationCodeStore, IClientStore, IConsentStore, IRefreshTokenStore, IScopeStore, and ITokenHandleStore, that call off to an external app that can talk to the database.
Normal operating procedure is to have IdentityServer talk directly to the database. I don't see much merit in separating the two.
FYI: You don't need to use reference tokens if you are using load balancing. Check out the deployment docs.
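As an added illustration of the approach the answer above describes (this is example code, not code from the thread or from the IdentityServer project), here is a minimal IClientStore for IdentityServer3 that asks an internal, non-public configuration service for client definitions instead of opening a database connection itself. The IdentityServer3 interfaces and types are real; the internal service, its `clients/{id}` route, the `ClientRecord` shape and the hashed-secret convention are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using Newtonsoft.Json;

// Hypothetical record returned by an internal configuration service. That service
// is the only component holding database credentials; IdentityServer never gets them.
public class ClientRecord
{
    public string ClientId { get; set; }
    public string ClientName { get; set; }
    public bool Enabled { get; set; }
    public List<string> AllowedScopes { get; set; }
    public List<string> RedirectUris { get; set; }
    // Secrets are stored and transported as SHA-256 hashes (Base64); IdentityServer3's
    // hashed-secret validator compares against these, so plaintext never leaves the DB tier.
    public List<string> HashedSecrets { get; set; }
}

// IClientStore implementation that proxies lookups to the internal service over HTTPS.
public class ProxyClientStore : IClientStore
{
    private readonly HttpClient _http;

    // The HttpClient is expected to carry the service-to-service credential
    // (e.g. a client certificate) and a BaseAddress reachable only on the private network.
    public ProxyClientStore(HttpClient http)
    {
        _http = http;
    }

    public async Task<Client> FindClientByIdAsync(string clientId)
    {
        // Escape the id so a caller-supplied client_id cannot alter the request path.
        var response = await _http.GetAsync("clients/" + Uri.EscapeDataString(clientId));
        if (response.StatusCode == HttpStatusCode.NotFound)
        {
            return null; // unknown client: IdentityServer treats null as "not found"
        }
        response.EnsureSuccessStatusCode();

        var body = await response.Content.ReadAsStringAsync();
        var record = JsonConvert.DeserializeObject<ClientRecord>(body);

        return new Client
        {
            ClientId = record.ClientId,
            ClientName = record.ClientName,
            Enabled = record.Enabled,
            Flow = Flows.AuthorizationCode,   // assumed here; read it from the record in practice
            AllowedScopes = record.AllowedScopes,
            RedirectUris = record.RedirectUris,
            ClientSecrets = record.HashedSecrets.ConvertAll(h => new Secret(h))
        };
    }
}

public static class StoreRegistration
{
    // Wire the proxy store into the IdentityServer3 service factory; the other
    // stores named in the answer are registered the same way.
    public static IdentityServerServiceFactory Configure(HttpClient internalHttp)
    {
        var factory = new IdentityServerServiceFactory();
        factory.ClientStore = new Registration<IClientStore>(resolver => new ProxyClientStore(internalHttp));
        return factory;
    }
}
```

The pattern costs one extra network hop per lookup and moves the trust boundary to the internal service, which now has to authenticate IdentityServer and authorise each operation; that is the trade-off the answer alludes to when it says there is little merit in the separation for most deployments.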

Related

How to block Google Firestore access from the Google Firestore api

I am working with Google Firestore in native mode and CRUD'ing data within it using the "cloud.google.com/go/firestore" api in Go. Access to the data is wide open as long as you know the project id and using the Firestore API on a server. I don't want to try the rules until I figure out how to secure the data from server attacks that. Again, all the API requires is the project id to access the data so I need to lock that down firstly before I move any further. Rules are only for mobile/web clients from what I read and Server side clients completely bypass the rules. Please help. I do not want to use the Firebase API because attackers can still use the Firestore api to access the data.
It's unclear from the limited information in your question, but your Firestore database is not open to anyone with the Project ID.
The service is only accessible to anything (human|machine) that has valid credentials. Either humans with e.g. Gmail accounts or Service Account key holders.
In either case, only identities that you've explicitly added to the project will be able to access its resources and then only those with the appropriate IAM roles|permissions.
Google provides an elegant facility called Application Default Credentials (ADCs) that simplifies authenticating clients.
I suspect that your code is using ADCs to authenticate you to the project|service.
Access to the data is wide open as long as you know the project id and using the Firestore API on a server.
If that is a concern, consider disallowing all access in the Firebase security rules for your Firestore database.
Also have a look at my answer here to understand why sharing your project ID is not a security concern, and in fact is necessary if you want to allow direct access from client-side devices: Is it safe to expose Firebase apiKey to the public?. If you don't want to allow direct client-side access, closing down the security rules (as they are by default, unless you choose test mode when creating the database) is the way to go.

One database per API or shared database for multiple APIs in Microservice

I started reading microservices architecture and got confused with one below point.
Each service should have a separate database.
Does each service mean a single web(rest) api having its own database?
For example if I take motor insurance claim operation as a business scenario where I modelled business domain services in 3 part Insurance claim services , partner (automobile service providers) services and customer services.
Insurance claim settlement operation in claim api will require other information like incident , survey done by an inspector, policy detail , documents etc.
Now I can create 5 web(rest) api in Insurance claim services and will store its data in common db and other services like partner and customer service will have their own web apis and db
What is correct ?
All web api (claimAPI, PolicyAPI, IncidentAPI, SurveyAPI and DocumentAPI) in claim insurance services should have their own db or they can keep data in single data base ?
Thanks.
To follow microservice best practice, it is correct that they should each have their own database and be exposed solely by APIs. This is because every service in your architecture should be independent and de-coupled from other services. If 2+ services share a database, then there may arise problems in operation or upgrade.
One big issue with a shared database is each service would need to trust that another service doesn't modify its information. But since they all have access to the same database, one of the others could in fact modify the underlying data and make things unstable or insecure.
Further, with 2+ services relying on a shared database, then you're forced to use the exact same database/version with all. You lose the freedom to independently use MySQL for one and MongoDB for another. Even if the same tool is used for all, when you do maintenance or migration on one you're forced to do it for the rest. All this adds up to some coupled services that make them harder to maintain and scale.
You can have a common database for all microservices; it is one of the microservices patterns:
https://microservices.io/patterns/data/shared-database.html
https://docs.aws.amazon.com/prescriptive-guidance/latest/modernization-data-persistence/shared-database.html
Check those links to see the advantages and disadvantages of this approach.

How to Send a Rest API to Autonomous Database of Oracle?

I'm struggling to send a Rest API request to Oracle Database (using Postman).
First issue: there are three types of Autonomous Databases (ATP, ADW, AJS) that will help me. I already created all 3 types in my oracle cloud server.
What type of authentication do I need to use? It seems "Basic Auth" with user: ADMIN and password that I defined?
What API endpoints are available to use? It is a bit confusing; in the attached screenshot I reach different articles that I'm not sure which one to use!
ORDS and SODA for REST (3) support many different authentication mechanisms. JSON document store REST services (you choose ADJ) are intended to be used in server-to-server interactions. Therefore, two-legged OAuth (the client-credentials flow) is the recommended authentication mechanism to use with the JSON document store REST services. However, other mechanisms such as HTTP basic authentication are also supported.
The default when installing on Autonomous is HTTP basic authentication. Most of the examples use the database schema ADMIN, which is REST-enabled by default.
A good first starting point is:
If you are working with ADJ, https://docs.oracle.com/en/cloud/paas/autonomous-json-database/ajdug/create-applications-ords-autonomous-database.html
If you are working with other ADB flavors : https://docs.oracle.com/en/cloud/paas/autonomous-database/adbsa/ords-autonomous-database.html#GUID-E2E921FF-2D80-4E32-9660-28506D10BADB
Those documentations provide links to the documentation referred in your image.
e.g. to see the SODA collections available, the endpoint is https://your-ords-uri/ords/admin/soda/latest/.
To find the URI (Service Console / Development / RESTful Services and SODA) :
As I said, the default is basic Auth. You can also disable security and allow anonymous access for Development and Testing.
For relational tables, there are additional privileges to be managed using the ORDS PL/SQL package before using Postman. Follow the documentation.
Hope that this can help
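The answer above recommends the client-credentials (two-legged OAuth) flow over ADMIN's basic-auth password for server-to-server use. As an added example that is not part of the thread or of Oracle's documentation, the exchange looks like this from a C# client: a POST to the ORDS token endpoint under the REST-enabled schema, then the SODA call with the bearer token. The base URI, the environment-variable names and the existence of an OAuth client registered through the ORDS OAUTH PL/SQL package are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class OrdsSodaClient
{
    // Replace with your instance's URI (Service Console / Development / RESTful Services and SODA).
    // ADMIN is used because that schema is REST-enabled by default on Autonomous Database.
    private const string OrdsBase = "https://your-ords-uri/ords/admin/";

    // Step 1: client-credentials grant. The client id/secret belong to an OAuth client
    // registered in the schema with the OAUTH PL/SQL package (assumed to exist already).
    public static async Task<string> GetAccessTokenAsync(HttpClient http, string clientId, string clientSecret)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, OrdsBase + "oauth/token");
        var basic = Convert.ToBase64String(Encoding.ASCII.GetBytes(clientId + ":" + clientSecret));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        request.Content = new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("grant_type", "client_credentials")
        });

        var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        return (string)json["access_token"]; // short-lived; "expires_in" in the same body says when to renew
    }

    // Step 2: call the SODA endpoint with the bearer token instead of the ADMIN password.
    public static async Task<string> ListCollectionsAsync(HttpClient http, string accessToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, OrdsBase + "soda/latest/");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(); // JSON listing of the schema's collections
    }

    public static async Task Main()
    {
        using (var http = new HttpClient())
        {
            // Load the secret from configuration or a vault, never from source control.
            var token = await GetAccessTokenAsync(
                http,
                Environment.GetEnvironmentVariable("ORDS_CLIENT_ID"),
                Environment.GetEnvironmentVariable("ORDS_CLIENT_SECRET"));
            Console.WriteLine(await ListCollectionsAsync(http, token));
        }
    }
}
```

The practical difference from basic auth is that the credential sent on every data request is a short-lived token scoped to the privileges granted to that OAuth client, rather than the password of the schema owner; revoking the client does not require rotating ADMIN's password.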

Authentication and authorization with the separate database multi-tenant approach

Starting a proof of concept for this model, it appears not to be possible to configure the membership provider per request to the respective client's database. It appears that the web application instantiates the membership providers on application start and doesn't allow modification to this during subsequent requests.
I have tried using reflection and modifying the connection string in the Application_BeginRequest (in the global.aspx) but it appears that the membership provider is designed and implemented to only initialise once per application rather than per request.
This implies that for the separate database approach, the default asp.net membership provider won't work with the single application/multiple database (multitenant separate database) model.
What authentication/authorization model do people use in this architecture? Do they use a custom implementation of the Microsoft membership providers or do they use a different package or library?
Cheers
Tim
In the case of a multi-tenant application development scenario, the best preferred is an SSO or to go with a custom profile management system.
In order for you to enable tenant based authentication using the databases, you can have a connection string manager that identifies your tenant based on some of the criteria like the company code or the URL and then use the user login data from that database for that tenant's users.
The usage will be like you identify / infer the tenant code from the login credentials and then choose the database that is available for that tenant and then authenticate the user against this database. Hence the tenants can have their own databases for their user's authentication.
This is feasible and can also comply with the regulatory requirements that may be for different tenants based on their geography.
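To make the "connection string manager" idea in the answer above concrete, here is an added example (not code from the thread or from any Microsoft package) that resolves the tenant per request and authenticates the user against that tenant's own database, without relying on the once-per-application membership provider initialisation the question ran into. The host-label-to-tenant rule, the web.config connection string names and the `Users(UserName, PasswordHash, PasswordSalt)` table are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Resolves the calling tenant and hands out that tenant's connection string.
// Assumption: the first host label is the tenant code ("acme.example.com" -> "acme").
public class TenantConnectionManager
{
    private readonly IDictionary<string, string> _connectionNameByTenant;

    public TenantConnectionManager(IDictionary<string, string> connectionNameByTenant)
    {
        _connectionNameByTenant = connectionNameByTenant;
    }

    public string ResolveTenantCode(string host)
    {
        return host.Split('.')[0].ToLowerInvariant();
    }

    public string GetConnectionString(string tenantCode)
    {
        string name;
        if (!_connectionNameByTenant.TryGetValue(tenantCode, out name))
        {
            // Unknown tenant: fail closed rather than falling back to a default database.
            throw new InvalidOperationException("Unknown tenant: " + tenantCode);
        }
        return ConfigurationManager.ConnectionStrings[name].ConnectionString;
    }
}

// Authenticates a user against the tenant's own database. Assumed schema:
// Users(UserName NVARCHAR, PasswordHash VARBINARY, PasswordSalt VARBINARY), PBKDF2 hashes.
public class TenantUserAuthenticator
{
    private const int Pbkdf2Iterations = 100000;
    private readonly TenantConnectionManager _tenants;

    public TenantUserAuthenticator(TenantConnectionManager tenants)
    {
        _tenants = tenants;
    }

    public bool ValidateUser(string tenantCode, string userName, string password)
    {
        // The connection is chosen per call, so one authenticator serves every tenant.
        using (var conn = new SqlConnection(_tenants.GetConnectionString(tenantCode)))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt FROM Users WHERE UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@user", userName); // parameterised, no string concatenation
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    return false;
                }
                var storedHash = (byte[])reader["PasswordHash"];
                var salt = (byte[])reader["PasswordSalt"];
                using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
                {
                    var computed = kdf.GetBytes(storedHash.Length);
                    return FixedTimeEquals(computed, storedHash);
                }
            }
        }
    }

    // Constant-time comparison so response timing does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In an ASP.NET application the tenant code would be resolved in Application_BeginRequest from Request.Url.Host and stored in HttpContext.Items, and the login action would call ValidateUser with it before issuing the forms-authentication ticket; the tenant code should also be embedded in that ticket so later requests cannot be replayed against another tenant's database.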

Connecting to SQL Azure from WP7

I'm currently developing a WP7 app, and I'd like it to talk with my SQL Azure database. I know there are currently two ways of doing it:
Talk to a WCF Service hosted on my web server.
Use oData to communicate with my database.
I don't know what's the pros and cons between the both of them, but I know that using the first method involves two remote calls: one: to the web server, and two: from the web server to SQL Azure. Would using oData allow me to directly communicate with my SQL Azure database? Does SQL Azure provide a REST interface for my WP7 client to work with?
If you use the WCF service approach and host the service on your web server (i.e. not in an Azure Web Role) then yes there will be two higher latency hops across the network. However the WCF service does have the benefit of allowing you to provide your own security approach for your mobile clients. I suspect that this app will be used by more than just a couple of people? If you take the approach of talking directly to the SQL Azure oData endpoint then you will really struggle with Authentication and Authorization. It's not really designed for supporting your scenario.
The other thing to note with the SQL Azure oData endpoint is that it never left SQL Azure Labs; i.e. it was never actually shipped as part of the product and the Labs implementation is end of lifed and grandfathered to existing users only.
I know that doesn't really answer your question; the short answer is that there is no RESTful endpoint that you can access to talk directly to SQL Azure. The long answer is that even when there was one you probably didn't want to use it.
Without knowing more about your app it's a little hard to give guidance as to exactly what you should be doing. If you can provide a bit more detail I can provide some advice as to which Azure data storage technology would be best suited.