With OAuth implicit flow when we authenticate the SPA gets a redirect which has the access_token and id_token as hash fragment, but this doesn't work with the hash-based routing of admin-on-rest. Is there a way to get the hash fragments other than creating a custom Admin component with Browser router?
You can pass your own instance of history to the admin component (not documented yet: see the code). By default it's the hashHistory. See the history documentation for other options.
You can create a custom menu.
https://marmelab.com/admin-on-rest/Admin.html#menu
You can use the React Router Link element which accepts objects and set hash routes.
<MenuItem key={"cc"} containerElement={<Link to={ linkObj } />} primaryText="All Approved Tales" onTouchTap={onMenuTap} />
I am trying to use the Docusign API for my development.
But here is one issue with the authentication API: it needs a Redirect URL.
Because I need to use this API in the REST API tool and in an AJAX call, it is not possible to provide the Redirect URL.
Can't we call this API without a Redirect URL in AJAX or in a REST API tool?
This is part of the rules of OAuth 2.0.
The redirectUrl is used to actually redirect the user somewhere after they authenticate.
But it is also used to ensure that the clientId (integration key) was used by the right app to go to a valid URL that was registered with them. This is to protect from potential phishing.
So, yes, you need to have one, and you need to ensure it's registered for your integration key.
If your app is a single page application then you should use OAuth Implicit grant.
If your app is a thick client app, then Implicit grant is also used. In this case, it is common to use a private scheme such as larrysApp://app/redirect as the redirect url and register the scheme with the OS so your app will receive the URL.
Also, please be sure to NOT use the authentication category of API methods in the DocuSign eSignature API. They're obsolete. Instead, use OAuth, as documented on the DevCenter.
I'm running through cooking up my own test IdentityServer, but I'm hitting a snag. The ClientUri and RedirectUris must be specified for every browser based client. I know these can be stored in the DB, but is there any way to insert wildcards here?
Each of our customers receives their own subdomain, and I would like to simplify user management by allowing all browsers attempting to access any of our apps at *.ourcompany.com to be treated as the same client in the identity server. Is this possible?
You can implement your own redirect URI validator. But for security reasons, this is not recommended as it expands the attack surface.
Redirect Uri Validator Interface
How to register your custom validator
Discussion about redirect uri
Identity Server4
I think you can add AddCustomAuthorizeRequestValidator in the startup. Still, it is not recommended to modify the redirect URI validation.
Add Custom services
Related Discussion
For IdentityServer4, you can implement your own IRedirectUriValidator and register it using the AddRedirectUriValidator extension method in Startup.cs.
services.AddIdentityServer(options =>
    {
        // ...
    })
    // replaces the default StrictRedirectUriValidator
    .AddRedirectUriValidator<CustomRedirectUriValidator>();
By default, the StrictRedirectUriValidator is registered but can be overridden by calling .AddRedirectUriValidator as shown above.
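As an added example (not code from the answer or from IdentityServer4 itself): a validator implementing IdentityServer4's IRedirectUriValidator that permits the *.ourcompany.com case from the question only for clients that register a wildcard entry such as https://*.ourcompany.com/signin-oidc, where the callback path is a hypothetical value. Everything else must still match the registered list exactly, and the wildcard is constrained to one hostname label on https, the default port and the exact path, so the enlarged attack surface the answer warns about stays as small as possible.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Added example: a client may register "https://*.ourcompany.com/signin-oidc" and any
// single-label subdomain on that exact scheme, port and path is accepted; everything
// else must match the registered list exactly, as the default validator requires.
public class SubdomainRedirectUriValidator : IRedirectUriValidator
{
    public Task<bool> IsRedirectUriValidAsync(string requestedUri, Client client)
        => Task.FromResult(IsAllowed(requestedUri, client.RedirectUris));

    public Task<bool> IsPostLogoutRedirectUriValidAsync(string requestedUri, Client client)
        => Task.FromResult(IsAllowed(requestedUri, client.PostLogoutRedirectUris));

    internal static bool IsAllowed(string requestedUri, IEnumerable<string> registered)
    {
        // Exact match first (what StrictRedirectUriValidator does by default).
        if (registered.Contains(requestedUri, StringComparer.Ordinal)) return true;

        // Hard requirements before any pattern is consulted: https on the default port,
        // no userinfo, no query string and no fragment in the requested callback.
        if (!Uri.TryCreate(requestedUri, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps || !uri.IsDefaultPort) return false;
        if (uri.UserInfo.Length > 0 || uri.Query.Length > 0 || uri.Fragment.Length > 0) return false;

        foreach (var pattern in registered.Where(p => p.StartsWith("https://*.", StringComparison.Ordinal)))
        {
            // "https://*.ourcompany.com/signin-oidc" -> suffix ".ourcompany.com", path "/signin-oidc"
            var rest = pattern.Substring("https://*".Length);
            var slash = rest.IndexOf('/');
            if (slash <= 0) continue;
            var suffix = rest.Substring(0, slash);
            var path = rest.Substring(slash);

            if (!string.Equals(uri.AbsolutePath, path, StringComparison.Ordinal)) continue;
            if (!uri.Host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)) continue;

            // The part before the suffix must be exactly one DNS label: no dots, so
            // "a.b.ourcompany.com" is rejected, and only hostname characters.
            var label = uri.Host.Substring(0, uri.Host.Length - suffix.Length);
            if (label.Length > 0 && label.All(c => char.IsLetterOrDigit(c) || c == '-')) return true;
        }
        return false;
    }
}
```

Register it with .AddRedirectUriValidator<SubdomainRedirectUriValidator>() in Startup.cs, the same call the answer shows for CustomRedirectUriValidator.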
I have an api project written using laravel which uses passport to generate api tokens. These tokens are used to distinguish who is hitting my routes so that the appropriate data is returned. All of this is working currently.
Both the token generation screens and api routes are contained within the same project. So hitting:
example.com
Brings you to the login screen. Once you log in, you generate a token and then use that token in subsequent requests to the api routes. The token is included when making requests for:
example.com/api/route1
example.com/api/route2/id1
Etc.
Toward the end of the project a requirement has come up to increase the security of the login page. I would like to generate a client certificate that I provide to my users that is necessary for accessing the login page.
How would I do this without affecting how I have the api routes setup? In other words, I am looking to have a workflow for users like this:
import certificate into browser
Now that certificate is installed, user can access login page
login, generate token
use token to make programmatic calls to api routes. These calls should not require the landing page certificate.
Is this possible? Or will adding the client certificate for logins affect the api routes as well?
Thanks for any advice.
You could wrap your routes which require a certificate in a middleware. This middleware should check if the certificate is installed and otherwise redirect them to the pages accordingly.
Check out the docs
https://laravel.com/docs/5.4/routing#route-group-middleware
and
https://laravel.com/docs/5.4/middleware#assigning-middleware-to-routes
You can also use gates and policies for certain actions: https://laravel.com/docs/5.4/authorization
Let's say a user can update a post, but can't delete it. Those policies are helpful for that.
We're trying to use the JS widget to enable change password (password's not expired, just changing it).
The REST API requires a stateToken but I can't see any way to create/generate a state token.
We've got the widget working for other scenarios but just not this one.
Are you trying to use the /authn/credentials/change_password endpoint? That one does require a stateToken, but it's only available in the authn flow (when the status is PASSWORD_EXPIRED).
If you're trying to change a password after the user has logged in and you've converted your sessionToken to a session cookie, you can use the /users api:
/users/:id/credentials/change_password
Documentation for that endpoint is here:
http://developer.okta.com/docs/api/resources/users.html#change-password
I want to create a WebAPI service for use in my single page application but I also want it to be available for a mobile application too.
When users are using the SPA they are signed in using forms authentication and have a session cookie, but if they're using the mobile application this won't be the case.
Is it possible to expose the same API controller as 2 different endpoints where one is authenticated using mutual SSL, a token or as a last resort basic auth and the other uses the session cookie?
For example take the following controller:
public class TodoController : ApiController
{
    public IQueryable<TodoModel> GetTodos()
    {
        // ...
    }
}
Can I add multiple routes that map to the same method?
https://myapp.example.org/api/todo
https://myapp.example.org/mutual-auth/api/todo
I want to configure IIS to use mutual SSL for the mutual auth endpoint and use forms authentication for the other endpoint.
Short answer: yes
This is a very broad question, so I won't go into excessive detail about every aspect. I think you should also take a look at BreezeJS because it makes building these applications significantly easier.
DESIGN
Do you want to build in pure HTML and JavaScript or incorporate CSHTML? The decision is yours, but if you want to eventually create native-based applications using something such as PhoneGap Build, you'll want to stick to pure HTML and JavaScript so that you can compile the code later.
Do you want to use another JS library such as BreezeJS to make life a little easier when designing your controllers? Out of the box, your Web API controllers will be prefixed with api/{controller}/{id} in WebApiConfig. You may want to add {action} routing if you don't go with something like BreezeJS so that you can have more flexibility with your controllers.
Lastly, let's talk about the Repository Pattern and Unit of Work Pattern. This is a bit of a hot topic, but I find that usually creating a repository allows you a great deal of flexibility and it's great for dependency injection. Adding an additional repository layer to your controllers allows you to differentiate between different users or means of access such as a SPA or mobile application very easily. You can use the exact same controllers, but simply draw from different repositories.
SECURITY
You'll want to touch up a bit on [Authorize], [ValidateHttpAntiForgeryTokenAttribute], [Roles("")], and several other data annotations for starters. This is a huge topic which has a ton of reading material online -- invest in some research. Your controller can have multiple actions which have varying limitations on them, such as preventing CSRF on the SPA, but be less restricted on Mobile by either utilizing varying actions on the controller or drawing from separate repositories.
Can I add multiple routes that map to the same method?
https://myapp.example.org/api/todo
https://myapp.example.org/mutual-auth/api/todo
Yes, absolutely. You'll just have to do some extra work with your routing configuration files. With BreezeJS, you get access to not only /api/ but /~breeze/ which works very similarly.
You can secure your Web API the way you want. For example, you can provide a custom Message Handler or a custom Authorization Filter to provide external authentication via token.
There's a full session from the ASP.NET Team that covers this, you just need to choose which one you will pick up:
Security issues for Web API.
Assuming you are hosting web API in IIS, if you enable the forms authentication, FormsAuthenticationModule establishes the identity. That is, if you look at HttpContext.Current.User or Thread.CurrentPrincipal after a successful authentication, the object of type IPrincipal will have the identity (which is FormsIdentity) and the IsAuthenticated property will be set to true. You can do the same thing for any other credential using a custom DelegatingHandler. All you need to do is to validate the credential (token, user id and password in basic scheme in HTTP authorization header or whatever) and set the HttpContext.Current.User and Thread.CurrentPrincipal to an object of type GenericPrincipal with GenericIdentity. After this, the same action method of a controller which is decorated with Authorize will work for both types of requests.
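The DelegatingHandler approach described above, as an added example (not code from the answer or from ASP.NET): a Web API 2 message handler that validates a bearer token from the Authorization header and sets the same principal objects FormsAuthenticationModule sets for cookie requests, so one [Authorize]-decorated action serves both the SPA and the mobile app. The token store is a hypothetical in-memory dictionary with constructed sample data.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Added example: register in WebApiConfig.Register with
//   config.MessageHandlers.Add(new TokenAuthenticationHandler());
public class TokenAuthenticationHandler : DelegatingHandler
{
    // Hypothetical token store with constructed sample data; a real app would look tokens
    // up in a database (store a hash of the token, not the token itself) or validate a JWT.
    private static readonly IDictionary<string, string> TokenToUser =
        new Dictionary<string, string> { { "sample-token-for-alice", "alice" } };

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;

        // No bearer credential: leave whatever FormsAuthenticationModule established
        // (or anonymous) in place and let [Authorize] decide.
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            return base.SendAsync(request, cancellationToken);

        string user;
        if (!TokenToUser.TryGetValue(auth.Parameter, out user))
        {
            // A presented but invalid token is rejected outright rather than silently
            // downgraded to an anonymous request.
            var response = request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return Task.FromResult(response);
        }

        // Same shape the answer describes: GenericPrincipal wrapping a GenericIdentity.
        var principal = new GenericPrincipal(new GenericIdentity(user, "Bearer"), new string[0]);
        Thread.CurrentPrincipal = principal;
        if (HttpContext.Current != null) HttpContext.Current.User = principal; // IIS hosting
        request.GetRequestContext().Principal = principal;                     // Web API 2

        return base.SendAsync(request, cancellationToken);
    }
}
```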