I have 2 scenarios where I want to implement the token based authentication:
I want to implement token based authentication when a user logs in. i.e.. based on username and password , user should get a token and that token should be used with every request.
I have a separate independent module which has ID and secret Key. It has to communicate with server in specific interval. I want to implement token based authentication for this module also.
In both the cases token should have these properties:
It should be in payload.
It should have a timeout period
When token expires server should provide a new token,if the session is not expired else it should logout.
Is OAuth 2.0 right choice? If any other approach is better, Please tell me.
What should I do to solve this problem?
Which is the best place to put token in request -Payload or header? and Why?
OAuth 2.0 is a good choice for the requirements you mentioned: timeout period and refresh-ability.
Stormpath has an excellent OAuth2.0 implementation that gives you what you are looking for out of the box.
Stormpath has both remote and local OAuth2 Implementations and both are freely available. For the remote case you can rely on our backend using any REST client (http://docs.stormpath.com/guides/token-management/) and any of our SDKs. For the local case you can use our Servlet plugin to run a Web-app with out of the box OAuth2 support. Using the docs link above, you can find documentation for these resources.
Using the Stormpath Spring Boot integration, for instance, you could do something like this:
http -v --form POST http://localhost:8080/oauth/token \
> 'Origin:http://localhost:8080' \
> grant_type=password username=micah+demo.jsmith#stormpath.com password=<actual password>
(This example uses httpie to interact with a locally running Spring Boot instance). The line I've bolded above conforms to the OAuth2.0 spec for authenticating with usernames and passwords. What you get back is a response like:
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 325
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Aug 2015 16:02:08 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: account=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4; Expires=Wed, 05-Aug-2015 16:02:08 GMT; Path=/; HttpOnly
{
"access_token": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4",
"expires_in": 259200,
"token_type": "Bearer"
}
This provides a bearer token that can be used on subsequent requests as well as an expiration. Plus, it has the advantage of being a JWT - JSON Web Token. The JWT is cryptographically signed to ensure that it hasn't been tampered with and it can be decoded to provide additional meta-information to your client, including user information, access controls and expiration.
You could do something very similar using the grant_type=authorization_code for interacting using an id and secret, such as for the independent module you mentioned.
This article goes into more detail on token authentication with Java.
Full disclosure: I am a Stormpath employee and I wrote the article referenced above.
Related
I am working on an Elixir Phoenix web project where I want to interact with Google's Indexing API.
Google uses OAuth2 to authenticate api requests and actually has a decent documentation on this.
But it only explains the process using one of the supported libraries in Python, Java, PHP or JS.
I would like to make the HTTP requests by myself to retrieve that access token. But the request format (including headers or parameters) is nowhere documented and I cannot even figure out from the libraries' source code.
I have tried requesting https://accounts.google.com/o/oauth2/token (also other eligible URLs) in Postman with the "OAuth 2.0" request type.
But it was all just guessing and trying. All the research did not help.
There are useful instructions including HTTP/Rest examples at Using OAuth 2.0 for Web Server Applications. Each step has the individual parameters fully documented. Here are some useful excerpts.
Send user to Google's OAuth 2.0 server. Example URL:
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly&
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http%3A%2F%2Foauth2.example.com%2Fcallback&
response_type=code&
client_id=client_id
Retreive authorization code (your domain). Example:
https://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
Request access token. Example:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=your_client_id&
client_secret=your_client_secret&
redirect_uri=https://oauth2.example.com/code&
grant_type=authorization_code
Use API. Example:
GET /drive/v2/files HTTP/1.1
Authorization: Bearer <access_token>
Host: www.googleapis.com/
So I am trying out Spring Security using OAuth2 in Spring Boot 2.
I based this site as my reference:
https://dzone.com/articles/secure-spring-rest-with-spring-security-and-oauth2
Once the Authorization server has been set up, tokens can be obtained from it using http://localhost:8080/oauth/token endpoint by passing a POST request.
What makes me squeamish is that the POST request must have my username and password as plain text
POST /oauth/token HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="grant_type"
password
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="username"
admin
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="password"
password
------WebKitFormBoundary7MA4YWxkTrZu0gW--
Isn't this a very big security threat?
Wont every router along the way from the client to server be able to see the content of the POST body?
Now to solve this suppose I use a client side symmetric encryption algorithm in javascript to encrypt the password. Since all clients will get the same encryption algorithm, the routers along the way can symmetrically decode my password. Which is not good enough.
If I had to pass the credentails as plain text, then what is the use of Spring Security?
Am I doing anything wrong here? There is no way big corporations use this.
Is there any additional facility in Spring Security that allows us to prevent this situation?
You have to use HTTPS (TLS), see The OAuth 2.0 Authorization Framework
Token Endpoint
[...]
Since requests to the token endpoint result in the transmission of
clear-text credentials (in the HTTP request and response), the
authorization server MUST require the use of TLS as described in
Section 1.6 when sending requests to the token endpoint.
If your authorization server implementation allows unsecured communication, it is not compliant to OAuth2 spec.
I am implementing a login process using Spring Security + Spring session to build login functionality for a REST like backend service that needs to create/mantain a session.
I am not sure if I am approaching the solution the right way since I am using a custom endpoint to create the session manually. Maybe the session creation needs to be done in the Authorization method itself? Or maybe there is a way to have spring create the session after some request validations in the backend? I am using a custom filter and provider for this.
Also with my current configuration, I am having an issue since the backend API is creating a new session with every request, even when it should return 401.
The requirements of this solution is as follows:
The clients will login to a third party authentication/authorization provider. Once validated, the provider will issue an access token.
The API must validate the client's access token with the third party provider. Once validated, the API must create a session and return a new token (or sessionID) to the clients.
Future calls to the API should include the token (or sessionID) in the header/cookie so the API gets the session of the client.
The big question here is: Is there a common approach to follow for using token based authentication linked to a user session? If so, what if I need to do custom validations before having spring session create the session, and also add custom attributes to this session?
My code is located here: https://github.com/munilvc/api-session/tree/master/src/main/java/com/munilvc/poc/security
For instance, some sample executions:
1) Execute custom login:
$ curl -X POST http://localhost:8080/app-api/login/createsession -v
> POST /app-api/login/createsession HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 200
< x-auth-token: 15a06ce8-5b34-401a-a05f-a0d933926245
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Tue, 29 Aug 2017 01:28:24 GMT
<
171{"username":"username1"}
2) Call another endpoint with provided x-auth-token:
NOTE the x-auth-token is refreshed in the response. (means a new session is created - This is what we want to avoid, this also happens when response is 401)
$ curl -X GET http://localhost:8080/app-api/accounts/2 -H "x-auth-token:15a06ce8-5b34-401a-a05f-a0d933926245" -v
> GET /app-api/accounts/2 HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.49.1
> Accept: */*
> x-auth-token:15a06ce8-5b34-401a-a05f-a0d933926245
>
< HTTP/1.1 200
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< x-auth-token: 42a5db80-e5e1-4127-bd85-e468af4a8fb2
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Tue, 29 Aug 2017 01:29:08 GMT
<
870{"id":3,"name":"Account 3"}
PS: I am not sure if I am allowed to provide a link to the code in stack overflow. If not, I can paste the code here as well.
Thank you very much!
Based on your requirements, OpenID Connect can be used to authenticate the end-user and authorize a client which will then receive an AccessToken. Then the AccessToken may be used to call the back-end API's (Resource Servers).
Take a look at this sample/guide on how to setup login within Spring Security 5 against an external OAuth 2.0 or OpenID Connect provider. This will meet your requirement for logging into the application using an external provider and creating a secure session within Spring Security.
Now that you are logged in to the application and the client has an AccessToken, the client can use that AccessToken in the request (Authorization Header) to call the back-end API's (Resource Servers). The Resource Server should be setup to validate the incoming AccessToken. Take a look at this sample (master and jwt-support branches) on how to configure a Resource Server.
I would strongly recommend becoming more familiar with OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0.
Good luck!
We're writing Windows app and we also have backend server. And we want to implement Google Login. So the Windows app asks the user, it receives the JWT token and passes it to our server. I the token, there are 2 keys: aud and azp. On our other platoforms (iOS, Android), the azp is the OAuth Client ID of the application from Google Cloud Console and aud is OAuth Client ID for our server. But on Windows, they are both same. On other platform, this is handled by libraries provided by Google, but on Windows, we're using low-level HTTP. But we can't find a way to specify the aud. How can we do it?
EDIT: I found out about audience:server:client_id:... in scope, but it doesn't work for me either. It gives me Error: invalid_scope.
This is the request (using HTTPie):
http -v https://accounts.google.com/o/oauth2/auth client_id==windows-ios-app-client_id.apps.googleusercontent.com redirect_uri==my.bundle.id: response_type==code 'scope==audience:server:client_id:server-client-id.apps.googleusercontent.com'
GET /o/oauth2/auth?client_id=windows-ios-app-client_id.apps.googleusercontent.com&redirect_uri=my.bundle.id%3A&response_type=code&scope=audience%3Aserver%3Aclient_id%3Aserver-client-id.apps.googleusercontent.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: accounts.google.com
User-Agent: HTTPie/0.9.2
I think we should provide this scope while you request for token. This is probably automatically done if we use Google/Sign-In library, provided that we set the server client id.
[GIDSignIn sharedInstance].serverClientID = #"YOUR_SERVER_CLIENT_ID_HERE"
By the way, If any am looking for a way to implement the same using AppAuth. I did not find any solution yet.
Send the web client id as a parameter audience=WEB_CLIENT_ID when requesting token endpoint.
I have an ASP.NET Web API 2 which is using OAuth 2.0 for authorization. And let's imagine I have a simple Web API method, like:
GET: http://host/api/profiles/user123 (requires OAuth 2.0 token)
So, with Postman, it is easy to test this Web API. I get an OAuth token for user123 from the Web API OAuthAuthorization method and then I use that token in the header of the HTTP request:
GET /api/profiles/user123 HTTP/1.1
Host: {host}
Authorization: Bearer {Token}
Content-Type: application/json
Cache-Control: no-cache
However, if I save my test and run it later (either by Postman itself or by Newman), the token will be expired at that time and it won't work.
How can I make Newman to get a new token automatically for user123 and use it in the HTTP request?
Note: I know how to use Postman's Authentication helpers to ask for a new token. But this scenario doesn't fit the test-automation. In test-automation, I want to remove any human interaction.
It's simple, get your access token at run time and save it into environment variable. Then use it in your next Get request.
In Get Token request, do this in Tests sections:
var body = JSON.parse(responseBody);
pm.environment.set('AccessToken', body.access_token);
In your main Get request, you can use the environment variable in Authorization header:
Authorization: Bearer {{AccessToken}}
Hope this helps.