I am building a mobile app in which the users need to be authenticated via TrueVault which is a HIPAA compliant data store. TrueVault offers a REST API and generate an access token post basic authentication. They have endpoints to check token validity etc too.
We need to do 2 things:
1) Authenticate all users via TrueVault and store the auto generated TrueVault id in Parse to facilitate data mapping.
2) Setup an interceptor in Parse which verifies the access token with TrueVault before serving any protected resource.
What would be the simplest and most efficient way to implement the above? I have gone through the tutorial to add Third Party oAuth to the mobile apps, but TrueVault does not have oAuth in place yet and thus needs authorization requests via Basic Auth only. Also, would we need Cloud Code for the above or Custom Web Hooks?
Thanks
Sameer
i would suggest you to use retrofit, Gson(or jackson) and rxjava(rxAndroid) in order to handle all api calls, i made a quick overview to the api documentation and this libraries should work for this problem.
links:
https://github.com/square/retrofit
https://code.google.com/p/google-gson/
https://github.com/ReactiveX/RxAndroid
Cheers.
Related
I have to implement OAuth for graphql API in Magento, I went through the documentation of Magento but I found that only we can authenticate by using username and password
https://devdocs.magento.com/guides/v2.4/graphql/authorization-tokens.html
https://devdocs.magento.com/guides/v2.4/graphql/mutations/generate-customer-token.html
We are creating a PWA application and web application is going to use it directly
Is there any other way to authenticate means any other authentication layer
Including this below to this very old question, if in case some others coming across this question.
Magento Graphql in the core implemented currently to handle more of frontend user request which will be in the form of either asking for some data that's either only to read or submit personal data (such as placing order with address)
There are modules available with the support of Graphql to handle E2E ERP sync (products & order fulfillment) , OOTB does not support everything that you might able to do with the use of oAuth Integration token + REST API.
You would want to determine the actual outcome or scope to decide on the authentication / authorization mode and then decide on the API layer medium. If in case of Integration token based approach is what decided for data / access security reasons then REST API will be easier option for the most of the OOTB functionalities.
Im trying to find some best practices on how to solve my problem.
I have a microservice application with oauth2 and firebase for authentication and authorization.
Our application needs to connect to a 3rd party rest api which is secured with oauth2 as well.
Is it possible to integrate both implementations or do i need to make my own solution?
One of my co-workers implemented the authorization-code flow needed to access the api and we basicly store access and refresh_tokens in the database to access this 3rd party api. But it doesn't feel right, i cant find any best practices either, can anyone help me out?
What your co-worker implemented is pretty typical: separating out the authentication and authorization for your own application (which you manage with Firebase) from your users authorizing your use of the 3rd party API.
Here are some best practices you should be following when implementing your OAuth flow:
Use the state parameter to avoid CSRF attacks. Store it in your database and compare the callback state with the one that you randomly generated for the user
Encrypt access and refresh tokens. Refresh tokens in particular provide long-lived access
Verify that the scope you asked for is the scope that was returned: some providers allow users to adjust the permissions, which can lead to unexpected errors
Make sure your refresh tokens don't expire. Check with the provider's docs to see how refresh tokens are deauthorized. Some are time-based, some are based on new refresh tokens being issued, but in any case, make sure your refresh token stays valid, as if it is not, you must get the user to re-authorize your application
You can also use a managed OAuth provider to abstract away all these elements. Xkit, which I work on, integrates with Firebase Authentication so your users can authorize your app, and you can retrieve each user's tokens with one API call.
I'm sorry if this question is asked before, but I'm still confused.
I'm currently creating a REST API with laravel. I'm using passport to secure the API-endpoints. The API should be used/accessed from several websites and SPA's. BUT all this sites need to access the API on there own behalf. So there is no user that need to sign in! I found a lot of tutorials that cover the topic of authorization and authentication but only on behalf of a user.
So my question is: What oauth grant type shoud i use to secure my API considering that all api consumers act on there own behalf?
I tried to use the client credential grant because the documentation said that
The client credentials grant is suitable for machine-to-machine authentication.
But that creates a bearer token and it seems not save to store it in a SPA or generally on client side.
Has someone experience in this topic and can please provide an answer (maybe with a short explanation)?
A simple example of how I want to use some endpoints of the API to provide some context:
I created a location endpoint that receives a zip code and returns all the relevant places. I want to use this in a form. So that the user inputs his zip code and dynamically receives all the places in a select box, so that he can choose one and proceed with the form.
Thanks in advance!
I currently have an asp.net Web API that uses identity authentication which an angular client then uses to authenticate users using an access token.
I want to have a another separate restful API that deals with the logic, crud operations etc side of things but I want this to have [Authorise] on the controllers to ensure it is secure.
What would be the best way to achieve this? Do I have to install identity on this logic API too?
Any help on this would be really appreciated.
We have our own existing we portal in ASP.NET MVC, now our one of the customer do not want to use our portal as separate tool, instead they want to consume our feature via WEB API and consume it on their side.
Now I want to implement authentication and authorization in web API, I did google to find my question's answer, but didn't get it.
I am confused in below points.
Is it best choice to OWIN the default implementation which Microsoft provide? or some custom implementation?
What are the advantage and disadvantage to use OWIN in terms of security?
When to Use JWT (Json Web token) and OWIN?
Or any other implementation which help to create more secured web API?
Looking for all expert's valuable to input to help me to decide.
I implemented something similar. This is how we work: we have our application (MVC app) which permits us to login. Logging in uses a separate mvc project (our STS) which handles all user authentication. When our login and password is posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it in an asp.net application cookie.
We also have a separate project containing our WebApi REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this more with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, i was helped very much using these series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be' but i am not an expert in this.
So summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi Rest methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTS to authenticate and generate JWTs