Single Sign-On with oAuth2 or Shared Session - session

I have three client-facing web applications all on different subdomains (one of these web applications actually has 700+ different subdomains that are changing all the time). I've written an oAuth server that I was going to use to allow users to login to each of these systems; this works, but I've begun running into differences between what's happening and what I would like the behavior to actually be when writing the logout code.
Some of my requirements for single sign-on are:
If logged in on one system, you are logged in on all systems (obviously).
If logging out of one system, you are logged out of all systems. Even across subdomains.
If you are logged in on two different machines, for example -- a cellphone and a desktop. When logging out on your cellphone, do NOT logout on your desktop.
We already have written the oAuth provider and we'll be using it for projects not coupled to our domain (API's, etc.), but I'm not entirely convinced that oAuth is the best solution to use to meet the requirements outlined above. I'm thinking that maybe a shared session would be better. The shared session idea would involve a cookie stored on the main domain that has information about the currently logged-in user.
What are the pros and cons of either approach? Are there other approaches you might take? Are there security risks to consider? Concurrency and scalability considerations? Please help!

I would have taken oauth route with a variance.
Oauth :
The approach I would prefer is - access token issued at a device level (User- Application/Device) .
Ie there will be a process for registering your device and granting access for it.
This will result in the generation of an access token specific to the device and stored in it as the case may be. (For eg:- for mobile you may need a longer expiry access token and webpage a lesser duration one).
This way you can decouple the login/log-out across devices.
However the con of this approach is:
More complicated implementation, as it involves device registration
Tracking the action of each user will be difficult as you have two or more access token tied to a user.
Pros :
This is a fairly standard way
The Con 2 can be worked around (Adding access token attributes etc).
Session based SSO management
Pros :
Simpler than OAuth
Cons :
Security constraints around -session/cookie handling
Extendability at later point to add more use-cases is limited

Related

What is the modern approach to secure communication between backend and mobile application?

I've read a lot of articles on this subject and they all suggest completely different things that I can't yet structure in my head.
I have one backend app (spring-boot + kotlin). I have nginx and one android (kotlin) mobile app uses backend api and of course Postgres. By the way backend app and postgres are packages in docker containers via docker-compose.
My task is to make the API of my backend service can only be used by this mobile application and no one else. But I also want it to be able to use the API if I have a Web application in the future.
I would be fantastically grateful if you could describe, in a few words, modern technology that could be used to accomplish my task.
For example:
Spring-security: a huge thing that you don't know what to do with, most likely you can use it to solve your problems, but it's overkill. But if you decide to use spring-security, this will help you {...}
...
By the way, I'm not against spring-security, I just really think it's too much for my task. But I'd be happy to hear your opinion.
Your Problem
My task is to make the API of my backend service can only be used by this mobile application and no one else. But I also want it to be able to use the API if I have a Web application in the future.
You have in hands a very hard task to complete. While not impossible it's very hard to accomplish with code written on your own or by trying to leverage security features on your framework of choice.
To understand why it's so hard you first need to understand the difference between who is in the request versus what is doing the request.
The Difference Between WHO and WHAT is Accessing the API Server
I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
So think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request in behalf of the user.
After you understand this idea and it's ingrained in your mindset, you will look into mobile API security with another perspective, and you will be able to see attack surfaces that you never though they could exist.
Possible Solution
I would be fantastically grateful if you could describe, in a few words, modern technology that could be used to accomplish my task.
I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.
The best approach to solve your problem is to go with a Mobile App Attestation solution suggested in the answer I linked. A Mobile App Attestation needs to be able to work in tandem with your mobile app and backend in order for the backend to have a very high degree of confidence that what is making the request is indeed a genuine version of your mobile app, that hasn't been tampered with statically or at runtime, and it's not under a
MitM Attack
The Manipulator-in-the middle attack (MITM) intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.
The MITM attack is very effective because of the nature of the http protocol and data transfer which are all ASCII based. In this way, it’s possible to view and interview within the http protocol and also in the data transferred. So, for example, it’s possible to capture a session cookie reading the http header, but it’s also possible to change an amount of money transaction inside the application context
Be aware that solutions to solve your problem that are specific to the backend or to the mobile app will not be able to achieve a very high degree of confidence in securing your API backend from serving requests not originated from your genuine mobile app, but it's better to have them then nothing.
Do You Want To Go The Extra Mile?
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
For APIS
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
The easiest way probably is to define a shared secret on the phone and the backend service.
On the mobile phone, with each request, you send the secret, e.g., as an HTTP header.
On the backend, you need to implement a Filter (e.g., OncePerRequestFilter) that checks the request for the secret and compares it to the value stored in the backend.

Device based access policy for Laravel

Security is not my area of expertise. I am working on a lightweight administrative Laravel web app for internal use by company (small) employees:
The app is intended to be used only by the employees
Remote work (from home) is not uncommon
Smartphones and laptops are usually used when working remotely
I would like to secure it as much as possible - beyond authentication, access controls or 2FA. I am trying to think of ways to make it virtually invisible to the public, but still available for the employees. Defining proper rules for crawlers might make it a bit more obscure but I think more could be done. Network based restrictions would limit the employee flexibility.
Based on this I got the idea that the app could be made available only if the request is made by an authorized device. I am not sure however whether or not this is a good approach. Neither do I know how to tackle the problem of authorizing the various devices and making that information available to the server during communication.
i.e. How would I tag a device as authorized so that I only have to do it once and can reliably validate the information in a web app? Regular authentication as well as role based access would still be in place but the app could return a 404 response if the accessing device is not whitelisted.
Is there a way to achieve something like this while not making it too restrictive for the users or painful to set up? Or is there a better method for achieving the same result?
Consider a VPN?
If you are hosting the device on an internal network, you could see if the IT dept. can set up VPN access to work remotely (in most cases, this is already in place) and then it does not need to be accessed over the internet via a URI. Instead you can simply navigate to the internal address once you're in the network through the VPN - no public access and no need to worry about pesky web crawlers!
It also makes it easier to moderate your application. For example, if an employee leaves the company you can simply revoke their VPN access and they'll no longer be able to access the application.

google cloud ruby gem / running commands on behalf of oauth-authenticated user

Getting a bit lost in the diverse documentation endpoints (here, here, to name a few…)
This one is pretty usable for a given account by providing a json key as an environment variable.
The thing is, I just don't see how commands can be run on the behalf of a user authenticated via oauth — practically speaking, where do you specify the oauth user token ?
Thanks for sharing this insight
Best
google-cloud-ruby (which you linked in your question) is designed to provide access via service account credentials, as you noted. For help with "lower-level" access in which you managing your own OAuth tokens, you might consider google-auth-library-ruby. However, if you can use a service account instead of a user account to use the higher-level access provided by google-cloud-ruby, I believe it's probably the best approach, as recommended in Google Cloud Storage Authentication:
Due to the complexity of managing and refreshing access tokens and the security risk when dealing directly with cryptographic applications, we strongly encourage you to use a verified client library.

Double authentication for RESTful API

I'm currently building a RESTful API to our web service, which will be accessed by 3rd party web and mobile apps. We want to have certain level of control over API consumers (i.e. those web and mobile apps), so we can do API requests throttling and/or block certain malicious clients. For that purpose we want every developer who will be accessing our API to obtain an API key from us and use it to access our API endpoints. For some API calls that are not dealing with the specific user information, that's the only required level of authentication & authorization, which I call "app"-level A&A. However, some API calls deal with information belonging to the specific users, so we need a way to allow those users to login and authorize the app to access their data, which creates a second level (or "user"-level A&A).
It makes a lot of sense to use OAuth2 for the "user"-level A&A and I think I have a pretty good understanding of what I need to do here.
I also implemented OAuth1-like scheme, where app developers receive a pair of API key & secret, supply their API key with every call and use secret to sign their requests (again, it's very OAuth1 like and I should probably just use OAuth1 for that).
Now the problem that I have is how to marry those two different mechanisms. My current hypothesis is that I continue to use API key/secret pair to sign all requests to be able to access all API endpoints and for those calls that require access to user-specific information apps will need to go through OAuth2 flow and obtain access tokens and supply them.
So, my question to the community is - does it sounds like a good solution or there are some better ways to architect this.
I'd also appreciate any links to existing solutions that I could use, instead of re-inventing the wheel (our services is Ruby/Rails-based).
Your key/secret pair isn't really giving you any confidence in the authorship of mobile apps. The secret will be embedded in the executable, then given to users, and there's really nothing you can do to prevent the user from extracting the key.
In the Stack Exchange API, we just use OAuth 2.0 and accept that all we can do is cutoff abusive users (or IPs, in earlier revisions without OAuth). We do provide keys for tracking purposes, but they're not secret (and grant nothing of value, so there's no incentive to steal them).
In terms of preventing abuse, what we do is throttle based on IP in the absence of an auth token, but switch to a per-user throttle when there is one.
When dealing with purely malicious clients, we unleash the lawyers (malicious in our case is almost always violation of cc-wiki guidelines); technical solutions aren't sophisticated enough in our estimation. Note that the incidence of malicious clients is really really low (single digits in years of operation, with millions of daily API requests).
In short, I'd ditch OAuth 1.0 and switch your throttles to a hybrid of IP and user based.

What are the options for sharing sessions between applications?

Say that I have two or more completely separate web applications. The might even be running on a different server and use different language & framework.
What I need to do is to share state, or at least authentication. For example if the user logs in on one of the websites and goes to another one, he will be able to authenticate using his credentials from the first website.
For example, if I have one website running e-commerce and another one is a blog, I want all the e-commerce users be able to comment on the blog with the information from their profile.
What is the best way to do this? Is it even a good idea?
The only solution that comes to my mind is abstracting away the profiles and authentication and create some kind of global profile and then use that on both of those websites. But that seems like a really complex solution considering what I need to achieve.
OpenID seems like a good way.

Resources