I am starting a new project and using javascript based UI as fronted and google cloud endpoints backed by google datastore for data storage.
I don't need to use any of the google services for user login etc. In other words, i will have my own table to store username, pwd and other profile info.
So, the questions are:
1. How will my service based frontend will hold the session?
2. How will it understand that requests are going for which user account to return user specific data?
Also to start with, I have so far created an endpoint which basically returns true or false on passing username to it. (just to mimic valid user or not).
The question is do i really need to configure any security to invoke this api from the javascript client i have?
Even if you want to use custom usernames and passwords, you'll need more than just a process to send and retrieve this data from your endpoint.
Consider using something that's there already. E.g. webapp2 has a basic auth module which allows you to have your own database with usernames and passwords but already has many required security measures in place.
A tutorial I've used to implement this in the past: https://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
So the basic answer is Google Cloud Endpoints is best suited for applications which users google accounts as authentication mechanism.
So if you are using cloud endpoints, and wanted to have custom authentication mechanism, you have to create your own.
How will my service based frontend will hold the session?
Upon successful authentication (by any form either user credentials, third party social login etc), you need to setup session for that user eg; by using session cookies.
How will it understand that requests are going for which user account to return user specific data?
Cloud Endpoint cannot tell that, so you have to write an custom filter or interceptor to check if valid session or cookie exists and either reject or continue the request.
To pass the current authenticated user who is requesting the api, you need to inject the user informations somehow (using DI, or request properties etc) into the ApiEndpoints, so with that you can process the request accordingly
Related
I have been trying to read through existing information about this topic. I even installed KeyCloak server locally, configured the realm, the client and used Postman to send some requests to KeyCloak, and received some json response.
My problem is that - unless I misunderstand something - none of the descriptions seem to fit my goals.
Our application already has user management and we rely on user identity and roles / access rights configured in the system. The backend runs inside Tomcat and we run a Polymer 1.0 / Javascript frontend to call the REST services of our backend. I cannot get rid of user management as our DB is highly dependant on user to object assignment when deciding the scope of the objects for which the particular user is responsible.
All we need is an extension of our system by the possibility of foreign authentications (like social logins) in the future.
We have now explicit login that delivers a session cookie, Servlet filters to check the presence of this cookie, etc. In the server we use the login token / user identity in each REST call to filter the results from the DB to those available to the particular user.
What I need is a flow like:
in the fronted we check if we have active session (existing code)
if not we redirected the user so far to our own login page, logged in, created the session cookie on server and then returned it. On client side we saved this and added to every REST request as authoriation token.
Now with OIDC I'd like to insert a new unprotected query that checks if OIDC is configured. If not, we keep the old solution. If yes, I'd like to get redirected to KeyCloak login, and - and this is the most important for me - I'd like to get back the user identity (or some role that we associate administratively to the user - using which I could identify one of our configured users.
I tried experimenting with the Tomcat solution but that simply blindly hides the authentication procedure and merely allows or blocks REST access to the backend resources. This is not enough for me, I need some kind of user identity which I can use in the server side.
Also a javascript solution only provides communication between frontend and keycloak, but we need the backend to know who has logged in.
I think this topic and all the used lingo is too complicated for me. Could anyone give me some easy advice how to solve this with best practices?
Thank you very much
For a web-application portal, which is accessed via internet through web-browser, there is a requirement to implement the following authentication flow within the WSO2 API manager.
End Users of Application (Portal-Web Thin client) must login using a user/password scheme.
The user & credential information are stored in a local application RDBMS database (eg- MySQL).
Application has user management screens to add/delete/update users and map roles.
API manager must authenticate the user against the local user store and generate a JWT/Ouath2 token.
There are custom password policies to be configured (for eg, user must be locked after 5 failure try).
End user will use the generated token to access the protected API.
API Manager should authorize the token and route the API to the appropriate micro service.
From the documentation we found that, a secondary user store shall be created to allow the end users of the application to be part of WSO2 API Manager users, and hence the authentication will be taken care by API manager itself. I would like to get a better understanding on how this can be implemented.
Changes expected in end-user database is very dynamic via user management screens in the application, does this need to be updated to API manager user store in some manner? Or can the API manager user store can be configured directly read from applicable users table.?
Can API manager performs the encrypted password validation, configured in application DB against each user?
Is there any alternate approach, for eg, my application expose a rest end-point for authentication, and the API manager invokes this end-point to perform the authentication by passing the username and password received as part of token api.?
You can plug the Application's User store as a secondary in the API Manager and achieve your requirement. Refer to the official documentation on configuring a Secondary User-store for more detail.
Further, if you are having a JDBC User store, then you can either customize the queries of the secondary user-store in the API Manager to query the user entries correctly. In addition, you can also implement a custom User-store manager and plug (if you are having more customized fields and operations).
Answering your questions
Changes expected in the end-user database are very dynamic via user management screens in the application, does this need to be updated to API manager user store in some manner? Or can the API manager user store can be configured directly read from the applicable user's table?
No, it is not required to perform any manual changes in the API Manager unless if you haven't configured the User-stores properly. However, be in note, that if you are planning to use the user's from your application user-store to create APIs and subscribe in the API platform, deletion of those users can cause inconsistent behaviors in the platform.
Can API manager performs the encrypted password validation, configured in application DB against each user?
You can write a custom User-store manager to handle the password validation as you like.
Is there any alternate approach, for eg, my application expose a rest end-point for authentication, and the API manager invokes this end-point to perform the authentication by passing the username and password received as part of token API.?
I can think of one alternate with the REST API approach. Which is to develop a custom Handler and engage it with APIs to perform the validation in addition to Token validation. In brief,
Develop a Synapse Handler
Engage the Handler with the APIs along with the default APIAuthenticationHandler
Read and extract the username and password from the Transport header in the custom handler
Call the application's REST endpoint and check the validity
If successful, continue with the API invocation (continuing with the usual token validation process and all), if not, drop and respond back with an error
But, please note that this external validation process needs to be fast enough to not to block the API Manager for a longer period.
We have a Spring Boot web app which uses JWT based authentication/authorisation.
Now, we want to add OAuth2 support so that users can login using their Google account.
That would be easy to do using Spring Security.
However, the requirement is a bit different.
If the user wants to use the Google login functionality, he first needs to link their Google account. Basically login into our application using his/her credentials, and on their profile page link their Google account.
The flow would be something like the following:
Click the “Link Google account” button on user’s profile which redirects them to Google
In Google choose the account you want
Google returns with a code. After that, make a request to our backend, on an authenticated endpoint e.g. POST /users/{userId}/accounts which will receive the token returned by Google
In the backend, verify this token by making a request to Google
If all is good, link user’s account with Google by updating the db accordingly
My question is, for step 4, what is the best practice for that? How can I use all the stuff that Spring Security is offering to achieve this?
Thank you in advance,
You have the authorization code and you exchange for access token all over https and all in backend.
There is no need to validate access token ( I don’t think spring security even does this part for integration with google ) at your end.
This should be done by google when you request its resource.
I'm looking for some advice about how to execute a authentication implementation on my web application with some specific requirements.
The web application consists of a angular frontend and a spring-boot backend. All of this is hosted on Google Appengine and I’m using Google Cloud Datastore for the database.
I want to implement some kind of authentication system now where the user uses email and password to log in. The users should only be able to create accounts if I have allowed that email to register. What would be the best way to implement a system that achieves this?
I’ve been looking at Firebase for the authentication part and that looks good but how do I integrate this with spring boot to limit access to the site depending on if the user is logged in or not?
Another question is about the create user requirement. Would a good solution to this be to store emails that are allowed to register in my database, and then check every time someone wants to register if their email is in there before using Firebase to create that user?
I'm not very experienced with authentication implementations so any advice is appreciated.
I think that Spring Security + Stormpath its a good choice. Here is one nice tutorial: https://scotch.io/tutorials/build-a-spring-boot-app-with-user-authentication
And about the registration permission for enabled emails you should really store on DB to have control over it, I dont see any problem with that.
I am new to RESTful Web Services and I'm trying to design my first secure web service using JAX-RS. But I have got this doubt.
Imagine I have a messenger API where I have a "/posts" web service, which would give me all the posts for the user who calls it. So I have designed a basic auth filter which does the authentication and if valid user, it passes the request to the /posts service which gives a list of posts for the user. Now the problem is the user in my DB has a user id which is not exposed to the user. Inside the /posts service I need the userId to get the posts of the requesting user. So my filter does the authentication and gets the userId for the logged in user.
My question is how to pass this userId to the /posts web service ?
My approach now is to add this userId as a request header info in the filter and then pass it to the /posts service.
But I am confused if this is the right approach to do it, or should this scenario be handled elegantly in some other way?
Please help me to understand what might be the best approach to do it.
It sounds like you're considering creating your own security when there are already established standards that are well documented out there. I've used OAuth and JWT tokens in the past to secure rest end points. Depending on your specific requirements, you may be able to use Basic Authentication.
When it comes to security, it's rare that you'll be able to do a better job then the experts, so if you can follow a standard, you probably should. The additional benefit being the next person to come a long has all the documentation and support to go along with it.
Update:
Just having the user ID in the request would not be sufficient. Anyone who knows someone else's user id would be able to spoof being that person and post to the endpoint as the other user.
"My question is how to pass this userId to the /posts web service ?"
Sessions can be used to store the internal user id. If you already have them logged in with a session, you should be able to pull the user id from the session. If you were to use JWT (which is stateless) you can pull whatever information you have stored in the token to accomplish the same thing.