Java/Scala SAML client example needed - java

I'm writing some Scala code that will run on a server. It needs to periodically connect to Office 365 to pull some data using OData. I don't have access to AD to register an app. I'm using a username and password for authentication.
Are there any suitable Java or Scala libraries I can use for the authentication step? At the very least, I'd love to see some sample code in any language that shows the authentication step. (Please don't provide samples that use a .Net library for the authentication step. I need to be able to reproduce the logic in a JVM on Linux.)

There is an excellent example at https://github.com/onelogin/java-saml, which provides a class to prepare the request and a class to process the response. There are some things to fill in, but the Wikipedia entry on SAML should be enough.

Related

How to Create REST API For Phone Number Authentication in Spring-Boot Project?

I have created some APIs for login but am not sure about creating a login with a username/phone number. Can someone help out with any tutorials or any sort of idea on how to create a REST API for phone number authentication in a Spring Boot project?
I also need a suggestion on how to add third-party login, like logging in with a Google account as on most web applications.
From what I've understood of your question, you are concerned about security and would like to implement something like MFA for your users.
Since sending OTP codes is expensive (not really, but let's assume you want something free) and requires access to external APIs to send the codes (with their own logic), what I can suggest is using something like TOTP (Google Authenticator or Microsoft Authenticator).
Here is a good (and, most importantly, WORKING) guide I followed some time ago:
https://medium.com/javarevisited/spring-boot-two-factor-authentication-78e00aa10176
With the right adjustments and improvements (or simplifications, if needed), the main logic will be perfect for your MFA application.
For login using, for example, Google/Facebook/SAML SSO and so on, I suggest you look at OAuth2:
https://www.baeldung.com/sso-spring-security-oauth2
Hope it helps.
Hi Ninja, please read this example and search the internet:
https://dzone.com/articles/add-login-to-your-spring-boot-app-in-10-mins

Securing REST API with OAuth2.0 or Azure Active Directory

I have a REST API that I call from within my web application in order to get the result. I have a client which asks for my API only, but I can't expose my API without any security. Apparently I have to use it with my application as well; so far the API is not secure. I want my client to consume my API with valid credentials, whether OAuth 2.0, JWT, certificate, or some extra mechanism. How can I achieve this objective? Any working example in Java with Azure will do, and it should not hamper my pre-existing web app which is using the API for its own purpose. Thanks well in advance.
I tried to do it and even completed the task, but eventually found that it does not provide much value in my case. In my case the API is accessed by long-running background tasks where human login is not practical. Now there is no way for an application to log in to Azure; it must be done by a browser application which is protected in every conceivable way against automatic login. Other than that, Microsoft's solution for these kinds of tasks is the shared-secret-protected token, which essentially means that the app and Azure share a secret (a password generated by Azure). This does not differ significantly from the case where you store and check the passwords.
Other than that, there is the issue of Azure Active Directory and Azure Active Directory v2.0. This is a bit confusing because both solutions are based on OAuth2.0 tokens, but Azure AD v2.0 is really a very different beast. For starters, Azure AD v2.0 tokens cannot be decoded as of writing this answer; they can be consumed only by Microsoft services. So if you want to know who the user was that has logged in, you need to pass the token to the Graph API, and that supposes that you have a logged-in user. For Azure AD, the token can be decoded and verified by your app; see this demonstration application for how to do it.
So as a summary, I recommend protecting your API with Azure tokens only if the application you provide the login service for is a user-facing application that the user interacts with after the login. If it is a long-running server-type task, protecting it with Azure AD is pretty pointless.
It is easy to protect the web API using Azure Active Directory. Microsoft provides lots of code samples to help developers get started.
You can refer to the links below for code samples for your scenario:
Azure Active Directory Code Samples

How to implement OAuth in Bitrix for third party Applications?

I am currently using Bitrix24 for HR management and task management.
Since it provides an option to integrate third-party applications with it, I am stuck on how to implement OAuth for my application with Bitrix.
I went through the documentation provided by Bitrix24, but it uses PHP code.
Is there any sample Java code available for an OAuth implementation?
Unfortunately I haven't seen any examples in languages other than PHP, but
if you are already experienced with Java it should not be a problem.
In case you are working with the Bitrix24 cloud edition, you need to:
1) create an application for the marketplace using your partner account and obtain the secret key and application id
2) send this secret key and application id from your application, written in any language, and
3) receive the request token and refresh_token and use them to access the REST API provided by Bitrix24: https://training.bitrix24.com/rest_help/
More details on what kind of requests you need to make: https://training.bitrix24.com/rest_help/oauth/examles.php
Hope this helps you.
You can use the API like this from Java.
I am adding LEADS via the API and updating the same LEAD.
To add a LEAD:
Method: POST
URL:
https://.bitrix24.com/rest/crm.lead.add
Parameters:
{"fields[TITLE]":"LEAD_TITLE","auth":"AUTH_TOKEN"}
It will add the new LEAD to your Bitrix dashboard.
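The three steps from the first answer and the crm.lead.add call from the second, put together as an added example that is neither from the thread nor from Bitrix24: an OAuth 2.0 authorization-code client that checks the `state` on the callback, stores the token pair with its expiry, refreshes before it runs out and then calls the REST method with `auth=<access_token>`. The token endpoint and the `/oauth/authorize/` and `/rest/<method>` paths are my reading of the Bitrix24 REST documentation and should be checked against it; `FakeBitrix`, the client id, secret and code are constructed so the flow runs offline. Python is used so the block is runnable as is; the HTTP and JSON handling is the only part that changes for a Java port.

```python
# Added example, not from the thread or from Bitrix24: the three steps of the
# answer above as an OAuth 2.0 authorization-code client for the Bitrix24 cloud
# edition, plus the crm.lead.add call with the access token. The endpoint paths
# are my reading of the Bitrix24 REST docs (assumption, verify against them);
# FakeBitrix is a constructed stand-in so the flow runs offline.
import json
import secrets
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth.bitrix.info/oauth/token/"   # assumed cloud token endpoint


def http_post_form(url, params):
    """Real transport: form-encoded POST, JSON body back. Swapped for a fake in demo()."""
    body = urllib.parse.urlencode(params).encode("utf-8")
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


class BitrixClient:
    def __init__(self, portal, client_id, client_secret, transport=http_post_form, clock=time.time):
        self.portal, self.client_id, self.client_secret = portal, client_id, client_secret
        self.transport, self.clock = transport, clock
        self.tokens = None   # {"access_token", "refresh_token", "expires_at"}

    def authorize_url(self, state):
        """Step 1/2: where to send the user's browser. `state` ties the callback to this login
        attempt; it must be random, stored in the session and checked in exchange_code()."""
        q = urllib.parse.urlencode({"client_id": self.client_id, "response_type": "code", "state": state})
        return f"https://{self.portal}/oauth/authorize/?{q}"

    def exchange_code(self, code, returned_state, expected_state):
        """Step 2: trade the code from the callback for access + refresh tokens."""
        if not secrets.compare_digest(returned_state, expected_state):
            raise ValueError("state mismatch: callback did not come from our authorize redirect (CSRF?)")
        self._store(self.transport(TOKEN_URL, {
            "grant_type": "authorization_code", "client_id": self.client_id,
            "client_secret": self.client_secret, "code": code}))

    def refresh(self):
        self._store(self.transport(TOKEN_URL, {
            "grant_type": "refresh_token", "client_id": self.client_id,
            "client_secret": self.client_secret, "refresh_token": self.tokens["refresh_token"]}))

    def _store(self, resp):
        if "access_token" not in resp:
            raise RuntimeError(f"token endpoint: {resp.get('error')}: {resp.get('error_description')}")
        self.tokens = {"access_token": resp["access_token"], "refresh_token": resp["refresh_token"],
                       "expires_at": self.clock() + int(resp.get("expires_in", 3600))}

    def call(self, method, params):
        """Step 3: REST call with auth=<access_token>, refreshing 60 s before expiry so a
        long-running job never fails on a stale token."""
        if self.tokens is None:
            raise RuntimeError("not authorized: run exchange_code() first")
        if self.clock() >= self.tokens["expires_at"] - 60:
            self.refresh()
        resp = self.transport(f"https://{self.portal}/rest/{method}",
                              dict(params, auth=self.tokens["access_token"]))
        if "error" in resp:
            raise RuntimeError(f"{method}: {resp['error']}: {resp.get('error_description')}")
        return resp["result"]


class FakeBitrix:
    """Constructed offline stand-in for the token endpoint and the portal's REST API."""
    def __init__(self):
        self.issued, self.requests = 0, []

    def __call__(self, url, params):
        self.requests.append((url, dict(params)))
        if url == TOKEN_URL:
            if params["client_secret"] != "s3cret":
                return {"error": "invalid_client", "error_description": "wrong client_secret"}
            if params["grant_type"] == "authorization_code" and params["code"] != "abc123":
                return {"error": "invalid_grant", "error_description": "unknown code"}
            self.issued += 1
            return {"access_token": f"at{self.issued}", "refresh_token": f"rt{self.issued}", "expires_in": 3600}
        if params.get("auth") != f"at{self.issued}":
            return {"error": "expired_token", "error_description": "The access token provided has expired."}
        if url.endswith("/rest/crm.lead.add"):
            return {"result": 42}    # id of the new lead
        return {"error": "ERROR_METHOD_NOT_FOUND", "error_description": url}


def demo():
    """authorize -> exchange -> call, then a call an hour later that triggers a refresh."""
    now = [1_700_000_000.0]
    fake = FakeBitrix()
    c = BitrixClient("example.bitrix24.com", "local.abc", "s3cret", transport=fake, clock=lambda: now[0])
    state = secrets.token_urlsafe(16)
    print("redirect the user to:", c.authorize_url(state))
    c.exchange_code("abc123", state, state)             # code + state come back on the callback URL
    first = c.call("crm.lead.add", {"fields[TITLE]": "LEAD_TITLE"})
    now[0] += 3600                                      # token about to expire
    second = c.call("crm.lead.add", {"fields[TITLE]": "LEAD_TITLE_2"})
    return first, second, fake


if __name__ == "__main__":
    print(demo()[:2])
```

The client secret and the refresh token are both long-lived credentials for your portal; keep them out of the request log (the fake records full parameters only so the flow can be inspected) and store them with the same care as a password.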

How to authenticate users from a rest service

I am trying to authenticate users with a REST service I built using Dropwizard. From previous questions I found a great example of authenticating with OpenID on GitHub: https://github.com/gary-rowe/DropwizardOpenID
However, I don't want to deal with OpenID at the moment and simply want users to 1. Sign up, 2. Sign in
My questions/confusions are:
For sign-up: I'm thinking about sending the user's username/password as a POST request with the credentials as either form parameters or part of a JSON body. However, isn't there a security risk here of sending the password in plain text?
For sign-in I'm thinking about using Authenticator in Dropwizard.
I don't want to store passwords in plain text. What strategy should I follow after I get the user's password in the POST as plain text? I'm looking for some Java libraries that can assist with password salting and MD5.
Thanks for the shout out for the Dropwizard OpenID project. Glad it was able to get you started.
If you want a pure web form type approach, take a look at another of my projects MultiBit Merchant which provides multiple authentication methods (web form, HMAC, cookie).
You'll need to dig around to really see it working since this project is not designed as a demo as such and is very much a work in progress.
After loading the project, look for WebFormClientAuthenticator which will get you in the right area.
The general principles involved with Dropwizard authentication are discussed in this blog article. Although it targets HMAC you can easily adapt it for web form or cookie using the source code referenced earlier.
It's all MIT license so just use it as you need.
Looking at the docs, we can see that Dropwizard supports a standalone OAuth2 implementation:
http://dropwizard.codahale.com/manual/auth/#oauth2
OAuth2 has several advantages, many of which can be read about here: OAuth 2.0: Benefits and use cases — why?
Things to note:
when dealing with authentication, you should always host over HTTPS to ensure transport encryption
Dropwizard claims their OAuth2 implementation isn't yet finalized, and may change in the future. As a fall back, they do support Basic auth as well, which when used over HTTPS would be still reasonably secure.
Implementing this does not involve using any third party "social" authentication services such as Google or Facebook.
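The storage side of the question, as an added example that is not from the thread or from Dropwizard: what to do with the password once the sign-up or sign-in POST has delivered it. The example uses PBKDF2-HMAC-SHA256 with a random per-user salt, which the standard library provides, instead of the salted MD5 the question mentions; the iteration count is an assumption to tune for your hardware, and the `UserStore` is an in-memory stand-in for the users table. It is written in Python so it runs stand-alone; `PBKDF2WithHmacSHA256` in javax.crypto gives the same primitive on the JVM.

```python
# Added example, not from the thread or from Dropwizard: storing and checking
# the password received in the sign-up / sign-in POST. It uses PBKDF2-HMAC-SHA256
# with a random per-user salt (standard library) rather than salted MD5.
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256; tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Self-describing record 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'.
    Storing the parameters lets you raise the cost later without a migration."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"), base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recomputes with the stored salt and cost, compares in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected, iters = base64.b64decode(salt_b64), base64.b64decode(hash_b64), int(iters)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record is below the current cost; rehash on the next successful
    login, the only time the plaintext is available."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


class UserStore:
    """In-memory stand-in for the users table: only the hash record is ever kept."""

    def __init__(self, iterations: int = ITERATIONS):
        self.iterations = iterations
        self._records = {}
        # used for unknown usernames so sign-in takes the same time either way
        self._dummy = hash_password(secrets.token_hex(16), iterations)

    def signup(self, username: str, password: str) -> None:
        if username in self._records:
            raise ValueError("username already taken")
        self._records[username] = hash_password(password, self.iterations)

    def signin(self, username: str, password: str) -> bool:
        record = self._records.get(username, self._dummy)
        ok = verify_password(password, record) and username in self._records
        if ok and needs_rehash(record, self.iterations):
            self._records[username] = hash_password(password, self.iterations)
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.signup("alice", "correct horse battery staple")
    print(store.signin("alice", "correct horse battery staple"), store.signin("alice", "Tr0ub4dor&3"))
```

On the transport question in the post: the password does travel in the clear inside the POST body, and TLS is what protects it, as the other answer says. Hashing it in the browser before sending does not help, because the hash then becomes the password an attacker needs to replay; the slow, salted hash belongs on the server, computed from the plaintext it received over HTTPS.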

Java code to create SAML 2.0 AuthnRequest based on meta data xmls

Can someone please share the complete Java code to create an AuthnRequest for Web Browser SSO based on SAML 2.0? We have a service provider that uses a 3rd-party IdP. I am working with a J2EE component in the DMZ that won't let me add any jar files, so I am looking at writing complete Java code to produce an AuthnRequest and redirect the user to the IdP.
Thanks in Advance
I strongly doubt there is any implementation out there that does this without any external dependencies.
I suggest you look into the implementation of simplesamlphp. The code is quite easy to understand, but to implement this correctly and securely at your end I would recommend that you have a good understanding of the SAML 2.0 protocol.
I would advise against this, as there is a big risk of introducing security issues. This will take time and should be thoroughly tested.
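What the question asks for, the AuthnRequest and the redirect to the IdP, as an added example that is not from the thread, simplesamlphp or java-saml: the SP half of SAML 2.0 Web Browser SSO with the HTTP-Redirect binding, using only the standard library. It reads the SingleSignOnService URL out of IdP metadata, builds the AuthnRequest, and encodes it (raw DEFLATE, base64, URL-encode) into the `SAMLRequest` parameter, then decodes it again as a self-check. The IdP metadata, entity IDs and URLs are constructed for the example. This is the easy half of the exchange; validating the signed Response that comes back is where the answer's warning applies, and this block does not attempt it. Python is used so the block runs as is; javax.xml and java.util.zip cover the same steps on the JVM.

```python
# Added example, not from the thread, simplesamlphp or java-saml: the SP side of
# SAML 2.0 Web Browser SSO with the HTTP-Redirect binding, standard library only.
# The IdP metadata and all URLs are constructed for the example.
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():              # keep the conventional prefixes in serialized output
    ET.register_namespace(_prefix, _uri)
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# constructed, trimmed IdP metadata; a real one also carries the IdP signing certificate
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_location(metadata_xml: str, binding: str = REDIRECT_BINDING) -> str:
    """SingleSignOnService Location for `binding`, read from the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    raise ValueError(f"IdP metadata has no SingleSignOnService for {binding}")


def build_authn_request(sp_entity_id, acs_url, destination, request_id=None, issue_instant=None):
    """Minimal AuthnRequest. Persist the returned ID: the Response's InResponseTo must match it,
    and Destination must equal the URL the request is actually sent to."""
    request_id = request_id or "_" + secrets.token_hex(20)   # xs:ID, so it must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant, "Destination": destination,
        "AssertionConsumerServiceURL": acs_url, "ProtocolBinding": POST_BINDING})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{NS['samlp']}}}NameIDPolicy",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "AllowCreate": "true"})
    return request_id, ET.tostring(root, encoding="unicode")


def redirect_url(destination: str, authn_request_xml: str, relay_state: str = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), base64, URL-encode."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = co.compress(authn_request_xml.encode("utf-8")) + co.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return destination + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url: str):
    """Inverse of redirect_url(), i.e. what the IdP does on arrival; used here as a self-check."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")
    return xml_text, query.get("RelayState", [None])[0]


def summarize_authn_request(xml_text: str) -> dict:
    """ID, Destination and Issuer of a decoded AuthnRequest."""
    root = ET.fromstring(xml_text)
    return {"ID": root.get("ID"), "Destination": root.get("Destination"),
            "Issuer": root.find("saml:Issuer", NS).text}


if __name__ == "__main__":
    idp = sso_location(IDP_METADATA)
    rid, xml_text = build_authn_request("https://sp.example.com/metadata", "https://sp.example.com/acs", idp)
    url = redirect_url(idp, xml_text, relay_state="/after-login")
    print("302 Location:", url)
    print(summarize_authn_request(decode_saml_request(url)[0]))
```

Two things this does on purpose: the Destination attribute is set to the same URL the browser is redirected to, because an IdP that enforces Destination will reject a mismatch, and the request ID is returned to the caller so it can be stored in the session and compared with `InResponseTo` when the Response arrives. Without that comparison, and without checking the Response signature against the certificate in the IdP metadata, an attacker can replay or forge an assertion, which is the risk the answer is pointing at.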
