I want to know if there are a way to encrypt data with a key generate through the oauth2 authentication? I need to secure data for user on app that use only oauth2 login.
Firstly there is no such thing as OAuth 2.0 authentication. The Identity Layer built on top of OAuth 2.0 is called OpenID Connect so you may be referring to that. Secondly, securing data for a user inside an app is independent of the way of authenticating that user. You could dynamically generate a secret and encrypt the user data with that.
Related
I am currently looking to create a private web app with separate front-end and back-end on AWS using nodejs without signup and 3rd part logins, so generated user and passwords. I have looked over a few post, seems Oauth2 only provide more security when I am allowing 3rd party login or services, because it is a authorization framework. so I have a few questions:
In my case, I don't think authenticate oauth2 token is anymore secure than authenticate hash password. So I don't need oauth2 am I correct ?
Other than SSL on transfer and then use session-token after user login, what other ways I can make the backend API more secure ?
Please provide links or examples(best with nodejs )
Thanks,
Can we create a single sign on with multiple NodeJs applications? Main application is using JWT authentication. I want to use same user authentication to work in other applications without having complete user profile information.
Yes you can. Include whatever information is useful for you when signing your jwt token. Send this token to the other applications, verify it and you can authenticate the user.
I read articles on choosing the right authentication mechanism and I understand that JWT just defines a token while OAuth is a full framework that can use JWT. There are also other frameworks (Firebase?) and token-standards.
Now for my specific use-case I have a single-page-, microservice app with Angular2 that will run the whole day in the browser without any refreshing, in a rather old B2B environment (2GB ram, IE11). So social logins are not needed and a lightweight solution is preferable. Can you suggest anything?
This questionary could help
Are you using a forms based web or a SPA?
Forms: Use server sessions
SPA: Use authentication tokens (JWT or opaque)
Using authentication tokens, do you want to avoid storing session data at server side?
Yes: Use JWT
It does not matter: Use opaque tokens
The client needs to verify token or extract token claims?
Yes: Use JWT signed with RSA
No: Use JWT with HMAC or opaque tokens
Do you have an API for third party?
Yes: Use OAuth2 or OpenIDConnect issuing authentication tokens after succesful user login
No: Nothing extra
Do you want to manage user passwords?
Yes: Make your own registration and login forms
No: Integrate social logins (they use oauth/OIDC)
I am an azure user and I am using the mobileservice client to generate azure tokens from oAuth provider tokens.
I want to let users securely read/write to MY API, and it appears that the only unique identifier that it gives me is an integer userID. The token, a more difficult to guess string, appears to change every time I generate an unauthenticated client.
What is the best practice for doing this? Could someone just open a client with my appkey, guess the 25 character user ID, and then call my api?
How can I use the token to provide secure read/write to my api? Or is using the User ID,https, obfuscation, etc my best bet? Maybe i could use a tutorial on how tokens work.
There are two or three pieces here.
1) The OAuth provider (Facebook, Google, etc.) is likely providing you a cryptographically signed JSON Web Token (JWT) - secure and trusted
2) The ZUMO token is likewise a JWT - cryptographically signed and can be trusted.
3) You can convert the JWT to the claims that are backing the JWT by called getIdentity() (node.js server SDK) or GetIdentityAsync<> (ASP.NET server SDK)
You can find some information on my blog: https://shellmonger.com/2016/04/08/30-days-of-zumo-v2-azure-mobile-apps-day-5-custom-authentication/ - I'm right in the middle of discussing authentication for Azure Mobile Apps.
I'm looking at the oauth implementation twitter proposes here:
https://dev.twitter.com/docs/auth/oauth
and oauth libraries like signpost:
http://code.google.com/p/oauth-signpost/
they both talk about using the client secret during the oauth flow, which means for my client application, I'd need to store the secret in the application itself. This is probably risky as someone could grab the secret out of my app. Are there any methods around storing the secret within my app? Am I misunderstanding the oauth flow?
Thanks
There are no ways of storing client credentials in a native or JavaScript application without making them practically public. Also, putting those credentials on a proxy server and having the client talk to the server (so that the credentials are not exposed) doesn't really solve anything either. Now you have a problem of authenticating the client to the proxy.
The right solution is to have special support for native applications provided by the OAuth service. OAuth 2.0 uses pre-registered redirection URIs and other techniques to accomplish a reasonable client identity verification for such clients.