I am using the new msal.js for Single Page Applications (https://www.npmjs.com/package/@azure/msal-browser). The good news is I got it all working! So after logging in to Azure AD I get redirected to my app with an access code, and with that code msal gets the access token/refresh token/ID token from Azure.
After this I am using the access token to access my own web API that is hosted on my own on-premises server. I am using Spring Boot in combination with azure-active-directory-spring-boot-starter. This all works fine too.
My question is: my server is contacting Microsoft every time there is a request to the server... why is this? It has got the JWT token from the request, and the server knows the client ID & client secret, so why does it still need to contact Microsoft? What is it doing/verifying? If I close the outgoing access to the Internet it complains "Couldn't retrieve remote JWK set: connect timed out". So it looks like it is mandatory...
Could anybody explain how this is working? Besides this, does anybody know what range of ports need to be opened to Microsoft?
Thanks in advance for your help!
Regards,
Peter
That network call is used to acquire the keys needed to verify the JSON Web Tokens.
Docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-the-signature
More: https://github.com/microsoft/azure-spring-boot/issues/802#issuecomment-571076721
Related
I have a public website developed using .NET Core 3.0 which anyone can access. It basically allows users to search key information about a place.
So whenever a user searches for any place, I store the place information in SQL.
But I am confused about how to secure my web API. Anyone can see my JS and page source and figure out the API endpoint, and then anyone can hit it using Postman.
I have already configured HTTPS but is there anything I can do to secure it?
For this you can use JWT authentication, which is simple & the best way to secure your application.
Visit: https://jasonwatmore.com/post/2019/10/11/aspnet-core-3-jwt-authentication-tutorial-with-example-api
I am developing a Node.js web app that uses Keycloak as authentication service. I already have two clients: public client for the web app (app-web) and bearer-only for the API (app-api). On the app-api I use resources, scopes, policies, and permissions to control the access.
To check the permissions, I am using keycloak.enforcer(...) from the keycloak-connect module (npm keycloak-connect). When I try to check a permission, the server always returns a 403 Access denied response. But if I change app-api from bearer-only to confidential (keeping the same keycloak.json configuration file), the client works fine and is capable of checking permissions.
This problem seems to be because a bearer-only client cannot obtain tokens from the server (keycloak similar question).
My question is: Is this a normal behavior of Keycloak? Why allow the Authorization tab in bearer-only clients if you cannot use the keycloak.enforcer? Am I missing some configuration?
Thanks for your help.
I also stumbled over this bearer-only thing a few days ago. And I also found it confusing that you can enable fine-grained authorization; it took me some time to find that out too. Well, a bearer-only client, as the name already states, authenticates clients only by their bearer token.
I posted this question to the Keycloak mailing list too and the answer was:
It is the expected behavior but also a UI issue. You should not have access to that tab when the client is bearer-only.
They even created an issue: KEYCLOAK-10808
This is similar to what @Valentin mentioned.
If you want to read all the thread: Mailing list response
(Tom Vaga asked a similar question here but Luke's response didn't quite address what I'd hoped to accomplish... I'd comment there but don't have the points yet :-) Thanks! )
I've got a Slim server working well to register and authenticate users for our API, using JWT, allowing only 'authenticated' users to access certain api endpoints.
I'm now trying to set up a SocketCluster for various realtime messaging parts of the app, and I would like to restrict subscriptions to only authenticated users. I may be missing a part of the concept, but is it not possible to use the token cookie set successfully by Slim to also authenticate to SocketCluster? (ideally using the built-in authentication process, and without having to call back to the slim-api?) They're on different servers as sub-domains... Would I have to insert the same secret into the SocketCluster configuration somewhere?
Thank you!
I'm attempting to create a simple Hybrid Application with native API using Cordova.
I am thinking of using a simple remote REST API to retrieve user information.
First-time users have to register on the server to get an account, and then the app could manage all the user's APIs via AJAX calls.
Now, I'd appreciate your opinions and suggestions about:
I thought of using Laravel to manage routing and authentication: are there any contraindications to this approach?
(and the principal question): I've no advanced notions about security... so can someone suggest how to manage security data and remote login?
For example: store user password and username to localStorage, and send username + token to remote DB.
My problem is how to implement security when making remote REST calls, that is, how to pass data for the remote connection.
I hope my questions are understandable...
Thanks
Found a complete tutorial answering my question, via JWT and access tokens.
The link is:
https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps
Very very powerful!
Hope this helps someone,
I've been doing some work with OAUTH 2 in the last few years. I have a few authorization servers and several clients using them.
Anyone who has made an app or some client solution that uses OAUTH2 knows that the client secret can be a problem. One can mitigate this somewhat by using access code grant. There has been talk about using a proxy for the secret.
My question is about the redirect URI - this was meant to protect the Access Code grant process. The Auth server will only return the access code to the redirect that is on file (in the database for that client ID). The issue comes into play with mobile apps. They usually depend on https://127.0.0.1 or https://localhost for a redirect URI. Anyone can get a localhost token, right?
With this being the case, what is stopping someone from impersonating a clientID using the localhost redirect URI? Could I not make a copy-cat app, use the same OAUTH2 sign in flow using the real client ID and if I was able to get a user to login, I now have an OAUTH token to access resource servers with. Am I wrong?
If anyone can shed more light on this, I would be greatly appreciative. I want to learn as much as possible, anything helps.
The attack that you describe is a known weakness when using the Authorization Code grant for native mobile apps. An OAuth 2.0 extension called "Proof Key for Code Exchange" has been developed to mitigate against this threat through the use of a "code verifier" that is dynamically generated and only known by the real Client.
This work was standardized in the IETF as an RFC called Proof Key for Code Exchange by OAuth Public Clients, available at: https://www.rfc-editor.org/rfc/rfc7636