I have a project API Rest with NestJS, implements Swagger. Everything working fine, but I need protect the access to Swagger UI.
Is possible protect the Swagger UI with simply user/pass or something like this?
Related
Here is the problem.
I have an .net core web-api application with azure-ad authentication.
When I've added necessary AzureAD section to my appsettings.json file and redirect url-s to appregistration my backend worked fine.
But later I added build of react project to wwwroot folder and now, when I try to call backend method with authorize attribute I get CORS error from Loginmicrosoftonline
[CORS error from Loginmicrosoftonline]
First of all, web api project should be a daemon application so it doesn't have a sign in page as normal, nor a redirect url for AAD. And we can integrate AAD to protect our api but the api shouldn't ask users to sign in first.
In your scenario, it looks like you want to let users sign in in your react frontend app, then generating access token to calling the protected web api. I think you need to refer to this sample to integrate MSAL library in your react app(this sample containing an api written in nodejs, you can ignore api part since you had asp.net core api), and this sample for protecting your web api. You may also take a look at this answer.
And go back to your CORS issue, it appeared because you didn't use MSAL.js in your react app but directly going to the login URL. Microsoft identity platform required developers to use the library. I used to using ajax request to send a get request to the login url, and I got Cors issue as well.
I'm testing out ServiceStack to see how much faster the development is with this product rather than with Asp.Net Core's Web API or similar products.
I have successfully set up Service Stack with my own configuration of IdentityServer4 and everything runs fine.
My confusion is whether working with IdentityServer4 means I am required to now maintain a Web Api project along with ServiceStack? What's the reason the API is there?
I can see that I can make direct calls to the endpoints (requiring Authentication, roles, etc.) and that works in conjunction with IdentityServer4.
Would love some insight on why the Web Api project is needed and whether I can just completely get rid of it, as I was under the impression ServiceStack was a replacement for WCF/Web Api?
ServiceStack's mvcidentityserver project template that's used in the documentation of ServiceStack's integration with IdentityServer4 was an enhanced version of Identity Server's "OpenID Connect Hybrid Flow Authentication and API Access Tokens" example project that used to be maintained at https://github.com/IdentityServer/IdentityServer4.Samples/
The project template contains Auth integration examples with ServiceStack, MVC & Web API. The Web API examples were inherited from the existing IdentityServer's example project, which is optional and can be completely removed.
I'm working on a submission for a conference. I'd like to integrate DocuSign with Alfresco's Angular based developer framework and specifically the Alfresco Content App.
In order to keep things simple, I'd like to think about workflows that could be done 100% from the browser without any backend code of my own.
I suspect I could create a "Sign this document now" type action for any document found in the Alfresco UI. That could initiate an OAuth flow that would not require any backend services of my own.
I think I would need to put my integrator key into the SPA. This would then be visible to anyone using the app. From reading through docs, I'm unclear if it is OK to "leak" this key?
Are there other use cases I can implement in an SPA without adding backend services of my own? Things like, sending a doc out to be signed by one or more people? Or embedding a signing experience in the Angular UI?
I have seen the following series on the DocuSign blog:
https://www.docusign.com/blog/dsdev-building-single-page-applications-with-docusign-and-cors-part-1/
Having read through that and also the REST API documentation, I'm still unclear if it is even possible to implement something like this without any support from my own backend service.
I also have not found any place online where I can reach out to a developer evangelist from DocuSign to discuss my options. I believe DocuSign developers monitor SO, so figured this was the next best thing.
Great question. Browsers implement the Same Origin Policy. So, as I wrote in the blog series (see all three of my posts listed below), you will need a CORS gateway to make API calls from your Angular program running in the browser itself to the DocuSign system.
The good news is that creating a private CORS gateway isn't hard. See part 2 of the series:
Part 1. Introduction
Part 2. Building a private CORS gateway
Part 3. An example React SPA
Authentication
Your app will need an access token when it makes API calls to DocuSign. There are multiple techniques available to give your app the access token it needs:
Your app can, by itself, authenticate the user with DocuSign. In this case, because of the security issues--as you mentioned in your question--you do not use the OAuth Authorization Code Grant flow. Instead, you use the OAuth Implict Grant flow, which is designed for this use case. This flow is demonstrated in part 3 of the blog series.
You can implement the OAuth Authorization Code Grant flow in your server, and then create a private API between your server and your browser app to obtain the access token.
A private API
As an alternative to using CORS, you can just implement your own private versions of the DocuSign API methods on your server. Then your browser app would send a private_send_envelope request to your server. Your server would manage the access token, send the request to DocuSign, and relay the response back to your browser app.
This pattern is the same as your question about implementing a backend service. It will work fine but is not as elegant as implementing everything within your browser app. Depending on your immediate and future API needs by your SPA, this might be a good idea or not.
CORS support is the key
Until DocuSign has CORS support you'll need to build something on the backend. Either a CORS gateway (which only involves configuration, not software) or a private API gateway.
Please ask your DocuSign sales or technical contact to add your information to the internal DocuSign proposal for CORS support, PORTFOLIO-1100. This will help raise the priority of CORS support. Thanks.
Specific answers
Regarding:
I think I would need to put my integrator key into the SPA. This would then be visible to anyone using the app. From reading through docs, I'm unclear if it is OK to "leak" this key?
Answer: It is okay to add your integrator key (IK) to your browser app if and only if the IK is set for Implicit Grant usage (check the "Mobile App" checkbox on the IK's property sheet).
Having read through that and also the REST API documentation, I'm still unclear if it is even possible to implement something like this without any support from my own backend service.
Answer: at this time you will either need to implement a private CORS gateway or implement backend software.
I'm working on a project that uses Bluemixes APP-ID for authentication and are using Node.js for our backend. What I want to do is to be able to login with the App-ID authentication (that uses passport.js) and use this token in my Angular5 project and from there be able to store new user-specific attributes.
What is the proper way of doing this?
Thankful for any answers :)
After some research, it seems like the way forward is to create an endpoint in the Node.js that one then uses with the angular project. Just make sure the endpoint also is protected by the webAppStrategy if using that.
I have to integrate Single Sign-on in existing project. I have basic knowledge of how SSO works.
What I have already in my existing project is -
UI created in ReactJS.
APIs are in Express with PostgreSQL database.
Both are hosted on different server and communicate using APIs only.
What's going in the project -
Registration with more than ten custom fields
Login and Logout.
My need -
Implement Single Sign-on functionality
My questions -
Name of few Single Sign-on providers?
Where custom registration fields will be saved and how?
Which logic implement in ReactJS and Express?
try json web token.
https://jwt.io/introduction/
and there are so many jwt tutorials you can google them.