I'm using serviceStack for my first api service.
I have my own table "MyApiKeysTable" where I store multiple api key for users.
I use Entity Framework.
If I use OrmLiteAuthRepository it create it's own apikey table.
What I have to do to use my own table "MyApiKeysTable"?
(I don't want to use OrmLite but stil continue to use EntityFramework.)
There is some example?
You can't use your own ApiKey type, ServiceStack's API Key AuthProvider resolves its API Keys from Auth Repositories which implement the IManageApiKeys interface which all ServiceStack Auth Repositories that support API Key persistence implements.
You would need to create your own Auth Repository like the OrmLiteAuthRepository and implement IManageApiKeys how you like, but it needs to at least return a class that inherits the ApiKey class.
Implementing your own Auth Repository requires a fair bit of effort, which I'd recommend against as OrmLite is a lightweight code-first POCO ORM that only needs its OrmLiteConnectionFactory configured with a db connection string, you can still use EF for the rest of your App, but I'd be taking advantage of the existing Auth Repositories.
The alternative is to ignore ServiceStack's API Key Auth Provider and implement your own that uses your preferred data access libraries, you can use ApiKeyAuthProvider implementation as a guide.
Related
I have one use case to call on-premise REST API via Cloud Connector. It is a custom API in SAP R/3 system. I checked with API developer and unfortunately they have no OpenAPI specification for it. Thus, I could not use OpenAPI generator to generate library.
Is there any other way to call on-premise REST API in such scenario like native call with connectivity service? We might have some more use cases with the same situation in future.
Is it possible to provide a generic REST client similar to OData?
For your use-case you could leverage our HttpClientAccessor to instantiate a HttpClient.
HttpDestination destination = DestinationAccessor.getDestination("my-destination").asHttp();
HttpClient client = HttpClientAccessor.getHttpClient(destination);
HttpResponse response = client.execute(your-http-request-here);
You can read more details here
I have a naive question.
I am looking for some web application that implements Authentication and Authorization mechanism using api keys.
Example Case: Users authenticate themselves using an api key (apikey generation
mechanism is either GOOGLE or any other free service). The logic identify the user along
with the provided apikey and release resource access delegation accordingly]
For me the optimal case is to use Grails framework with oracle database.
Is there any web application for that?, otherwise how would I follow step by step to accomplish it?
I would do a search on the Grails plugin site for oauth plugins:
http://plugins.grails.org/
Look at what they offer, and maybe look at the code to see how you can extend them to get what you want.
I would also take a look at the Spring Security Rest plugin.
It really depends on authentication methods that you're using. I suppose in order to secure REST APIs, you can probably write a filter/interceptor to check against any third party auth that you desire. I reckon that you're probably having the idea of using JWT authentication for this, right?
I read these two articles 1.here and 2.here to find out what is best way to perform authentication against an Azure Mobile App when the API on the server is using Claims based custom authorization and the Xamarin client calling it is using the MobileServiceClient framework. I am unable to finalize which of the two examples in those links is the better way to go.
In the first link there doesn't seem to be any dependency on platform specific code like it has in the second link, which means I don't need to write any code in the Driod or IOS or Windows projects and can get away with doing everything in a class library itself.(Am I right here?)
Also, the first link seems to not require any provider like the second link does because I am invoking a direct service call to a Url. The second link on the other hand only seems to support Facebook, Twitter, MicrosoftAccount, Google and WindowsAzureActiveDirectory. The mandatory MobileServiceAuthenticationProvider parameter doesn't seem to provide for Custom Authentication against a sql server based User table. I am not sure about this part and cant find documentation that says otherwise.
If LoginAsync doesn't provide for Custom Authentication then its clear that I will need to follow the InvokeApiAsync route. If it does provide it then the question is: should I write platform specific(Droid/IOS/windows) code in each target project like in the second link or should I handle all the service calls in a class library as can be done in the example shown in the first link? In other words should I go with LoginAsync or InvokeApiAsync? Which of the two is the recommended way?
The first article shows off custom authentication, as you intimated. The second article shows off App Service Authentication, which has a known list. If you need to do a custom username/password, then go with the former. If you need to go with social auth or enterprise auth, then go with the latter.
My general recommendation is don't require the user to create yet another username unless you have to - which means social authentication for consumer apps and enterprise authentication via AAD for enterprise apps.
My other recommendation is to always use the client SDK for doing the authentication part. This allows you to follow the very latest practices from the provider (facebook, twitter, etc.) in respect to security, refresh tokens and other authentication requirements. Once you have the provider token, it's easy to swap it for an Azure Mobile token by using LoginAsync() with a token. See the Azure Documentation for information on this.
In all cases, you are going to need platform specific code - that means using the DependencyService (as in the second example) to execute your login code. I generally create a singleton class that wraps the MobileServiceClient in the PCL. Then create an ILoginProvider interface which has LoginAsync/LogoutAsync code in it to handle the platform dependency code. My singleton class then calls the DependencyService to get the code. You can find an example in my GitHub Repository that covers iOS, Android and UWP.
I am currently building a web app using node.js and AngularJS.
I am using loopback.js in order to construct the API and associated models. Loopback provides its own User model, role system, and ACL tools, and makes it almost trivial to setup security for the API itself. However, being an API framework, it does not offer (to my knowledge) solutions for providing access-control for routes.
I would like to use the security model provided by loopback in order to secure routes as well. For example, if a user is logged in via Loopback, I would like to use that session data in order to control which urls the user can access in my app as well, other than the API.
How would I go about this in the proper way? For example, is there some way I can integrate the auth data provided by Loopback with Passport or similar auth framework?
LoopBack is unopinionated on the session mechanism you use. It simply provides tokens and controls access via token verification. For your case, I assume you want to use the combination of both. Take a look at these two examples for a more in depth tutorial:
https://github.com/strongloop/loopback-example-passport
and
https://github.com/strongloop/loopback-example-access-control
and finally the docs:
http://docs.strongloop.com/display/LB/Advanced+topics:+access+control
Can I use spring-security-rest as a replacement of Oauth?. My app has server side part and java script client side part where I found that spring-security-rest plugin fits most. But I want to be able to authenticate other apps who want to consume my service (I want to be something like Oauth provider). Does spring-security-rest plugin support this? or should I use another plugin?
The plugin is not a fully OAuth provider. Or said in OAuth terminology, is not a full Authorisation Server.
In that case I recommend you Spring Security OAuth 2 Provider Plugin
If you are looking only for a simplistic token based authentication for your service, you could leverage the spring security rest plugin and tweak it a little bit based on your need without having to implement the full blown Spring Security OAuth2 Provider plugin. I managed to accomplish something similar with by extending some of the base classes of spring security rest plugin to modify the login payload and authentication and exposed a token/validate as a REST endpoint. I put up this as an independent authentication service that uses the /api/login API for token generation in tandem with the /token/validate to accomplish some kind of validation on token. Not a full blown Oauth scenario but serves the purpose of authentication between consumer and provider services.