I have a requirement where Multiple WebAPI services(i.e. WebAPI1,WebAPI2,WebAPI3 etc.) work for the same product and as per requirement we need to use single Middleware to Authenticate the request for All WebAPI services(i.e. WebAPI1,WebAPI2,WebAPI3 etc.)
after lots of R&d i found nothing that's works for Multiple API. Guys Please suggest the better way.
Related
I have two Django backends hosted differently, one is an authentication service(ServiceA) that handles everything auth including generating tokens using the djangorest-simple-jwt library. The other is a service for my business logic(ServiceB).
There is a route on the 'ServiceA' that verifies tokens which is token/verify. I currently verify tokens on 'ServiceB' before processing a request, by calling the token/verify on ServiceA which I think is not the optimal way to communicate between the two services. What better approach do you suggest.
Have you looked at JWTTokenUserAuthentication?
This can facilitate developing single sign-on functionality between separately hosted Django apps which all share the same token secret key.
I want to design a SPA which will have Frontend (React) and Backend-Rest API (Node.js, Express, Mongo DB). I am planning to have Single Sign-On in my application where users would be authenticating using MS-Azure AD, where a call would go to Azure AD from Frontend and in return I will get a token for that User which will be stored locally. After that, I want to call my rest API, for multiple GET, POST, PUT operations in the context of current user logged in on UI. Planning to deploy both frontend and backend on different servers so here I have two questions about securing my REST API.
CORS Implementation
User-Authentication on BE
Given the above requirements is it enough to have just CORS implemented or Do I need to again authenticate the User on BE?
Can somebody provide some best practice or experiences? Is there a lack in my “architecture”?
While CORS is definitely a consideration, it isn't Authentication (AuthN) or Authorization (AuthZ) which you need.
Depending on the number of users your application will have, how the back end will scale you might want to look at OAuth2.0 or stick with simpler session based auth but you will need something.
CORS on your back end will limit if a browser running an app on a domain other than yours to call your web services (it wont stop API requests from other tools).
AuthN - Your not logged in - go get logged in and come back to
me.
AuthZ - Controls what your users can and cant do. You might want to
enforce this at the resource level but you absolutely need to within
your business logic.
Further reading https://auth0.com/docs/authorization/concepts/authz-and-authn
Philippe from Pramgmatic web security has a free online course to get you started: https://pragmaticwebsecurity.com/courses/introduction-oauth-oidc.html Its very well paced and should give you some foundational knowledge. (It might let you write off OAuth for this use case but give it a go)
CORS will not perform any user authentication. You need CORS only when your client code is served from another domain than the backend you are talking too. If it is the same server to host static client files and backends REST endpoint, you don't need CORS. If you are unsure, then don't consider CORS at all and see if it works.
But you need authentication to know which user is which.
Use case: I'm building a MEAN stack web app that adds functionality on top of an existing API service. Said service publishes an array of approximately 800 objects (that will grow by less than 25 objects a week). In order to avoid adding lots of load to this service and to speed up performance on my app I would like to "cache" the objects in my application.
My question is what would be the best practice for keeping this "cache" up to date? Express naturally lends itself to RESTful CRUD operations but I don't want to expose a public endpoint that would allow anyone to add or modify the objects from the external service.
What is the best way to restrict access to endpoints that will only be used by the application itself? Does it require a full fledged authentication scheme or is there a way to simply ignore requests that don't come from within the application itself? Or should this be done using something other than a RESTful api endpoint?
The simplest of all solutions would be basic auth which is totally okay if you use SSL. A more sophisticated solution would be Oauth2.
If you don't want to implement an authentication strategy you could require a client certificate in your new MEAN stack service (2waySSL with behavior "Client Certs Requested And Enforced").
Do checkout as well Express-JWT,JWT or JSON Web Token is an easy and light way to add authentication to your api.
I'm trying to call one of Magento REST APIs (say products api) from a NodeJS application using a regular HTTP Request. I know that Magento APIs requires OAuth to authenticate the user/application, and this is where I'm a bit lost.
With Magento or any OAuth application, the end-user who is using the app has to click "Authorize" in order for that application to receive the token, and then the application will be able to communicate directly with Mangento APIs.
In my case, we are talking about 2 servers, Magento and NodeJS, that will talk to each other. So There is no user involve to sort of "Click" the authorize button and validate the auth request.
The point of what I'm trying to achieve is grab product data from Magento, store it in a DB, then make some changes, after that make it accessible via NodeJS REST APIs. (That is a hard requirement and I can't change it).
My question is, Do we have to write custom Magento REST APIs that doesn't require OAuth, or maybe require the regular basic HTTP Authentication (username/password). Or there is a way to use OAuth and authenticate my Node application directly?
I hope my question is clear, if not please let me know and I will try to fix it. Thanks!
After wrestling with a similar situation, I decided to use Magento's SOAP API. All you have to do as far as authentication goes is to set up an API user in the Magento backend and then use the username/password in your API calls (I think, it's been awhile). Not sure if this fits your use case but it saved me a lot of OAuth headache.
I am making a small Rest based webservice. I have used OAuth and other authentication mechanism before but never implemented one by myself. Can some one give direction on how to do this in either NodeJs or even in any other framework.
Use this. It has a lot of examples inside that repo.
Besides of that OAuth I would use some api-key auth (maby generated in your online service). And of course limit the access - protect your servers from too large traffic from a single api-key.