I'm testing the Intuit OAuth2.0-demo for nodejs. link
The demo uses the node-quickbooks package within an Express server. The demo works fine but I have a question more about the general flow "best-practice" for a multi user setup.
For example:
You have your own web application that supports many users. The users login to your web application and decide to grant your web application access to Quickbooks.
How would i properly handle multiple users?
Currently, when I authorize the oAuth connection between the web app "demo" and Quickbooks the auth token is stored server-side.
The Express session is not unique to the specific logged in user on the demo web app. When I connect from different devices to my local demo web app they are all using the previously server-side stored auth token.
What is best practice for multiple users?
The demo provided from Intuit was extremely helpful but it did not provide any additional code in the boilerplate for maintaining multiple users and properly storing the access_token / refresh_token / realmId inside a storage (such as Mongo). I ended up merging this demo project with a boilerplate Passport local strategy that uses mongo. I updated the mongoose model to store the Quickbooks Online tokens. This way when the user logs into my webapp via Passport we can just pull the tokens that are associated to there user account inside mongo.
I will probably make a repo for this since I think it can be helpful to others. For now, if anyone ends up finding this thread and has any questions feel free to send a message.
Regards
Related
I'm trying to find the best way to implement authorization. At this time, only thing I need is a simple free account, but later I may include user roles for a "premium" account using a payment system like stripe.
I have already started reading and experimenting with Auth0 but then found some other ways I can do it.
Passport.js + MongoDB, I've seen some examples and work great but I think it is missing a way to control users, rules etc with a friendly panel (like Auth0)
Using Auth0 and setting up a custom database (mongoDB). Also seems to be behind a paywall.
Also found a way to use both Auth0 for authentication and Mongoose for a MongoDB database. In this one, everything is saved in mongoDB except passwords. It's also the only setup that deleting a user from Auth0 is not affecting the MongoDB (which is bad I guess).
So, some questions are
which method you think is better?
What is the difference between 2 and 3,
Is there a way to implement rules in passport (e.g. redirect new users on first login)
If I implement Passport with MongoDB, and my database has hundreds of users, how can I manage them?
A bit of a chaos question but any help would be helpful
The best authorization strategy depends of the scope of your applications in a short or long term.
Monolithic or simple web with Private login
For example, if you will have just a simple(MERN) web with a one simple backend (api rest) or a monolithic application like this mern example with an internal or private login in your organization, your authorization strategy could be as simple as :
(1*) /login express route which receive user/password, validate them in database and returns the clasic jwt token and an array of options (react routes) to which the user should have access
web app (react) must render pages whose routes match with the received routes
web app must send the received token to any api rest endpoint invocation
when api receive the invocation from react web, must validate the existence of token as a header. If not exist, must return a 403 error.
(2*) If token exist, must try to validate it (well-formed, not expired, correct signature, etc).
(3*)If its is a valid token, you must perform a last validation: Is user with "guest" role allowed to execute a DELETE to an endpoint /user/100.
(4*) Classic solution is to have some tables in your database like: user, roles, user_roles, role_permission, permission_option. Option table must have registered all your api endpoints and its method. Also this could be used to create the relation between user <:> web routes. Check this
Modern requirements
Modern and large organizations require:
Social Network Logins
Internal/External Users
Not interactive logins (robots, schedulers, etc)
Several web apps
Several Mobile apps
A lot of Api Rest
For this case, MERN app is not a good choice because is ALL-IN-ONE. Common strategy to implement the previous requirements is to have several artifacts deployed in several servers:
web app (react, vue, angular, linkstart, etc)
apis rest (nodejs + expres, java, python, etc)
authentication/authorization: oauth2 platform/provider, Identity/Access Platforms, etc
If this is your case, you must split your MERN app into several deployable artifacts: web, api and security.
Oauth2
No matter if you are concern just for login or how ensure the authentication and authorization for your webs, apis and maybe your mobile apps, you will need : OAUTH2
You could develop your own security platform taking into consideration (1*), (2*), (3*) y (4*) or use something like:
auth0
keycloack, etc
More details here: https://stackoverflow.com/a/62049409
Your questions
which method you think is better?
I think if you will use auth0, you will save time and effort. With auth0 you just need a simple express app, with some endpoints like /login, /callback, etc. Or if you use auth0 + passport.js, these endpoints are managed by passport.js
I advice you , review how OAUTH2 flow works before to use auth0 with/without passport. This link helped me a lot.
What is the difference between 2 and 3,
As I read, auth0 and another platforms offer a user management service or it can connect to your users service (AD/LDAP, database, api, etc). So
Is there a way to implement rules in passport (e.g. redirect new users on first login)
Yes. You can add some logic when callback is redirected in your nodejs with or without passport.
If I implement Passport with MongoDB, and my database has hundreds of users, how can I manage them?
Nowadays database support a lot of rows. So for your production database try to optimize or monitor it. Another option is to hire a database administrator to perform these tasks.
References
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
https://auth0.com/user-management
https://stackoverflow.com/a/62049409
https://fiware-tutorials.readthedocs.io/en/latest/roles-permissions/index.html
https://dba.stackexchange.com/questions/36935/best-relational-database-structure-for-this-data
https://www.mind-it.info/2010/01/09/nist-rbac-data-model/
Managing single sign on using passportjs for my own web applications - sharing login
https://aws.amazon.com/blogs/apn/how-to-integrate-rest-apis-with-single-page-apps-and-secure-them-using-auth0-part-1/
Facebook OAuth security using passport-facebook
Asynchronous Django, Ajax, Jquery Information
relational models
I am building Angular app that should interact with Xero API. Xero doesn't provide any SDK for Typescript (https://developer.xero.com/documentation/libraries/overview), but Node JS SDK seems to be the most useful lib for my task. But I am in stuck in how to organize the workflow between my app and their https://github.com/XeroAPI/xero-node-oauth2-app . I mean - I'd like to have some advises from the person who has already made similar apps (Angular + Xero) on following questions:
1) in this guide https://developer.xero.com/documentation/oauth2/auth-flow they say that user should open the page with URL like https://login.xero.com/identity/connect/authorize?... - but is there any way to make user log in without UI? If not -
2) how this process can be made in my case? In my Angular app I can make a button 'Log in to Xero' that will open new window:
window.open(xeroUrl, 'xeroAuth', 'location=yes,height=770,width=620,scrollbars=yes,status=yes');
where User log in, provide access to his organisation. The session tokens are created on the backend. But what next? How can I pass those tokens to my Angular app from that new window and then use them to make calls to Xero API?
3) Is the way to open new window for loggin in to Xero suitable for this case or maybe there is a better way to log in to Xero and get session tokens?
Thanks in advance for help.
Unfortunately, SPAs are not compatible with the Xero API.
You'll need a web server to manage your local session (OAuth flow, storage of Xero API tokens), and for your interactions with the Xero API.
While SPAs are a tempting option (they are convenient from a deployment point of view), there are changes coming to how browsers handle cross-site cookies, which break how SPAs perform session management.
I'd suggest reading https://leastprivilege.com/2020/03/31/spas-are-dead/ for more information and a discussion of the implications. The authors of the article created OIDC Client JS which is a great library for doing PKCE-based SPA auth in the browser, though it's only useful for same-domain applications now thanks to the impending browser cookie changes.
Further to this, the Xero API does not support CORS, so even once you complete the OAuth flow, the browser would be prevented from performing API requests from your Angular SPA.
To answer the specific questions:
1) The user will need to log in to Xero and grant consent for your app the first time they use your application. If you're storing server-side refresh tokens after the initial consent, your user will only need to log in to your local session, either via Xero SSO or another mechanism (user/password).
2) To create the initial Authorisation Request, it's best to use the node.js starter app. It will manage the OAuth redirect flow for you (it uses the excellent openid-client open source package for this).
I have to develop a SSO system and I have to do it using IdentityServer4. I have gone through the documentation and examples but I have some doubts. To be honest I don't quite get it, but I am really new in Oauth2 and OpenId Connect.
We will have a bunch of clients (web apps), each of one of those will have their own Web APi. And we have to have a centraliced Login App for all of those. I think the example with the javascript client is the closes to the thing we want to achieve. Also, a user might have permission to access one client (app), but not another, so the IdentityServer must provide information about wich clients (apps), that particularly user can access.
So, These are the things I don Understand:
1.- In the documentation I can read there are two tokens, an Identity Token and Access token. But in the examples all I see are the access tokens. It seems to me that the access token is the one with all de info needed. am I wrong?
2.- Also, I have read about de Grant Types and I'am not quite sure wich one we must use. At first I thought to use the ResourceOwner password, because it requires the client, the secret, a user and a password, wich I assumed it could be the end user. I found this example http://sunilrav.com/post/How-to-Customize-Authentication-in-Identity-Server-4 were one could customise the class that validate the user and password. I thought that this could be the way to go but the documentation statesa about this grant type "...This is so called “non-interactive” authentication and is generally not recommended.". The javascript client example uses the implicit Grat type, wich the documentation states is for browser-based applications (our client apps will all be browser based using react).
3.- can my Login app be a Javascript (react) app? The example Quickstart is made in MVC.NET. This login app connects directly to de IS4 server without asking for a access token? (In the example the app is embebed in the IS4).
4.- Can I protect with IS4 a WEB API which is developed in .net framework (4.6.2) and not in .Net Core? I havent Found Any examples.
the documentatios I followed is the offcial. The examples (quickstart) are also there. (I can't post more than two links).
thank you very much for reading and for your help.
Identity Token and Access token
Identity token is the one that contains the identity of the user, that will tell the client app that what user it is. After successful login, user will be redirected to the client app with these tokens. Response will also have claims, such as permission scopes, name , email you can add custom claims as well.
Access token is used to access your protected web api resource. You have to send the access token with each request to access the api.
Grant Types
Grant types is basically how you want your client app to interact with the auth server. https://identityserver4.readthedocs.io/en/release/topics/grant_types.html
can my Login app be a Javascript (react) app? Your client app can be a javascript app but your auth server that is the identity server which will have the login/signup pages(and other login jazz) and account controllers should be you MVC app. As, everything is already done using MVC and Entity framework, why you want to re do everything.
Can I protect with IS4 a WEB API I am not sure about this one, but I dont see why you would not be able to do it.
This is a good answer for basic IdSrv flow!
UPDATE In my understanding, the answer to which Grant Type to use it depends on your client application requirement. If you want to use a Javascript client you can use Implicit Flow, but you won't be able to use refresh tokens and your access token is not 100% secured with the browser as client can access it.
If you want to open your web api to public then you can use client credentials flow. If you want to be more secure you should use Hybrid flow or HybridClient credential flow. ( again depends on the requirements ). with this you will be able to use refresh tokens and in this way your access token would be more secure.
I am currently developing an API project using ClaudiaJS API Builder to build and deploy it on AWS Lambda with it's endpoints exposed on AWS API Gateway. I am planning to have at least a webapp and a mobile app for this platform, so I'm focusing mostly everything on API's, including the authentication methods(signup, signin, logout, verify account, ect.).
Unfortunately, as I am not using Express in this project, I can't find a good way to build these auth methods since every library I find has some dependency on Express (e.g PassportJS).
My initial thoughts for the login workflow are:
User submits login form containing user/pass stored in PostgreSQL
DB.
Front app calls auth API.
API method compared credentials against the user DB (Using BCrypt).
In case of success, API method generates JWT containing a few user details on it's payload and returns to the consumer app.
Is there any good approach for achieving this goal without using Passport and/or Express? Are there any other libs for this purpose or should I just use a regular db query and generate a JWT in case the evaluation succeeds?
Thanks for everyone in advance.
Best regards,
Enrico Bergamo
I'm a bit confused about how to properly and securely authenticate users using my REST API and provide and option to authenticate using other OAuth 2.0 providers as well (e.g. Facebook, Google, etc.).
Scenario
Users interact with a web application which should consume my REST API. Users should be able to login and perform CRUD operations both using username/password and by using 3rd party services such as Facebook. I will be using SSL to encrypt the traffic to the website and the API.
Without taking the 3rd party login services in consideration and by studying the various questions already asked here on SO, I thought about handling user authentication as in the picture.
Technologies and current idea
The REST API is written using JS using NodeJS and Express. The WebApp provided through another NodeJS instance is mostly AngularJS with templates which consumes the REST API.
My current idea is to let the WebApp handle the login sequence and let Facebook save their token in my DB using the callback. But this solution smells too much of workaround!
Questions
Is the authentication sequence depicted in the image correct?
How is the above authentication sequence compared to the Resource Owner Password Credential flow in OAuth2.0? Is it worth using OAuth2.0 instead of it?
How can I integrate login through 3rd parties (i.e. Facebook)? Any suggestion or (better) example?
References
passport.js RESTful auth
Login with facebook and using oauth 2.0 for authentication of REST api calls
And many others here on SO :)
My 2 cents..
The process looks good to me.. I would re-issue the token on each sign in and also keep it inside a database so tokens can be revoked easily.
Use PassportJS. Its got support for OAuth flows and supports many 3rd party integrations like FB, Twitter, Github etc..and since its a nodejs middleware.. its integration will be very tight within your application..