Our application is currently written in .NET Framework + Razor, and traditional Membership authentication.
I am trying to modernize it, so I stawted to work on a .net core + react solution, but it has to cooperate with the existing application.
So currently, we have the old monolit, and an other .net core apis, called by react. The react is embedded inside the Razor.
Now I need to choose what authentication to use. I guess membership and other session based authentications can't be used, because there are multiple apps in multiple domains. So I need tokens.
I am not really sure about which solution can or should I use. I know buzzwords like bearer token, .NET Identity, OAuth + OpenId, but can I use any of them in this situation, to use it to protect the API and as well for the "traditional" razor app?
And where should I store the token? Should I store it in a session of the razor app, and pass it to the React too?
I need a solution where user credentials are stored in our own database, not something list Google's or Facebook's single sign on.
Is there a good tutorial for this?
You're asking for a lot here. I would suggest brushing up on this topic from the beginning. If you only know the buzz words you won't get anywhere quick. I can give some quick advice but if you aren't familiar with the basics this won't really help. There is no quick solution for your answer.
I would suggest authentication on the edge of the application to achieve a nice separation to work with the existing app. I would create a light weight method that receives the request from the client and gives the api gateway proof of the user identity in a way the API can verify. I would go with OAuth and OpenId Connect protocol to achieve this separation. Also, take a look at IdentityServer, it is an open source product that makes it easy to implement single sign-on and access control(Authentication) in web applications and HTTP APIs.
OpenId Connect to authenticate users
OAuth to limit collaboration for these light weight method calls
JSON Web Tokens (JWTs) for user identities
Now the problem with this solution is that there is a high level of trust between this light weight method call and the rest of the system. The principle of defense in depth would suggest to implement a layering strategy, so that if this layer is compromised another layer is there as the next line of defense. I'll leave the rest up to you.
Related
I am used to develop web apps using the Meteor JavaScript framework, which handles authentication. I am now developing for the first time a web app using a Node.js (Express) + GraphQL stack on the backend, with React on the frontend, so I have to handle authentication myself.
I read a lot of things about it, and I like the idea of token based authentication. I am thinking about using JWT, so I don't have to deal with sessions.
I know there are a lot of tutorials, but each one always has a sort of disclaimer like : "this tutorial is not production ready, use it for educational purposes only...". Every time I read something about authentication, it seems to be something so difficult to implement that I shouldn't implement it myself. But I don't want to use services providers like AWS Cognito, Google Cloud Platform because I want to keep my users data in my own system and database. I don't want to be tied to a third party provider.
I know how to generate jwt tokens, refresh tokens, how to verify them, etc... I am able to develop a working auth system, but I am never sure I do it in a secure and production ready way because of all those comments I can read on the Internet.
So, what would you recommend to implement a secured and production ready authentication system in a Node.js server without being tied to a third-party provider. Do you know any complete tutorial or documentation about it?
There are several approaches to implement authentication for an application.
Use a identity server manage by you
Use a fully manage service for authentication.
Use authentication middleware.
Write your own authentication solution.
If you are afraid in vender locking I would suggest to use an authentication middleware like PassportJS which will facilitate the abstraction of authentication strategy with its implementation.
On the otherhand writing your custom authentication can be challenging in terms of security, specially finding snd fixing these vulnerabilities.
I have in the past done a hand rolled app that stores a user token on client side $window.sessionStorage.
I have since then realized this is not safe. I am now looking for the most safe, standard way to secure an app that uses a node/express backend api that I will make, and also uses a front end that makes requests to this api such as angular for web or a native mobile app. Plus, whenever I would close the browser, I would have to re-log in because the $window's session storage was wiped out.
From what I've researched thus far, one of the safest ways to date if you're going to handroll it is to store a jwt in an http only secure cookie.
However, I'd kind of like to use a service that already exists, such as oAuth. Couple questions:
1) How safe is oAuth in terms of keeping ownershp of your userbase? What if 3 years from now oAuth just suddenly or slowly dies out? Aren't all my users technically stored on their server? How would I keep my users native to my app?
2) If I'm going to be creating a startup app in the same realm as snapchat, twitter, tumblr, etc... would it be generally recommended to use a service like oAuth to handle my authentication? Of course the future is unknown, but assuming the best, that my app would reach millions of users, would using a service like oAuth still be a smart choice? It seems like once you start using oAuth, there's never any going back to storing your users in your own database a year or two down the road.
Thanks
OAuth is an open standard for authorization.
Maybe you're thinking about Auth0. There are a lot of services that can handle user authorization for you, including Auth0, Stormpath, Apigee, UserApp, AuthRocket or Amazon Cognito. Whichever you choose, make sure that you can get the database from them in case you want to stop using their service. Not everyone explicitly offers an easy way to leave them but if that's important for you then make sure who suits your needs and who doesn't, and base your decision on that.
As for OAuth, see the https://en.wikipedia.org/wiki/OAuth article.
There's a huge list of OAuth providers on Wikipedia but those are services like Twitter, Google or Facebook. In a way you can use one of those services to manage all your logins but as soon as they see you as their competition, you're in trouble. I've heard stories like that.
Some interesting read on the subject:
The dangers of OAuth/Social Login
Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
OpenID Vulnerability report: Data confusion
Social Login Setups – The Good, the Bad and the Ugly
At the moment we are building a web shop as a SPA application. All the SKU information is provided by a Web Api 2 service.
Of course the web shop is publicly available to every visitor, and currently there is only one user who can log in to manage the web shop: the administrator.
For the administrator we built in the basic authentication with the bearer token, as a lot of samples on the internet shows us, but now we need every user to log in before they can see any product. Not really what we have in mind for a web shop ;-)
What we would like to implement is that our Web Api is not available to the world but only for our SPA application. Every blog post or tutorial on authorization seems to assume that there is always a user that needs to log in, in our case there is only one user: the administrator.
The AllowAnonymous attribute makes specific API calls available to the world again, so that's also a dead end.
Basically it comes down to preventing any other apps (web or mobile) to fetch the data from our Web Api.
What would be the best and most secure approach to secure our Web Api without having the anonymous visitors of our web shop to log in?
Solution for now: Altough I'm not 100% happy with this solution, it will work for now. We implemented the OAuth Implicit flow with CORS enabled for specific domain.
You should take a look at the OAuth 2.0 client credentials flow. The client in OAuth speak is the application and not the user using the application. This way you can make sure only your SPA app can access the backend API.
The parts that only should allow access to the administrator, you can decorate with the [Authorize(roles = administrator)] attribute, which prevents any other roles from having access.
I think Json Web Token could help you with this. This article has more information about using Json Web Token for granular authorization of your web api.
OAuth 2.0 is inherently insecure, and solely relies upon SSL. It has no encryption, and most of the latest web api gurus are suggesting that it's dead. This again is relative to what you need the security for. If it's for a social SPA where the data isn't financial or medical, for example, and good enough SSL security is ok, then perhaps OpenID or OAuth2 is suitable.
A much better solution is to implement Identity 2.0 for the Web API authentication flow, and then utilize something like Hawk Protocol for HTTP MAC implementation. Check this out : https://github.com/webapibook/hawknet for an example.
For OAuth2 framework and a extensible solution, check out Thinktecture.IdentityServer3 on GitHub
For a lightweight .net 4.5 Web API Tokenization solution, check out Thinktecture.IdentityServer2 on GitHub.
Hope it helps.
I am making a small Rest based webservice. I have used OAuth and other authentication mechanism before but never implemented one by myself. Can some one give direction on how to do this in either NodeJs or even in any other framework.
Use this. It has a lot of examples inside that repo.
Besides of that OAuth I would use some api-key auth (maby generated in your online service). And of course limit the access - protect your servers from too large traffic from a single api-key.
I am a complete beginner, and have just started learning about web development. Now I am asking myself some questions regards REST API: Does it make sense to secure a REST API with authentication? If so, what are the common ways of doing this?
I am under the impression that REST API's are precisely there because we try to enable many different users to access them. Now I would like to write a small application which makes requests to a node.js server and gets some stuff back. All via REST API.
However, I do not want others to be able to make similar requests to that server though. How would I best secure this? Am I misunderstanding something big time here?
Not authenticating the REST APIs means you are allowing everybody to hit your REST endpoints. It is a better practise to authenticate REST APIs and allow only certain users to access the APIs. The link might help you to have a start.
It is super simple: when you provide a service, most likely, you only want to allow certain, authenticated users to call that service. In other words: it is possible to have rest services that work without any kind of authentication - but is rather the exception, not the rule.
The more common approach is that, say a hotel only allows people with a key to enter rooms. Same story for services ...
And there are many ways to do that, see here for a starting point.
Authentication is important for REST APIs because you only want certain users to access your data via GET api and/or be able to make modifications to your database via POST api.
JSON Web Tokens(JWT) is the most commonly used authentication framework. Here's a very basic tutorial about how to authenticate node js API with JWT.