I am trying to create an application with the following requirements.
Login page for entire application that authenticates against AD
(currently using passport-activedirectory)
This also needs to authenticate against a jira api for the user to create tickets through my application. Should this be done at
initial auth or once the route is hit to send the request to jira?
It's possible that other api's will need to be authenticated against.
I'm trying to figure out the best way/standard way to do this so the user will only have to authenticate through my web application once.
Any direction is appreciated.
Thanks
Related
I have a nestJS app that allows a user to interact with my MongoDB, mostly CRUD operations. However, this is hosted on Heroku which means that anyone can send requests and perform operations on my database.
What I would like to achieve is to have only users who have a valid token be able to use the API. The users would have to send their requests with a token v1/search/errors?token=INSERTTOKENHERE
However, all the docs I've read are getting a user to login to a frontend like you would login to Facebook or YouTube. I have a frontend but the users of the API will be applications and not people so I don't want them to have to interact with a frontend. Ideally, I can just generate a token for the application and then only apps with a token can interact.
I have searched far and wide and have not found anything like this but every public API I have used behaves like this. Any links to docs that explain how I can achieve this would be appreciated.
Thanks
Tokens are a way to identify unique and authenticated users. Login attempt is mandatory for creating a token. You need a Guard implemented to verify each user on API request. Login from a front end Application is not mandatory. You can login from postman sending the right body elements.
I've got a SPA application and an associated API from which it gets its data. (Aurelia and Nodejs)
I have recently worked out the Authentication on the SPA so that it uses MSAL to authenticate users against our company's AAD and is able to retrieve a token that the app can then use to access the MS Graph as well.
However, I also want my API to authenticate against the AAD. What I'd like is for the API to be able to accept the token from the SPA client.
While I am able to send the token from the client to the API (Authorization: 'Bearer'...) I'm not sure what to do with it on the server side to then verify with the identity provider that the token is valid.
For the most part, I don't want the API to have UI concerns (i.e. an authentication/login screen). It should simply reject any requests that do not carry the correct token.
I hope to eventually have both client and server apps being hosted as App Services on Azure, but for the time being they are hosted internally. I think there is a way to ensure the solution works regardless of where the apps are hosted.
Thanks for your help!
I am not sure I understand the relationship between the title and the body of the question: I will answer the body :)
In https://azure.microsoft.com/en-us/resources/samples/active-directory-b2c-javascript-msal-singlepageapp/ you can see an example of web API token validation in Node JS. The service side logic just needs to be adjusted to point to the Azure AD tenant you are using.
The above will work regardless of where the API is hosted, given that the parameters being validated are all about logical identifiers.
I'm facing a problem related to oauth authentication using NodeJS. The main concern is how to connect all to my current architecture. Lets me explain it a little bit.
I have a Cloud API which is a REST API to serve and manage the data. I also have the web client developed in ReactJS (an SPA). My main goal is to allow social authentication without redirect or without to leave the page. For this, I'm using HelloJS and the oauth proxy in the same Cloud API.
Taking for example my Facebook App, the workflow is like:
The user clicks signup with Facebook
The oauth proxy serve as "handshake".
Facebook sends back the token to the web app.
At this point, this approach is working perfectly for me. My main concern is how do I send the token to the Cloud API for registration?, obviously I could add a middleware in the Cloud API to automatically register the user in the database, however I still need to invoke the authentication from the web client in order to exchange that token for a JWT token.
Yes, I'm using JWT for communication with the REST API. I would like to allow local registration and social registration (Facebook, Twitter, and so forth).
It seems odd to me to trust in the token received from the web app without ensure that it is real and not expired. I thought to check it with passportjs.
Advices or recomendations?
Thanks.
During the recent Microsoft Cloud roadshow in London, something that came out of one of the talks on App Service was using AAD B2C for authentication.
It is possible currently to add Azure AD as an authentication for an API App:
Calling this API app from a browser based web app with no authorization header results in a 302 redirect immediately followed by a 401 response.
It was mentioned at the cloud event that it would be possible to call an API app anonymously from a web app, and have the azure App service handle the redirection to the AAD login page, get the token on successful login and then pass the call on to the API app and return the data.
However, I am struggling to see how this can be achieved without any responsibility on the calling web app to handle the redirect. Normally you would handle a 401 response from an API by obtaining a bearer token via AAD on the client side and sending it through as the authorisation header with the api request.
I have been through numerous examples on the Azure site and others and all of them are handling the logon/obtaining the token in the client web app.
Is this even possible?
UPDATE I just realized (as pointed out by #Darrel-Miller that you don't really want to allow the user to put the credentials in.
The only thing that is still unclear to me, is where do you want to provide the credentials for AAD?, What is it exactly what you would like to accomplish.
Even more, why would you use AAD if there no user interaction at all.
If all that you want is a secure connection you can just use the standard application key for the web api without enabling AAD. And its as pretty straight forward to just add the MS_ApplicationKey to your header and you are good to go.
As you described in your comment you have a webclient that tries to do the requests and gets the 302, that is why my original answer wast that you would use ADAL. But now that I get deeper into what you want probably what you want to use is KurveJS :
https://github.com/MicrosoftDX/kurvejs
And it has the AAD app model v2 with Active Directoy B2C.
This makes it easy to add third party identity providers such as Facebook and signup/signin/profile edit experiences using AD B2C policies
You can read more about it here:
https://github.com/MicrosoftDX/kurvejs/blob/master/docs/B2C/intro.md
Do you mean this??
https://msdn.microsoft.com/en-us/magazine/dn463788.aspx
Just use ADAL nuget package to handle the call...
You can read this from the post:
As soon as the execution hits the call to AcquireToken, you’ll get the authentication dialog shown in Figure 8. ADAL takes care of contacting the right endpoint and rendering the authentication experience provided by the server in a pop-up dialog without requiring you to write any UI code.
I hope this works for you!
I'm in the process of building a Google Chrome extension, and have some questions about how to implement security into the application.
I need to access a couple of Google API's so am going to be using OAuth 2.0 for that. So basically from the extension I know which user is logged into the browser.
My extension then needs to get and post data to my (nodejs) API service. I want to ensure that the user requesting data is the same user that is logged into the browser. Is there any way of using the previous Google authentication process to also authenticate communications between the extension and my API? I dont really want the user to have to log in again, to access my API.
I'm sure I'm missing something simple, and I've not been able to find anything that fits this scenario
Follow the OpenID Connect auth flow and you will get an access_token and an id_token. The acess_token you will use to use to make authenticated requests to Google APIs as usual. The id_token will be used as authentication with requests to your server.
When the requests hit your server you will need to validate the token and you can then use the contents of the id_token to identify the user.
User wouldn't have to login on auth process provided if user is already logged in and you are using a web application flow (not chrome.identity APIs) but user would see the consent screen atleast the first time. However you can skip the account selector screen if you already know the email address by providing &login_hint= parameter.