I am a first-timer in implementing user authentication on a web application. Below are some details for the app:
Its a hyperledger composer angular2 application generated using yo
hyperledger-composer command
Existing set of username and password available
User identities are successfully issued in composer.
Should I use passport-saml strategy as suggested in https://github.com/bergie/passport-saml? Or is there a better option considering Yo generates angular2 app (many angular 1.x examples available for other strategies like passport-local and passport-http)?
What are the details I will need from the existing database if passport-saml is the best option?
I checked Using passport-http on Hyperledger composer REST API, but it doesn't seem to answer (here the user wants to use userID and userSecret).
See here -> https://hyperledger.github.io/composer//integrating/enabling-rest-authentication.html
You can use the COMPOSER_PROVIDERS environment variable - to specify - the Passport strategies that the REST server should use to authenticate clients of the REST API. You choose, the strategy best suited to you - I can't advise if passport-saml is suitable for you, that's your decision :-) . The parameters (example shown for providers.json) are quite similar to the example shown in the docs. Some of the information from the Github repo you posted already has some sample information in the config parameters section.
Related
--First time poster, mods please let me know if the question is inappropriate/incorrect--
Situation:
I'm working on an app with friends. We have a dedicated frontend layer and a dedicated nodejs server running MongoDB. I am trying to integrate firebase into our server layer so we can login users and handle minting/verifying/refreshing tokens using Firebase Auth.
Problem:
I'm completely lost as to how to use Firebase Auth for this purpose. I've looked through the docs extensively, I first went down the "Getting Started with Firebase on an App", until I realized (I think) that guide was specifically for web applications without a dedicated backend.
Then I looked more into Firebase Auth Admin, which looked more like what I was looking for. I tried messing with custom token creation and other authentication related matters but I fail to be able to log in.
I reached out to friends for help, they recommended getting local login/googleauth working End-to-end using firebase before trying to secure our tokens moreso than they already are.
I'm very lost and not sure if I'm misunderstanding something fundamental or just not applying the right things. I apologize if this is unclear, I'm just trying to allow email/password login using firebase auth to securely authenticate with my MongoDB data (if that's even necessary)
Any guidance would be appreciated!
You're absolutely right with your approach and its possible to use Firebase Auth for just login/signup and rest of all on mongoDB.
There are 2 ways u can implement the Firebase Auth-
Using the sdk provided by Firebase
Using the Admin Auth API
Which ever way you selected, Later on save your UID on your custom Backend (Which is backed by MongoDB)
Just create your API's to verify user identity.
If you're using NodeJs you can follow this tutorial.
I am trying to build a portfolio website using react where I can showcase my projects and skills . I also want a seperate blog section in my website which lists my blog posts. I am aquatinted with node js and rest API so I can create a crud rest API for blog posts locally and use it to get all the blog posts .
How to deploy the blogs rest API online and make it secure such way that only I can access existing and submit new blog posts from my portfolio website after deployment ?
This may be too generalized of a question to give you exactly what you're looking for, but we can hit on some broad strokes to give you some idea.
Hosting. If you're using Heroku or similar, then they have their own instructions and guides on how to do deploy to their system. If you're self-hosting or are required to setup the host yourself, then you basically just need something that will load balance and auto-restart the node application so that it's always running. Commonly, you can use Docker or PM2 (or a combination of both) to do this. You can then put this behind a web server like Nginx or Apache to fine-tune your configuration.
Authentication. If the API is exposed to the public then you need a method of authentication. Commonly, you can use a system that leverages JWTs (login, sign a jwt with the user's ID, then have the client provide the jwt for each protected API request via authentication header or cookie, validate that the token hasn't expired and the user ID is correct, then respond back). You can use a middleware like Passport or write your own (imo Passport may be overkill for smaller projects).
I am using apigee oauth2 service to run the Hyperledger Composer REST api in multliuser mode. https://hyperledger.github.io/composer/latest/integrating/enabling-multiuser.html
In the above link, I gone thru the github oauth authentication steps (https://hyperledger.github.io/composer/latest/integrating/enabling-rest-authentication.html), but wanted to use apigee.
How can I construct COMPOSER_PROVIDERS environment variable object literal specific to apigee? What kind of passportjs module need to use?
the supported authentication strategies for Composer REST server can be found at http://www.passportjs.org/packages/ (search OAUTH2). I did not see apigee there (albeit it uses Node.js passport and passport-oauth2 modules to implement its OAuth 2.0 authorization flow).
Furthermore, we do have an OAUTH2 tutorial - using Google OAUTH2.0 strategy that you can check out -> https://hyperledger.github.io/composer/latest/tutorials/google_oauth2_rest
I looking to authenticate users using OpenID Connect, Node.js, Passport.js against Azure AD. Could you please point me to any resources/docs and/or sample code?
I came across passport-openidconnect. Is this still the active module? are you aware of any other module that I could use for this? If so if you could point me to some sample code that would be great!
There is a passport module specifically for Azure AD called passport-azure-ad
The steps to do set this up are:
Register your application (in Azure AD)
Install all the required npm packages.
Setup your app to use the passport-azure-ad.
3.a Setup the passport strategy
3.b Add methods to keep track of logged in users
3.c Initialize passport while loading the express engine
3.d Add the routes that will handle login/logoff
Use passport to issue sign-in and sign-out requests to Azure AD
Check out the official docs (which include a sample) for code for each of these steps: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-openidconnect-nodejs/
The answer to your question is positive. There are several node.js modules you can use to implement authentication via AAD.
You can use the ADAL for node.js library, which makes it easy for node.js applications to authenticate to AAD in order to access AAD protected web resources. Please refer to https://github.com/AzureAD/azure-activedirectory-library-for-nodejs for details and code samples.
You can use third-party module such as passport-azure-ad, please refer to https://github.com/Azure-Samples/active-directory-node-webapp-openidconnect for the sample which implement the requirement leveraging express and passport-azure-ad.
Any further concern, please feel free to let me know.
I have developed a REST API with sailsjs and I'd like to add OAuth2 authorization to secure this API. I'm quite new to OAuth and I'm not sure where to start.
I found several modules that could be used for this purposes, for instance oauth2orize and an example of its usage https://github.com/aaron524/sails-oauth2-provider-example but I do not fully understand how this is working internally.
Basically, I'll have several clients consuming the API I'm developing:
- clients that I trust and that I'd like to use with the "Resource Owner Credential Authorization"
- clients that I do not trust and that will connect using the Authorization Code flow
I was thinking of adding a trusted property to the Client model within the sails application and then when a user will log onto an application:
- he will have a direct access to its resources (case of the trusted application)
- he will be requested to approve or deny the application from accessing his resources (case of the untrusted application)
Is this a good approach ? Any pointers on how to select the corresponding strategy based on the client trusted level ?
UPDATE
I've setup the following project on GitHub, using several tutorial and projects I found.
https://github.com/lucj/sails-oauth2-api
This project is not functional yet.
I'm still not clear on how to select the correct grant type (authorization code vs resource owner's password) when the user consume the API through an application. How to integrate this check in the policies ?
I do not manage to create the link between the OAuth endPoint (/oauth/authorize, /oauth/token) and the call to oauth2orize. Any idea ?
I finally struggled with Oauth2orize, sails and passport and managed to integrate OAuth2 security of my API in the project: https://github.com/lucj/sails-oauth2-api