I'm attempting to create a simple Hybrid Application with native API using Cordova.
I think to use a simple REST API remote to retrieve user information.
First time users have to register into server to gain account, and then the app could manage all user's api via AJAX calls.
Now, I'll appreciate your opinions and suggestions about:
I thought use LARAVELL to manage routing and authentication: there's some contraindication to this approach?
(and principal question): I've no advanced notions about security... so someone can suggest how to manage security data and remote login?
For example: store user password and username to localStorage, and send username + token to remote DB.
My problem is how implement security when make remote REST call, that is how pass data for remote connection.
I hope my questions are understandable...
Thanks
Found complete tutorial to my answer, via JWT and access tokens.
The link is:
https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps
Very very powerful!
Hope help someone,
Related
I'm starting up a new project using Couch DB and a react native front end. I was wondering what is the recommended way of doing user authentication. weather it is setting up users in Couch DB or going through, for example, a node server to process user credentials and get a token for them and whatnot. or if there are any other ideas, I'd greatly appreciate that.
CouchDB authentication system is a bit limited:
You can't revoke sessions
It somehow hard to integrate third party authentication (facebook, google+)
Password recovery/reset is not available by default
Since you're building a client application, you can't implement password recovery on the client side. You'll need a backend service that handle this.
It all depends on your need. You can easily start with CouchDB's auth system and add a auth service on top of CouchDB later.
(Tom Vaga asked a similar question here but Luke's response didn't quite address what I'd hoped to accomplish... I'd comment there but don't have the points yet :-) Thanks! )
I've got a Slim server working well to register and authenticate users for our API, using JWT, allowing only 'authenticated' users to access certain api endpoints.
I'm now trying to setup a SocketCluster for various realtime messaging parts of the app, and I would like to restrict subscriptions to only authenticated users. I may be missing a part of the concept, but is it not possible to use the token-cookie set successfully by Slim to also authenticate to SocketCluster? (ideally using the built-in authentication process, and without having to call-back to the slim-api?) They're on different servers as sub-domains... Would I have to insert the same secret into the SocketCluster configuration somewhere?
Thank you!
I am working with Google sheets and node.js and I am able to authorize a user locally and get auth data using cmd using this tutorial https://developers.google.com/sheets/api/quickstart/nodejs but cant authorize it on a remote server like Heroku so I have found an example https://codelabs.developers.google.com/codelabs/sheets-api/#4 but can't really grasp how to implement it in this example https://developers.google.com/sheets/api/quickstart/nodejs.
Thanks in Advance!!
Depending on your requirements and architecture, it may make sense to write to the spreadsheet using a service account. Here is my code for doing that from NodeJS.
Advantages of service accounts:
You don't have to do the OAuth dance (less code, fewer steps for the user).
Your code can write to the spreadsheet even when no user has granted OAuth access.
Disadvantage:
It's hard to enforce different access for different users, as all writes happen with whatever access you have granted to the service account.
I want to implement login and logout functionality and retrive user details like username and user role using Azure Active Directory.
We are using Docker to deploy Spring cloud microservices project on Azure cloud. Could you please suggest me steps to get user details?
Do we need to secure all microservices edge points using Spring cloud OAuth2 security using JWT or just we can secure one web microservice ? Do I need any permission ,specific user roles to implement this?
You can find Azure's documentation about OAuth 2.0 support for AAD here
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
I've got an application that's using OAuth 2.0 with a different Authentication Server, and I'm about to see if I can use AAD as the Authentication Server. But, whatever ends up being your Auth Server, the rest of the application should be the same...
The Auth Server handles the log in (typically as a Single-Sign On pattern)
The Auth Server will return a Json Web Token (at some point, depending on the Grant Type being used to retrieve it)
The JWT should be included in each subsequent request to ensure the caller has authorization
From a Spring perspective, you'll need at least a SSO Client (denoted by the #EnableOAuthSSO annotation). If everything in hosted by that process, you'll need that JWT to call subsequent methods. If you have processes hosted in other processes, it's likely you'll want them secured as well. Using the #EnableResourceServer annotation will configure Spring Security to look for the JWT, just not attempt to retrieve one if the request does not have it.
Unless the endpoint is meant to be publicly accessible, you will want to secure it. Of course, I really don't know the context of your application, so this statement is purely an uninformed opinion based on zero knowledge of what you're trying to do with your application. Take it for what it's worth.
EDIT
This has become a little more complex than I originally thought. I have been able to write some code to dynamically retrieve the public key from Microsoft in order to validate the returned JWT.
But, the main issue is the fact the Azure AD supports Open Id Connect when acting as an Identity/Authentication Server. And, at the moment, spring-security-oauth2 doesn't support Open Id Connect.
I was able to make some small changes to the spring code, but I did ask the question to the Spring group and they are actively working on adding support for Open Id Connect. They hope to have a release two months (ish?).
For the short term, the oauth2 support doesn't support Open Id Connect. Given this is the protocol used by AAD, the current version of oauth2 won't work with AAD. That said, I will be happy to wait for the official support which shouldn't be too long.
I'm working on the web app which will be hosted on the client's server.
There are various restrictions/security measures in place and I'm concerned that these can be "hacked" because the client will have a direct access to the ASP.Net user database through the SSMS.
I can think of few ways to stop the user from doing this, but I'm interested to find out whether there are any specific standards that I should follow?
If the client has direct administrative access to the database, there's not much you can do. If these are the client's login details - why is this then a problem?