What settings/files do I need to alter in the client and server in order to use username/password auth rather than IP based auth?
I have a question about the security of getting access key in auth server:
When the authorization server redirects to the client server with the authorization code in the query param of the URL, and then after the redirection the client makes a POST to the authorization server with a secret key to get the access key. What if someone gets the URL with the query param sent by the auth server and copy-pastes it into the browser, will the auth server give the access key?
I mean they have the same route, and it means it will go through the POST API and use the secret key of that client to get the access key. How do I prevent this scenario?
There are a couple of basic protections here that are sufficient for most use cases:
The connection between the client server and authorization server should use SSL so that the traffic cannot be intercepted.
The infrastructure should be locked down so that attempts to intercept server to server traffic are not allowed.
FINANCIAL GRADE
It is also possible to use stronger secrets between the client server and authorization server, such as an X.509 client certificate. This ensures that if someone manages to intercept an HTTPS request they still cannot use the secret, because they do not have the private key.
OAuth is a framework so there are different ways in which it can be used. In some industry sectors, such as banking, it is required to implement higher strength profiles such as those specified in Financial-grade Client Requirements, which require this type of stronger secret.
PEOPLE RISKS
A rogue employee could potentially steal either type of secret. Bear in mind also though that the Authorization Code Flow requires valid user credentials in addition to the client secret.
My problem is that I want to configure OpenAM so that it returns a JWT token when I use the simplest username / password authentication. By default, it returns tokenId. But in my case, I need only the JWT token. I am using this endpoint for authentication: http://openam-01.domain.com:8080/openam/json/authenticate.
Thx!
OpenAM only issues a JWT when you are using 'stateless' / client based SSO session. If you need a standardised JWT, then you need to configure OpenAM as OIDC provider.
You can configure the OpenAM Security Token Service (STS) to exchange an OpenAM authentication token for a JWT.
In my case, I have a React app (using Next) that needs to use an API provided by a node / express / mysql app.
My idea was to have an endpoint (/login) to provide a JWT token based on user / password (that checks the user in the database and creates a token based on the id of the user) and then use the JWT token to use the API endpoints (those tokens are stored in mysql as well). But in order to do that, and because there is no form, I would have to store the credentials (user and password) in the client side app and therefore they would be readable by anyone. Am I doing things right, and if not, what are the other options to securely make the client side app use the API endpoints?
The React and the Node / Express are on the same domain and CORS is set by default by express from what I read. Also, HTTPS is activated.
generate a web token
encrypt it using the bcrypt npm package
store it in the DB and in a cookie on the client side in encrypted form when the user logs in for the first time
create one middleware which directly accesses your cookie, checks it in your database and keeps your user logged in for a long time if your cookie token matches the database token, like the example below
sample project : https://github.com/karenaprakash/books_review.git
refer to this full application
visit this project. I hope this will help you.
Basically, JWTs allow you to avoid using sessions completely and to not store them in the DB. A JWT is like a passport that you give to a user, that states his ID (maybe username, for example), role and any other data (that is insensitive if someone sees it), so you should never store a password in a JWT.
The security of the JWT basically lies in the fact that no other entity can imitate it (if you use a strong key for the signature) and, although it is possible to encrypt your JWT, you don't have to encrypt it as long as you don't put sensitive data in it. I think you should try to have a look at this website to see how the signature protects the authenticity of the JWT.
So you should make the /login API; this will check your user credentials and then give him the JWT (that states he is user 'joe', for example, with the role 'admin'), and then you check and verify this JWT in your filters to authenticate and authorise the user for the actions in your webapp.
To get the JWT, a user must provide his credentials to you over an HTTPS connection, which will make the connection itself encrypted, thus protecting his credentials from eavesdropping or man-in-the-middle attacks.
I am currently looking to create a private web app with separate front-end and back-end on AWS using nodejs, without signup and 3rd party logins, so with generated usernames and passwords. I have looked over a few posts; it seems OAuth2 only provides more security when I am allowing 3rd party logins or services, because it is an authorization framework. So I have a few questions:
In my case, I don't think authenticating an OAuth2 token is any more secure than authenticating a hashed password. So I don't need OAuth2, am I correct?
Other than SSL on transfer and then using a session token after user login, what other ways can I make the backend API more secure?
Please provide links or examples (best with nodejs).
Thanks,
I need my node server to authenticate a client (username / password provided in HTTPS request) and provide the user's role for authorization.
I'm trying to find out how to retrieve the Kerberos token in node (using node-krb5 or passport-kerberos modules) in case of successful authentication.
My setup is pretty basic:
Client app provides username/password to node server app
Node authenticates the user with the provided credentials against Kerberos
Kerberos provides an auth token that the node app will send to the client
Client sends the token with each request to node to avoid state management in node.
Node app needs to know the user's role that's inside the ticket.
For steps #3 and #5, I'm looking for help in retrieving the Kerberos token and reading its contents to extract the role information.
Any help is greatly appreciated.
I checked an earlier thread but that wasn't answered:
Kerberos Authorization w/ Node.js
Thanks.
Kerberos is an authentication protocol. Most implementations simply don't have any role data inside the Kerberos ticket. Microsoft is the one exception I know of; they encode some group data inside an extension to the Kerberos ticket.
However, unless you have a keytab on the server (SPN in MS speak) you will never be able to read the contents of a ticket. I don't know of any standard Kerberos APIs that provide access to this data. (They may exist, I just don't know of them.)
The typical way that you would get role data for a user is to use the Kerberos identity as a key to search an authorization service. The most commonly used one is LDAP. A typical application would make an LDAP query to get the user's attributes and then use those to make role decisions. (Or look to see if the user is a member of a specific group.)
Lastly, it's hard to tell from your description, but it really sounds like you're not actually using Kerberos in the way that it was intended. An application that is using Kerberos as designed should never need the username/password combo.