Is there any way to validate an LTPA token previously generated from IBM Tivoli federated WebSphere Application Server in my Node.js application?
I have checked "ldapjs", but I could not find something to validate LTPA token.
I have written a small library for this purpose: https://www.npmjs.com/package/ltpa
Once you've extracted your server key you can use the library to validate and generate LTPA tokens.
There is a Java API related to WSLogin which allows you to validate LTPA. (Technically a re-login here.)
But I don't think you can use this with Node.js.
But my preferred way is to use BASIC authentication using a URL POST from your app.
This requires a provider (WebSphere) to expose a URL for you.
Is there any way to connect DocuSign with API keys only? I am using the docusign-esign SDK. I am creating the envelope at the backend and sending an email to the user to sign it.
Currently, I connect to it with the header X-DocuSign-Authentication and it works perfectly in the dev environment.
How can I connect to it in the production environment?
You are using legacy auth which is not as secure as using OAuth.
We highly recommend that you don't use legacy auth, and in fact we will very soon require it and not allow you to create an integration using legacy authentication (the X-DocuSign-Authentication header).
You can use JWT such that the user doesn't need to authenticate each time you use your app. You would only need one time consent and you'll never have to login again.
Please don't use X-DocuSign-Authentication to ensure your app is as secure as possible!
I have a JWT retrieved using a usernamemixed endpoint in ADFS 3.0 and now I need to validate this token from a Node.js application. How do I achieve this? I know how to validate this token from a WebAPI. I need to do pretty much the same thing in a Node.js application. Can I rely just on validating the signature of the token (Token Signing Certificate) in Node.js, or can it be spoofed?
Token validation includes signature checks, but that's not all; you need to check for validation, audience, issuer, etc etc (see http://www.cloudidentity.com/blog/2014/03/03/principles-of-token-validation/).
This is normally achieved by using a validation library that reads the issuer metadata and uses it to validate incoming tokens. If you were using ADFS "4.0" you could simply take the Azure AD web API node sample in https://github.com/Azure-Samples/active-directory-node-webapi and point it to ADFS instead. ADFS "3.0" doesn't expose metadata using the OpenID Connect discovery spec used by that sample, hence the code won't work as-is. However, it does provide the same info in its WS-Federation metadata doc. If you implement the same scenario using the ASP.NET middleware and capture the network trace, you'll see how you can implement the same check yourself. If you can upgrade your ADFS instance to "4.0", that would be vastly preferable: way less custom code necessary.
I am building a secure REST API on a Node.js server so that my Android application can access the data on my site. Based on reading some other posts, I've come to understand that I should use an access token. So my idea is to do the following:
1) When the user logs in on the Android app, the app sends a request to /api/login on my site, providing the username and password (this of course needs to happen over SSL to guard against eavesdropping).
2) My server validates that the username + password match, and, if so, responds with an access token.
3) The app uses this access token to make all subsequent requests to my API.
My question is should I store the access token in the database on my server? Specifically, should I store the fact that the access token is associated with that particular user? Most tutorials I looked at did not do this, but if I don't, then what is to stop a user with this access token modifying or viewing the data of another user? Don't I need to pair an access token with a user in my database?
Try using this library; I did the same type of project and this life saver was my solution.
If you need to build a secure API, things are a little more complicated. You need to sign the access token with a private keystore.
Would it be an option to use an authentication service like Auth0? They generate a JWT token for you and you only need to validate this token. The API is completely stateless. You can find a lib for almost any programming language on their website.
What you want to do is exactly what HTTP sessions do.
So, I think you can just use HTTP session functionality. It's already implemented in WAS frameworks like Django, Spring etc. If Node.js provides session functionality, just use the session functionality in the framework. If not, look up an HTTP session library. You can probably find many libraries that provide a session implementation.
I need to create an API application which will be accessed from different platforms (web, WPF, mobile). The API will be hosted on Azure and the clients will be different websites and desktop/mobile applications. The API needs to know the username to return user-specific information.
I have some problems with authentication right now. I used the idea from this thread on how to do forms authentication to the API, but there is a problem there: I have to authenticate each request to the API, because the cookie which I created in the previous request is not stored for the next request.
I am thinking about creating a custom solution there: when a login request is sent to the API with username/password, return some kind of token which I will store on the client and pass with each request. In that case I can override AuthorizeAttribute and validate the token.
But I don't believe I should create a custom solution and would prefer to find a way to use something Microsoft did for me.
What will be the best way to authenticate to a Web API from different platforms?
In case I return a token, what is the best way to create it, encode it, expire it...?
There is nothing available out of the box currently, to the best of my knowledge. With OWIN, there are things coming up. You can take a look at the Katana source code (Microsoft.Owin.Security). For JSON Web Token, Microsoft has the JSON Web Token Handler. More info here. The JSON Web Token Handler can both create and validate JWT. You can use the same library to issue and validate JWT respectively from the token issuer and your web API. Creating all this infrastructure is not easy. Thinktecture identity server and identity model can make these tasks easier for you. Both are open source and you can take a look at the source code on GitHub. Check out this and this. Another good resource is Dominick's blog.
I am creating an API using Node.js and Express. I need to provide local username/password authentication. I may need to provide additional authentication in the future so I am using passportjs as it seems the most flexible/pluggable.
The API will be used by a web application as well as a mobile application. Instead of having to pass the username/password with every single API request I was thinking I could let the user log in and provide the client with a token. The client can store the token and provide that on each API request.
I have looked at using JWT tokens, i.e. http://coderead.wordpress.com/2012/08/16/securing-node-js-restful-services-with-jwt-tokens/. However I am not really sure how to create a secure token with JWT. I have read that using the username in a token is a bad idea. Has anyone used JWT in Node to create tokens? Got an example?
Any other modules for Node that I can take a look at for token generation?
node-uuid is the module you are looking for. I use it to authenticate the users and any task that requires a random and unique identifier. Encoding the credentials in the token is generally a bad idea.
It is already built into Node's crypto package.
http://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback