I'm currently attempting to integrate OpenID with a Node.js server by using this library. Logging in is pretty straightforward, but I'm really struggling to figure out how to detect when the user signs out from their OpenID provider.
For example, I'm currently using Google as a provider. If the user signs in to my application by using Google and then signs out from Google on a different site, I need to have a way to figure this out so that I can sign them out of my application as well.
My first approach was simply to hold on to the assertion and then verify it periodically to see if it had expired. This doesn't work with OpenID since the openid.response_nonce should be unique to each request. I can't get a new assertion since that would require another redirect to Google, so I can't do it behind the scenes using ajax. How is this normally done using OpenID? Can it be done at all? Thanks.
There is no way for you to know when the user signs out; there is no such tie between a relying party (client) and provider (server) in OpenID.
The best you can do is to keep track of when assertions expire and/or reauthenticate.
Related
For example if i have build a mobile application and using the nodejs REST api for accessing the backend.
I want to restrict the access of the application with same login credentials on a maximum of two devices.
For example me and my friend can have have access to the application with same login credentials but a third friend must not be allowed to have access to the account with same login credentials.
Can it be implemented with some kind of token. Can anyone please help me in understanding the concept to implement this.
Posting as an answer, since it does appear to be a solution.
It can be implemented with a token, but I think it's important here to maintain sessions. Also, you need to keep track of who is connected to what account, and from what device. You'll definitely need unique identifiers, and to know how many logins the account is already utilizing. If a user logs out, remove that device from the list until they login again. Read up on session management. I have had good success using PassportJS for stuff like this :)
For the last few months i've been working on a Rest API for a web app for the company I work for. The endpoints supply data such as transaction history, user data, and data for support tickets. However, I keep running into one issue that always seems to set me back to some extent.
The issue I seem to keep running into is how do I handle user authentication for the Rest API securely? All data is going to be sent over a SSL connection, but there's a part of me that's paranoid about potential security problems that could arise. As it currently stands when a client attempts to login the client must provide a username or email address, and a password to a login endpoint (E.G "/api/login"). Along with with this information, a browser fingerprint must be supplied through header of the request that's sending the login credentials. The API then validates whether or not the specified user exists, checks whether or not the password supplied is correct, and stores the fingerprint in a database model. To access any other endpoints in the API a valid token from logging in, and a valid browser fingerprint are required.
I've been using browser fingerprints as a means to prevent token-hijacking, and as a way make sure that the same device used to login is being used to make the requests. However, I have noticed a scenario where this practice backfires on me. The client-side library i'm using to generate browser fingerprints isn't always accurate. Sometimes the library spits out a different fingerprint entirely. Which causes some client requests to fail as the different fingerprint isn't recognized by the API as being valid. I would like to keep track of what devices are used to make requests to the API. Is there a more consistent way of doing so, while still protecting tokens from being hijacked?
When thinking of the previous question, there is another one that also comes to mind. How do I store auth tokens on client-side securely, or in a way that makes it difficult for someone to obtain the tokens through malicious means such as a xss-attack? I understand setting a strict Content-Security Policy on browser based clients can be effective in defending against xss-attacks. However, I still get paranoid about storing tokens as cookies or in local storage.
I understand oauth2 is usually a good solution to user authentication, and I have considered using it before to deal with this problem. Although, i'm writing the API using Flask, and i'm also using JSON Web tokens. As it currently stands, Flask's implementation of oauth2 has no way to use JWTs as access tokens when using oauth for authentication.
This is my first large-scale project where I have had to deal with this issue and i am not sure what to do. Any help, advice, or critiques are appreciated. I'm in need of the help right now.
Put an API Gateway in front of your API , your API Gateway is publicly ( i.e in the DMZ ) exposed while the actual API are internal.
You can look into Kong..
I'm trying to build a NodeJS subsystem that is automatically syncing content with Box. I have existing "passport-box" authentication that is requiring user logging in from browser, but this is not an option for me. I need pure server-side authentication.
So, I've came across JWT as a possible way to do this, but I don't have a clue how to start, as I'm new to tokens approach. Possibly, Auth0 can be in hand - but, again, I don't know how exactly to use it.
Can someone point out which libraries should I use and where to connect to in order to construct a proper "Authentication: Bearer ..." header.
Currently I'm using passport-box and box-sdk nodejs modules, but seems like I'll need to change something in my approach, to get tokens without user interaction.
Thanks!
This rule would create a Box access_token for you, provided you re-establish a relationship between your Box account and your Auth0 one:
https://github.com/auth0/rules/blob/master/rules/creates-box-access-token.md
In essence:
Box knows about Auth0 and trusts it to request access_tokens
After a user logs in using any supported way in Auth0, it will run the above rule, that will issue a Box token
The Box access_token is included in the user profile.
Your app uses the token to access call Box API.
I'm creating a REST API server with Node.js and Express + MongoDB.
This API will have different mobile clients (iOS, Android) and possibly a web app later on.
I need users to login in order to perform some API requests. There are no 3rd party apps I want to connect with (no Facebook, Google etc). I also don't want to force the users to visit a webpage or anything like that in order for them to login.
From what I've seen on my many searches on SO, the best approach would be to let users login with full credentials once, send them a token in return, and use that token to verify future requests until it expires.
However, I'm not sure how to implement this.
I'm very confused with all of the different strategies. Is this done with basic authentication over HTTPS, with OAuth, OAuth 2.0, ... ? I just don't know what to use.
Also, I really don't want to reinvent the wheel here, not because I'm lazy, but mainly because of security concerns. Is there a library I could use to implement this? I've heard of Passport, but I couldn't understand if this is doable or not. This sounds like such a generic thing I'm sure there's a simple solution out there.
Thanks!
Now you can use Passport.js with JWT (JSON Web Tokens) with Passport-JWT. It's pretty easy to use.
Once a user is logged in, you send a token to the user. The token contains data about the user, like an id (encoded, of course). On the subsequent requests (at least where authentication is required) you make sure, that the client sends the token. On the server, you can see who sent the request (and e.g. check the user's authorization), just by looking at the token. For more info on how JWT work check this out.
There are different ways to send the token. Just have a look at the docs and it'll be clear. If not, this also helped me.
I feel you need to setup a Token Based Authentication process in your server, so you can make requests from different types of clients (Android, iOS, Web, etc.). Unfortunately, Passport documentation (and Passport-based tutorials) seems to be aimed for "web applications" only, so I do not think you should be using it for those purposes.
I did something similar following this great tutorial: http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543
The client part in this tutorial is based on AngularJS, but can easily apply the same principles in a mobile client (it is just a matter of making HTTP requests including a token retrieved when you post in "/signin" or "/authenticate").
Good luck!
There is an example of RESTful service with oauth2 authentication: https://github.com/vedi/restifizer-example. I hope it will help.
I know that web apps don't normally tie their sessions to the sessions of their login providers, but I have a requirement in which I need to detect when the user signs out of their login provider so that I can sign them out from our application as well.
I currently have passport set up on my Node.js server. The login was very easy to implement and it's been working fine, but I haven't been able to find documentation on polling the current status of the user's session on the provider's end. Does passport provide a means to check this status? Calling the authenticate route again always does a redirect so I'm looking for a simple and ajax-friendly way to get a yes or no answer to the question: 'Does the user still have a valid session at their login provider's end? Thanks
This is going to depend on the provider and the protocols they choose to implement. What provider are you using? What protocol is used to authenticate?
Currently, SAML is the only widely-used standard which defines facilities for federated session management. Even in that case, I'm not sure how common those profiles are, since it is typically used for authentication only.
As far as Passport is concerned, that module is focused solely on authentication. Session management and logout are separate (but related) concerns. I'd like to develop other modules that work in conjunction with Passport; however, lack of deployed standards make it difficult.