I'm a bit confused about how to properly and securely authenticate users using my REST API and provide and option to authenticate using other OAuth 2.0 providers as well (e.g. Facebook, Google, etc.).
Scenario
Users interact with a web application which should consume my REST API. Users should be able to login and perform CRUD operations both using username/password and by using 3rd party services such as Facebook. I will be using SSL to encrypt the traffic to the website and the API.
Without taking the 3rd party login services in consideration and by studying the various questions already asked here on SO, I thought about handling user authentication as in the picture.
Technologies and current idea
The REST API is written using JS using NodeJS and Express. The WebApp provided through another NodeJS instance is mostly AngularJS with templates which consumes the REST API.
My current idea is to let the WebApp handle the login sequence and let Facebook save their token in my DB using the callback. But this solution smells too much of workaround!
Questions
Is the authentication sequence depicted in the image correct?
How is the above authentication sequence compared to the Resource Owner Password Credential flow in OAuth2.0? Is it worth using OAuth2.0 instead of it?
How can I integrate login through 3rd parties (i.e. Facebook)? Any suggestion or (better) example?
References
passport.js RESTful auth
Login with facebook and using oauth 2.0 for authentication of REST api calls
And many others here on SO :)
My 2 cents..
The process looks good to me.. I would re-issue the token on each sign in and also keep it inside a database so tokens can be revoked easily.
Use PassportJS. Its got support for OAuth flows and supports many 3rd party integrations like FB, Twitter, Github etc..and since its a nodejs middleware.. its integration will be very tight within your application..
Related
Due to the lack examples of oauth2 in node.js, I can't decide where to implement the oauth2 service. Also, I wanna know what is the meaning of provider in oauth2 and when to create a new one and when to use a pre-made one like google.
I tried to implement a provider in the server-side but I didn't know how to test it.
If there are any useful resources I would be happy to take them.
You should use Open Id Connect (Authorization Code Flow + PKCE) in your Angular app. You should validate OAuth 2.0 access tokens in your API. Both of these components should interact with a 3rd party Authorization Server. There is a learning curve and my tutorial + code sample may help you - feel free to post back if you get stuck: https://authguidance.com/2017/09/24/basicspa-overview/
oauth2 provider means wich service to use to auth, eg server-side will mean the user creates an account on your Server, google would mean users sign in with their google accoutns to your site.
I have a REST API, written with express directly. Nowhere in it do I use session, and authentification is for now done using JWT.
However, I dislike having to handle, save and secure user's credentials, that is when I heard about Azure Active Directory.
Adding passport to my app was easy enought, but that's when trouble started.
First, I had to search what strategy I needed, and all of them seems to require the server to maintain sessions/remember who is logged in, all the while using JWT internally. That seems contradictory, JWT is supposed to remove the need of maintaining session.
Finally, I found this MS example which use the Bearer strategy without session.
After setting it up (changing the config file for the right tenant, client ID, changing the routes for a test app more representative of my API), I tried to use them. The protection work well since I am indeed "Unauthorized". But how do I get a valid token to send?
The MSDN guide that use that quickstart don't mention it at all, just redirecting to the AAD library for Android or iOS, implicitely telling me to develop a test app in another language when I just want a crude tool to test if my test server work at all!
That is especially frustrating since I am pretty sure it is "just" a series of HTTP(S) request on the tenant, and the call to the api with the token attached, but I can't find anything to do just that.
/!\: I know asking for something as vague as "How can I do that" isn't a good question, and this question isn't one. What I am asking is why I couldn't find some tools like POSTMan that implement OAuth and allow to quickly test and debug a OAuth protected API. What are the reason that push MSDN to tell me to write a custom tool myself instead of providing a barebone one?
The code sample you mentioned in the post is using the Azure AD V2.0 endpoint. We can use OAuth 2.0 code grant and client credentials flows to acquire the token from this endpoint.
To compose the OAuth 2.0 request directly you can refer the links below:
v2.0 Protocols - OAuth 2.0 Authorization Code Flow
Azure Active Directory v2.0 and the OAuth 2.0 client credentials flow
In addition, the access tokens issued by the v2.0 endpoint can be consumed only by Microsoft Services. Your apps shouldn't need to perform any validation or inspection of access tokens for any of the currently supported scenarios. You can treat access tokens as completely opaque. They are just strings that your app can pass to Microsoft in HTTP requests(refer here).
If you want to protect the custom web API with Azure AD, you can use the Azure AD v1.0 endpoint.
For getting a valid token to send to your API, you'll need to do an auth request to login.microsoftonline.com and get an access token (in the JWT format). Then you can send this token to your api in the http body: "Bearer ey...".
If you want a full sample with a client app that hits that API sample you tried:
Dashboard w/ all the samples for Azure AD Converged Apps
Simple Windows Desktop App
Angular SPA
Node Web API
I'm facing a problem related to oauth authentication using NodeJS. The main concern is how to connect all to my current architecture. Lets me explain it a little bit.
I have a Cloud API which is a REST API to serve and manage the data. I also have the web client developed in ReactJS (an SPA). My main goal is to allow social authentication without redirect or without to leave the page. For this, I'm using HelloJS and the oauth proxy in the same Cloud API.
Taking for example my Facebook App, the workflow is like:
The user clicks signup with Facebook
The oauth proxy serve as "handshake".
Facebook sends back the token to the web app.
At this point, this approach is working perfectly for me. My main concern is how do I send the token to the Cloud API for registration?, obviously I could add a middleware in the Cloud API to automatically register the user in the database, however I still need to invoke the authentication from the web client in order to exchange that token for a JWT token.
Yes, I'm using JWT for communication with the REST API. I would like to allow local registration and social registration (Facebook, Twitter, and so forth).
It seems odd to me to trust in the token received from the web app without ensure that it is real and not expired. I thought to check it with passportjs.
Advices or recomendations?
Thanks.
I have an application that uses passport with passport-google-oauth to allow Google Authentication with RESTful API endpoints.
I'm looking to create other applications (for example, a Chrome extension) that need to communicate with these API endpoints. How do I secure a REST API with Google authentication in passport? I read a lot of things on securing a REST API in general (i.e. if I had my own login), but how would I do it if my application relies on a third-party login? (ie. Google, Facebook, Twitter, etc.)
Thanks
Passport.js ONLY handles authentication -- it doesn't handle authorization at all.
What you'll want to do, if you want to authenticate a user to your webapp is use something like Google Oauth to let a user create an account on your webapp.
You'll then need to use a separate Passport.js strategy for handling developer authentication against your API service.
For instance, if you want a developer to authenticate against your API using Basic Auth, you could use this Passport strategy to allow this: https://github.com/jaredhanson/passport-http
Hopefully that makes sense!
i'm building a web Api with node.js and a client to consume the service with Ember.js. This client is considered to be "The Official" as the service is intended to be consumed also by third parties (like twitter, facebook, g+, does).
My concern is the security of the API.
The approach i'm trying to accomplish is to implement oauth 2.0 with the oauth2orize module to give access to every registered client the user authorises. The problem with this is the user would have to authorise the official client too, like it was a third party client. I want the authorization to be transparent to the users login into the official client.
Is there a way to avoid the authorization or give it automatically to the official client for every registered user?
Is this the best approach?. My other idea is to use basic (user:password:cookies) authentication for the official client and leave the authorization part only for third parties. In that case, how would i know if a request is coming from a third party or the official client to use the proper authorization schema?
thanks in advance.