I am planing to write an API for a mobile app. To lower the barrier for first time users i do not want a login screen on the first start. So what I want is, if the app notices it is it's first start it should register itself:
/register
A standard User should be generated like Name: GuestXX43, Authtoken XX43-58asda5-54asd, some additional Data
The user is now able to make other endpoint request due to its auth token.
But how do I check for the correct auth token on every Request?
/user [Update]
the user is also able to update his username and password to reloggin on another Device.
Which auth method will suite these thoughts, is there any doubt using this kind of auth flow?
Thanks guys
Are you using Google Cloud Endpoints? If the user credentials is set in some header, you can retrieve it in the backend via injecting HttpServletRequest in Java or check HTTP_YOUR_HEADER_NAME environment variables in Python.
Also you can try custom authenticator if you uses Java; this post can be relevant: Google Cloud Endpoints and user's authentication.
Related
I have a Java+Spring application.
Assuming the browser settings are all correct and site is allowed, is it possible to retrieve logged in AD user credentials from an http request? Which fields are they? AUTH_USER? Are they coming with every request (GET, POST, PUT, DELETE etc).
I've successfully integrated AD authentication, with the user manually typing in their AD user and password. Now i am wondering, can login be done more automatically, retrieving credential from a browser's request?
I don't think this is possible. If you want an elegant solution instead of checking each user/password in your filter for example, have an eye to JWT. You could encapsulate your AD user in it and send the token to the client, itself sending back to you in a header.
The counterpart is that you have to integrate all the jwt part, as long as JWT is not native in Spring. I'm currently working on a personal project to integrate jwt and that's not so easy for someone starting with Spring Security.
This link seems ok for Spring
I have access to a web application which has a link to another application I'm developing. When that link is clicked the URL is filled with two parameters: user, and token.
This token is generated per every user login on that very same web application.
I want to use that token and user to authenticate someone in the application I'm developing!
I have access to the source app's database in order to query against the token and username.
However I need help finding a way to implement this logic with Spring-Boot. Do I need a custom filter / authentication provider? How to wire these things up with Spring?
I want to stick to the framework rather than developing my own solution for this.
TL;DR: I need help securing a RESTful controller with a token I obtain through GET
Thank you!
Yes, you could write filter to authenticate token.
If you want make architecture a bit better I would recommend creating gateway (i.e. Zuul) and invoke second application through gateway. Implement gateway to authenticate requests. In my architecture I create separate Auth component to generate token and validate token. Gateway could call Auth to validate token.
I have a web application that provides several rest services (Jersey). Most of the endpoints are secured by BASIC authentification. Further more I use SSL for transport and demand POSTs for every call.
The clients/consumers are android apps.
So far so good. The only service that seems to be vulnerable is the registration. It's the 'first' service to call and a user does not exist yet. So I cannot use OAuth, etc. I also have to keep the endpoint easy accessible to enable the user to regster.
How do I secure this service, so it's not spammed by a bot flooding my database?
How about these?
Use a registration link with a token in the request parameter. Ensure that the tokens expire after sometime. You could create a token endpoint url as well for a client to get a valid token.
Use a custom header or a dynamic custom header in your request. Additionally, you could check for a dynamic custom header to validate the request's authenticity.
Use registration confirmation workflows, such as an email / text verification as soon the registration is done. Run a process every day to delete any user accounts, which are not validated in say x days.
I do not think you can really secure the registration URL in a HTTP way. IMHO, anyone who has the registration url can be a right guy trying to register. So if you ask me, option 3 is better than others.
I am making an Android app which will fetch data from my API.
First thing my app will do is to let users signin using their credentials.
My question is does my API need to handle sessions? or should I authenticate the user for every request?
Will the native android app hold the user credentials on the device and send them along for every request after signing in?
I am using Retrofit. How would I send user credentials after they have signed in?
This will be a good time to take a deep dive and read into OAuth. Your use case seems to match perfectly. There are 2 main steps you will need: Authentication and Authorization. I have briefly explained them here: Authentication of a resource in Dropwizard. You can ignore the DropWizard part, the REST concept remains the same. The short version of the description could be like this: A user installs your app on the phone. They authenticate ONCE using their username and password (POST request to your REST over SSL). Your service authenticates the user and return back with a "refresh_token" and an "access_token" which the app saves on its side while you map and save the access_token/refresh_token on service side with the user. With every subsequent request your app is going ot send the "access_token" as a part of "Authentication" header which you, on the serverside, will parse and check if the access_token is still alive (assuming that access_token expires) and if it is alive, then complete the authorization/authentication process. If by any chance, the access token has expired, 401 will be returned back to your app. The app will have to then use "refresh_token" to get a new access_token and once approved with a new access_token (which again ofcourse is mapped on server side to the user's identity) all the subsequent calls will use the new access_token, till the time it expires. This is a simplistic version of OAuth and does not follow the specs to the letter. It's a very basic authentication/authorization flow to get you started. I hope this helps!
I need to make a simple query SELECT url FROM url_like WHERE user_id={friendId} in my Facebook app that I build with help of Spring Social. To do this I use authentication code provided by this library. The authentication works fine. But the query mentioned above returns an empty array. I would like to emphasizes that all the needed permissions are given (user_likes and friend_likes). However similar access token given to me by facebook graph explorer works perfectly.
Access token debugger from Facebook says that both tokens are valid and have needed permissions. The only difference in the duration of token validity: my app gives token that expires in 2 months and Graph Api gives for an hour.
What is the reason of this strange behaviour? Why token given by my app with needed permissions is unable to make this query. How to fix this issue? Thank you in advance.
UPDATE
Ok, it seems that Facebook gives access token for application that is different from access token of a user. So now the question is how to get user's access token with Spring Social Facebook?
You need to submit a post request to spring social ConnectController for the specific provider e.g. http://wwww.yourdomain:8089/connect/facebook. Spring social then will redirect the user to facebook authorization page where the user will grant your app with the asked permissions and send back a code to your server. Spring social then will exchange that code for an access token. You need to establish a connection for that user to be able to perform requests against FB on his/her behalf. Here is a doc page that might help http://static.springsource.org/spring-social/docs/1.0.0.M2/reference/html/connecting.html