I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.
I see two possibilities:
Adding the SAML tokens into the header each time.
Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.
Case 1: It's a good solution because we are still RESTful but:
SAML tokens are quite big. It's may generated problem due to big header size.
Replaying tokens is not the best way for security concern.
Case 2: It's no more stateless and I have to managed a link with the client. Since I use a gateway, the underlying services can still be RESTful.
Case 2 looks for the better choice despite the fact that it does not follow the rest constraints.
Is someone had already to do it and give me some pointers (for design or implementation)?
Is there a better way to do it with SAML?
Any help or advice are welcome.
It is still draft, but: the OAuth2 SAML bearer profile may a possible solution.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17
Use a SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.
Also, you could generate a jwt token and put it inside of a SAML attribute: from this moment on you could pass the jwt inside of an http header.
It is sort of mixing oauth with saml but if you still need the latter for authentication it could be the way to go.
Related
I am new in security so need little help with this task. I develop small application where I need just authenticate users by credentials, and return jwt token without any roles or scopes (users will consume all rest service).
I just need distinguish authenticated and anonymous user, and verify token.
I checkout a lot of tutorials, but they are a too complex for my purpose.
There are my questions, I will be grateful for any help or some guide in steps what I should do and how:
One of tutorials which I found use OAuth2. It's really need
implement OAuth2 for my purposes?
Which dependency should I use? jjwt or spring security jwt?
Really need authorization server and resource server, or exists
simpler way?
Thanks.
Here is a short answer to your question that hopefully will help you with further research:
You dont need to implement your own OAuth2 server. You can use existing OAuth2 compliant application like Keycloak or Mitreid. We found Keycloak to be more future rich and easy to use.
If you are just receiving and validating JWT tokens then Spring will do it for you. But in order to create JWT tokens you need to use third party libraries like jjwt or nimbus-jose-jwt.
Again you have option to create your own Spring app that will authenticate and create JWT tokens, but it will take more to be fully OAuth2 compliant. My advice is to just use existing OAuth2 app like Keycloak.
The resource server is the one that you need to create and is the actual application that is being secured and accessed by JWT token.
Its late to answer this question, but still answering this if in case someone is still looking for an answer. Assuming you have already achieved authenticating the credentials, but looking for help with JWT, look at my answer JWT Token is always received as expired while parsing
Hope this helps.
I am developing a REST API using Java Spring Boot framework. Purpose of this API is to connect mobile and web applications so they can work together.
My question is, what are the best practices to develop login functions or the login process. Shall I generate a token or what should I do?
You could follow the best practices as described in OWASP, here.
Most APIs nowadays use token based security. Here are a few guidelines:
You need one service (which is itself public) that authenticates the user.
In order to authenticate the user, it might use a username and a password, and/or other means.
As the result of authenticating the user, this service returns an authorization token.
Your backend should keep track of issued tokens.
Each token will have an expiration time.
Every time the client uses an API, it should send along the token. Usually, the token is sent as an HTTP header.
Every service in the API should validate the token before anything else. If the token is invalid, it should return an appropiate HTTP code.
All communications should be sent over SSL.
OAuth and OAuth2 are two very well known protocols for this very goal. OAuth is a little more complicated than OAuth2.
This is a very high level description, not technically deep, but it should get you started.
I am searching for the best approach of authenticating users of mobile clients when accessing my RESTful API. For example, how approximately AirBnb uses it's auth module.
Should the authentication be different for RESTful and basic session-based resource, working with the same data?
I am not a mobile developer therefore, I am interested in what is the best way to provide authentication from server-side, so the mobile-platform developers could use it simply.
I googled for few approaches using OAuth, OAuth2, HTTPBasic authentication and still wonder how the mobile developers can use such API, how they will store this token (cookie is stored by browser in browser-oriented apps).
Could you please suggest me some links/code samples/techiques that you used in production or pet-projects or something?
An easy and manageable alternative to OAuth(2) for authentication is JWT.
You don't need additional infrastructure, the workflow and use is straightforward and there are ready to use libraries for all major languages already available.
Compared to HTTP Basic Authentication JWT is more flexible by transmitting additional information not just credentials, you can store the JWT token as JSON or you can use cookies, you don't need to store the credentials on client side and you don't transmit the credentials on every request.
Also based on JWT you can realize very easy a single sign on function. So if you need more than just a simple system user then you should definitely try JWT.
I would like to implement OAuth 2.0 authorization on my JAX-RS RESTful services.
After some researches, I've found Apache CXF to do that. However, I haven't found any examples about it and it's unclear for me. Where can I find some examples of JAX-RS with OAuth 2.0?
Disclaimer: This answer doesn't really provide a solution for securing a JAX-RS with OAuth 2.0. But it aims to give some insights to Mohasin Ali, who started a bounty on my question. Maybe, the solution I used can be useful for him.
Regarding the bounty:
The question is widely applicable to a large audience. A detailed canonical answer is required to address all the concerns.
After asking this question a while ago, I realized that OAuth 2.0 would be too complex for my requirements. Even Basic Authentication would be enough for my requirements. But I ended up using an authentication scheme based on JWT tokens signed on server side. I described my solution in this answer.
Apache CXF provides an implementation of OAuth 2.0. It may worth looking at it if you want to use OAuth for securing you API. Apache CXF also supports OAuth 1.0.
It doesn't matter the authentication method you decide to use, do it on the top of a HTTPS connection. You'll need a certificate for that. As a suggestion, have a look at Let's Encrypt. They claim to be a free, automated, and open Certificate Authority, currently sponsored by Mozilla, Akamai, Cisco, Chrome, Facebook and others.
Regarding the following situation, mentioned in the comments:
[...] a malicious user visits someone's computer, open the browser, see the access token and copies the access token to his own browser [...]
If a malicious user have physical access to a computer, HTTPS won't prevent this malicious user from stealing an authentication token from someone's computer. Actually, if it happens, I think you should have bigger concerns...
For an additional layer of security, you could consider storing the token along with the IP address of the user you issued the token for. For each request that hits your API, compare the IP of the incoming request with the IP of the user you issued the token for. If the IPs don't match, refuse the request.
If you go for JWT tokens, instead of storing the whole token, store only the JWT ID claim (jti). Just ensure this value is unique (java.util.UUID should be enough for generating the jti value).
For a completely stateless authentication (not storing the whole token neither storing token ID), you could store the IP address in a JWT token claim, but mind the token will be a few bytes longer.
Please see https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2 for one example, it has a collocated example (all endpoints in the same container) and more complex one with the endpoints distributed, with SAML SSO Web profile supporting SSO.
I'm hosting a REST web service in a Grails application, using Spring Security, i.e.:
#Secured(['IS_AUTHENTICATED_REMEMBERED'])
def save = {
println "Save Ride REST WebMethod called"
}
I'm calling it from an Android app. (Calling the unsecured service works just fine.)
To call the service, I'm manually building up a request (HttpUriRequest) and executing it with an HttpClient.
I'm wondering what the best practices are, and how to implement them... Specifically, should I:
Perform a login once, to retrieve a JSESSION_ID, then add a header containing it into the HttpUriRequest for each subsequent request?
Or (not sure how I would even do this) include the login and password directly on each request, foregoing the cookie/server-side session
I think I can get option 1 working, but am not sure if Spring Security permits (2), if that's the way to go... Thanks!
--also, there isn't any library I'm missing that would do all this for me is there? :)
Spring security does support both basic authentication and form based authentication (embedding the username/password in the URL).
A REST service is generally authenticated on each and every request, not normally by a session. The default spring security authentication (assuming you're on 3.x) should look for basic authentication parameters or form parameters (j_username and j_password) (in the form http://you.com/rest_service?j_username=xyz&j_password=abc).
Manually tacking the j_username/j_password onto the URL, adding them as post parameters (I believe), or setting the basic authentication username/password should all work to authenticate a REST service against the default Spring Security interceptors, right out of the box.
I will admit that I haven't tried this on REST services, though I do clearly recall reading exactly this in the docs as I did the same for basic page logins on spring security recently. Disclaimer over.
I think you can use a login-once-and-get-a-token method that's similar to how oauth works.
sending username and password across the network outside of secured channel(https/ssl) is a terrible idea. anyone on the network can sniff your request package and see the clear text password.
on the other hand, if you use a token method, since the token string is randomly generated, even the token is compromised, the worst case is someone can use the token accessing your REST API.
another solution is going through ssl tunnel(HTTPS). i have actually done a comparison and result shows: 80 requests/min(https) vs 300 requests/min(http)