I have requirement on authenticating and authorization the users sending request to Alfresco repository for CRUD operation. I am confused with which approach to use ...either 0Auth or Alfresco ticket. Can anyone suggest
I'm using only the community version, but I think is better to use the ticket, sending a post request to "/tickets" providing the "UserId" and "password" in jSON.
You'll receive, if login succefuly, the ticket to use as your Authorization, instead of the Basic Auth, for example.
Related
We have planned to implement authentication in our API using OAUTH. For this purpose I read so many articles on web to explore it. After read these articles what I am understanding is
Send credentials to authorization server and after successful
authentication it will send you the access token.
Use this access token for further calling of your api methods.
To authenticate our api user needs to pass the following parameters.
Authorization Token
Employee ID
What I am thinking is to pass these values via request headers. Problem is that these request headers can easily be viewed in browser console and someone can misused it easily. Please suggest Is this the right way to authenticate api or we used something else for this purpose?
I am using the standard ASP.net OWIN OAuth middleware system to authenticate local users with Bearer tokens. I was thinking of embedding roles as a claim in the token, but was wondering how I would be able to change a users role such as taking away admin privileges without them logging out. Any ideas?
It's always possible to implement some dirty solutions to support your problem, for example :
When the roles have changed then raise an even in a queue like RABBITMQ / NServiceBus (or via event).
The subscriber (website) will invalidate the cookie and regenerate a new one with new claims.
I don't see the issue with waiting for the cookie is expired.
In fact a bearer token (identity or access) has an "expires_in" property, so even if your cookie
is regenerated with new claims, the token is still valid in the provider.
Another remark your permissions can be returned by a UMA server, they shouldn't necessarily comes from your claims.
Take a look to this scenario : http://lokit.westus.cloudapp.azure.com/Documentation#third-scenario-limit-access-to-certain-website-features
I am using ASP.NET WebAPI for a web service that I am building. He web service will use the Identity service to authenticate users.
I am a bit stuck as to how to authenticate users externally. Our current system is very basic- we send a username and password in the XML request as a separate field and it is all done in 1 request.
From what I can see from looking on Google, the best way is to request a token from the Ali and then pass this token in subsequent requests. Is there a way where I can do it all in 1 request (that is, send to the API my request for data as well as the username/password or perhaps an API key in a single request?)
From what I can see from looking on Google, the best way is to request
a token from the Ali and then pass this token in subsequent requests.
Is there a way where I can do it all in 1 request (that is, send to
the API my request for data as well as the username/password or
perhaps an API key in a single request?)
I'm not sure why your web service want to know user's username and password in Token based Authentication.
In Token based Authentication, your web service should not ask for user's username and password.
Instead, user first verifies the user name and password using a token issuer that your service trusts.
Upon successful verification, the token issuer provides the user with a token. Once the user has that token, it uses it to call your service.
For that, you do not have to reinvent the wheel. Here is JwtAuthForWebAPI nuget package for OAuth2 and OpenId Connect.
It is not secure at all to keep sending username/password with each request, you need to configure your api to issue access tokens for specified life time i.e. 24 hours. To do so you need create and end point (/token) which accepts the username/password validate the combination then issue an access token.
The client which receives this access token is responsible to store is securely and transmit it with each request to an any protected resource using the request "Authorization" header using bearer scheme.
As well you can not do this in one request, you need to obtain the access token at the beginning the you keep calling your protected resources using this access token until it is expired.
You can read more about this in my detailed blog post about Token Based Authentication in Web API
What is a good way to transfer an authorization key to a server? I'm building an REST-API right now and I'm stuck how the user can authorize on that api. He will get an authorization key (thats not the problem), but what would be a good way to pass this key to the server? As a GET parameter, as an HTTP Header field, as a cookie?
Which way is easy to handle with most of programming languages (e.g. I want to use the API with php or ajax..)
i suggest to send via HTTP POST, and if possible then encrypt it before sending it and decrypt it on server on need basis
You could use the HTTP Basic authentication scheme, which uses the Authorization HTTP header. With Basic authentication, the client must provide its credentials on each request. so you might prefer the Digest authentication scheme, which is a little more secure.
Without more details, I might recommend OAuth 2.0 with the Client Credentials grant type. Basically, the client uses Basic authentication with its client credentials once to receive an access token, and then it uses the access token on subsequent resource requests. Typically the access token is submitted using the Authorization HTTP header.
OAuth is really an authorization framework, but it provides a good solution for API authentication also, and you might find its authorization tools useful for securing access to API resources. It could be that the Authorization Code grant type is applicable to your use case as well.
Related: Best Practices for securing a REST API / web service
I'd like to use WePay.com for authentication and authorization using OAuth 2.0 and ASP.NET MVC 4 Web API.
I was reading through their tutorials online here and was thinking do I just go through these steps and store the access token in the database along with their user_id from WePay.
Should I use FormsAuthentication.SetAuthCookie() to create the
secure cookie?
Is this secure?
Or do I authenticate users be some other means (Facebook, Twitter, Basic, etc)?
You could actually use WePay as your Auth mechnaism. Make sure you checkout the C# SDK here: https://github.com/bradoyler/WePayASPNet
Yes, you would just have to call FormsAuthentication.SetAuthCookie('wepayusers email or auth token') after the wepay login callback.
Good luck.