I want to store some analytical information about the use of mobile apps into Amazon DynamoDb. I have the following requirements:
exactly one DynamoDb table per one mobile app
an app can do only PutItem method
all users of apps are unauthenticated (guests)
To provide to mobile apps a way to access a table in DynamoDb I see two options:
hardcode credentials with limited permissions into apps (permissions to do PutItem to a specific table);
use Amazon Cognito to get temporary credentials for unauthenticated users in runtime.
The second option Amazon strongly recommends as a much more secure. In my case a malicious user can either get access to hardcoded credentials or to a hardcoded identity pool ID with the same result: getting access to an AWS resource.
Question: does the use of Cognito in my case give any security improvements and if yes, how?
Cognito identity is totally free - you wouldn't have to pay anything.
Your point that using Cognito doesn't add any security to unauthenticated requests isn't correct. From the Cognito FAQs:
Q: How does Cognito Identity help me access AWS services securely?
Cognito Identity assigns your users a set of temporary, limited privilege credentials to access your AWS resources. You can use Cognito Identity to securely access other AWS services from your mobile app without requiring your AWS account credentials. You can also use the unique identifier generated for your app users in your Identity and Access Management policies. For example you can create a policy for an S3 bucket that only allows a particular user access to their own folder.
The same thing described for S3 can be done with dynamo - see this blog post for specifics.
Related
I intend to develop an application using firebase authentication.
Companies will be able to sign up and in turn create accounts for their employees.
There will therefore be a "master" account which will be able to manage the operators (add them, modify them, disable them and delete them) and then the "employee" account that can use the platform.
I would like it to be possible that the master account, by entering the client id and the secret key of their oAuth server in a hypothetical administration dashboard, would make it possible for its employees to access with google.
The question is this, would it be possible to manage multiple oAuth servers (from the same provider, e.g. Google) in the same Firebase project?
Thank you in advance.
I am the owner of the Firebase project.
Is it possible (for accidental data manipulation reasons) to disable write access from Firestor DB?
For instance when login in the web admin console e.g.
https://console.firebase.google.com/u/0/project/MYPROJECTID/database/firestore
to not be able to write/update/delete any documents or collections.
If you want to disable write access to web and mobile clients, you can set the security rules to disallow all writes. There is no other configuration to control client access.
For backend code, and collaborators accessing the database through the Firebase console, you can only revoke access to any services accounts that might be used to make changes using IAM.
I have a firebase web app calling my Python API.
the user who is using my app does not need to login to use it but I still need to make sure that this request coming from my application
How can I verify the identity of the app sending the request?
There is no way to enforce that calls can only come from your application. In a database that is directly accessible from the internet, that is simply not possible. Anyone who can use your web app, can take the configuration data from that app and use the Firebase API to make their own calls.
That's why it's important that you enforce all business rules that you have for your database in Firebase's server-side security rules too. You can use these to enforce data structure, and (when combined with Firebase Authentication) ensure that all data access is authorized.
You can use Firebase Authentication without requiring your users to enter credentials by using anonymous authentication. This essentially gives your user a unique ID, that you can then use to identify that user (and the data they create) in security rules.
I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.
I have an Authentication service that checks to which tenant the user is linked to and then proceeds to check if the username:password for the user is valid, if valid it returns a JWT token to the gateway API/web API that then allows access to the rest of the services on the cluster.
This is further secured by roles to limit actions and data access etc.
Question 1
What would be a secure way to save the app id and secret given by that tenant if they use azure AD?
In my DB and encrypt the info, it would have to be decrypted to connect to the AD(Trying to keep in dynamic).
Question 2
I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?
Question 3
Is there a better/standard way to handle this multi-tenant sign in process.
Question 4
Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?
Edit
Ideally the Roles should not be part of the tenants AD/B2C because they role are dynamic and managed from within the application.
Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.
For example, have a look here for a multi-tenant example using asp.net core.
It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.
This blog post may also be useful.
I will very strongly advise you ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world its a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.
Recommended reading:
How to build a multi-tenant app with Azure AD
How to secure a Web API with Azure AD.
Libraries like MSAL.NET will automatically manage token caches and refreshes.
Use roles and groups in Azure AD
Claims in tokens issued can be customized to some extent.
disclaimer: I work for Microsoft
I'm building a Java application which needs to access the DynamoDB. The application is intended to be used by several end users (not all of them are trusted). From my understanding, in order to access the AWS service,the AWS credentials need to be loaded at runtime on end users' machine via several ways described at https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
However I don't feel it'll be safe to directly hardcode the access key and token into the application code, as this can be easily exposed. Given my end users don't have too much technology background, I don't want to add too many "pre-setup" steps before they can use the application.What will be best/feasible practise to distribute the credential to them?
Thanks for all opinions.
You probably need to be looking at AWS Cognito
An Amazon Cognito user pool and identity pool used together
See the diagram for a common Amazon Cognito scenario. Here the goal is
to authenticate your user, and then grant your user access to another
AWS service.
In the first step your app user signs in through a user pool and
receives user pool tokens after a successful authentication.
Next, your app exchanges the user pool tokens for AWS credentials
through an identity pool.
Finally, your app user can then use those AWS credentials to access
other AWS services such as Amazon S3 or DynamoDB.