I will not post any of my code, because this is more just a question to know if it's possible.
I've been googling a lot, but didn't find any concrete solutions. I hope someone can help me here.
The facts:
I have a login form
I need to authenticate the credentials over a web-service
I need to send both username and password, to get back a token if logged in successfully.
The problems:
With a custom provider I'm always stuck with the fact that they only have direct access to the userename, like: loadUserByUsername. I need to access the password there as well, to be able to send this to my web-service.
I have only 1 web-service which sends only back a token if provided username and password are correct.
Question:
How can I access and send both username and password to my web-service?
Thanks!
Generally speaking one would authenticate using an API token to a web service.
That API token is usually issued via an auto-generation script when the user account is created (either by an admin or by a registration form). This token is then passed by the API call to the web-service in a header which then uses it to authenticate the user.
As far as Symfony goes, by far the easiest way of doing this is with Guard. A new component built by Ryan Weaver from KNP.
KNPUniversity has a great tutorial on it (for free).
Note that this is only one option of many, and the 'best' way is probably mainly opinion based and directly related to the use case in question. But it might help you get on the right track.
If the token you want to create should be a JSON Web Token (JWT), a very conventient bundle is LexikJWTAuthenticationBundle, which does almost all of the work automatically. If you just follow the documentation, you will have it quickly up and running. You can combine it with FOSUserBundle, with a custom User entity or whatever.
Related
So at work I was given the task of designing a database API, now security assessment has stated that the system must use Authentication and Authorization.
On top of that Authentication Happens through their NetScalar that forces the user to login with company credentials and in turn gives the user a token. This token will then be sent to my API in the header of each request.
Now here comes the issue. The token only contains a username, I however want to do a
[Authorize(Roles = "Admin")]
Check on my controllers. Now as the user has already been authenticated with his password and username I know that he has is a valid user however I would like to assign a role to him.
Now I'm open for suggestions on how to do this but the simplest way of fixing this that I could think of was to at each request query my DB for the users role and add it to the token claims.
However I don't know how to do this and also I have no idea if this is a good solution.
I would appreciate any help with adding the claims (in code) or other solution (also code would be much appreciated).
Thank you!
I am developing an application that posts comments into Merge Requests on Gitlab. It works by authenticating with a given user, and then after some setup will register a webhook on the relevant project to be informed when a Merge Request update happens. When a new Merge Request is detected I want to post a comment on the Merge Request asking for some specific detail to be sent over.
However, when we post the comment on the Merge Request we can only ever seem to do it as the user that we have the OAuth token for (which of course makes sense). My question is what should we do/could we have done in order to post the note as a 'bot user' without having to register a full user into the repository? Or is this just impossible?
You can create a reporter user and use its access token. The problem my arise when the user doesn't have enough access control.
You can create a project scoped token, a bot user will automatically be created for such a token
Ref: https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html
I search for a solution to authtificate using the access token,
The customer sends a link via email https://www.mywebsite.com/?token=ijn8pC5q2bwftM7dMcjkhkdhgkfdjgfdgg type). when the customer click on the link, the applciation should get automatically the token and then redirect the user his personal page,
Any idea please
You can implement this using an custom authentication guard. This well described in the documentation of symfony. In the example they use an http header field, but you can easily use a query parameter to do the same thing.
As Daniel commented, be aware of token invalidation to ensure a secure application.
Problem statement:
Hi. I have some secured data which I want to expose through Web API and ASP.NET Identity mechanism. I want to use out of the box classes of ASP.NET Identity. I take a payment manually and change a value in the table. But there are cases where the user will share his username + password with some other guys so that the others can access the same content without paying anything.
Work plan:
So, I have extended the AspNetUsers table with a column named ApplicationToken (varchar). After successful login, I want to generate a token, update the field of the user's row in the table, and add this value as a claim information and send back to the client app. Now, when the user requests for a paid content, my client app will send the token also. So, somewhere in my server side codes, I need to check this ApplicationToken with the Database token value. If both are equal, I allow the request to proceed, otherwise I will send 401 Unauthorized and tell them to login again.
Implementation options:
After studying and searching, I found the below options to implement:
Create Custom Authentication Filter attribute so that I can grab the claims send from the client and do my required validation
Create a base class of the secured API and get the claims there and do my required validation.
Go for different Jwt based implementation where I should have access in both issuing and checking the Json Web Tokens.
If you have any other options, I would be very glad to hear those.
My question is, which approach is better to proceed. I have enough time to implement, so time is not a factor here. Thanks.
I'm looking for a basic explanation of how could I do this with symfony2, since there is no decent documentation in the web about this. I know how could I do the process with plain php, but I don't know where to start with symfony2.
Any help would be really appreciated, guys.
Thanks!
To clarify what I'm looking for: once the user completes the registration process, send an automatic email with a link to activate his account
FOSUserBundle has this feature by default.
You can do it on your own:
Create a user specific secure hash and store it in the database at registration.
Send an email to user containing a link with that hash: myapp.com/signup/token/..(token here).../
Create the relevant route to the controller that will check the hash, pass the token in the url to the controller as variable.
Check if the hash is correct in the controller and do the relevant action.