We use SAML through Okta to control access to our API. We have a way to get Paw to set the cookie needed via an endpoint on our server sending our username and password. This works great, we just hit that endpoint once before and we are good to go.
The issue comes from having to store the password in Paw in the session POST body. We would like to share our paw files but it would be risky to have to remember to clear the password each time.
Is there a better approach to this? Maybe a way generate an ask user prompt?
Related
First of all, I am sorry for my bad English.
I am writing an app with a backend, which I want to make safe. I am using HTTPS for the connection, but a lot of people say that this is not enough protection.
At the moment, my user credentials are sent to the server via JSON format as plain text, which isn't a good way, I guess. At the server, my password is hashed with a random salt and stored in the database.
If the login is successful, an authentication token is generated and sent to the client. The client is using it as a header.
Do I need to do more? I read something about digest access authentication. Should I implement this authentication method, or is there a better way to make my login safe? Or is this the right place to use this authentication method?
I am using angularjs on the client side and WEB API on the server side (C#).
I'm trying to implement Authentication and Authorization mechanizm,
I understand that session state is a "bad" practice for web api, so I read some more options, but somethings were unclear to me, or perhaps someone could suggest me a better solution, I would appreciate it.
after user logged in successfully, generate a token for him, and send it in the first response back to the client. the token will be added to any authorized request after that. the question is, how the server could tell what user is that? use DB to store data like username, and system role id, with the token as key?
after user logged in succesfully, encrypt or something like that important data like 'username;system_role;other_info' and send it back as a token?
perhaps use encrypted 'FormsAuthenticationTicket' of asp.net? like here?
I'm sorry for the long, and maybe too ease question, but I really couldn't understand from the web what is the 'best practice' for my case, and it is the first time that I don't use session for authentication.
thanks.
and thank all of you for viewing this question.
I am not sure to on how do this so i am asking for the community help on this matter.
I read int his post Can you help me understand this? "Common REST Mistakes: Sessions are irrelevant" that sessions are not "completely" advised on the REST convention, and that all authentication should be made using HTTP Basic authentication or Digest.
Ok, so far i get it.
But has far has i know, basic authentication is made on the actual server against a regular non-encrypted text file.
Would it be going against the convention, putting the username/password in the http request parameters, instead of passing them down trough the headers and letting the web server do the authentication?
This way, for every request made, the user/pass parameters would be checked and managed using my own logic. I mean using a database table, that has all the info necessary for the application.
The method I currently use is the first request is for a auth token via a POST method, which contains Headers of Username and Password, these are then verified against my authentication methods. If the credentials are valid, I return a time limited token. All subsequent requests must have the auth token as a header, which is checked and if valid access is allowed. I maintain the list of valid token in code and expire them as required. This is faster than having to validate the username & password on each call and is slightly safer than the username & password being passed in with each call as a token could be stolen, but it is only valid for a small period of time.
All of this this must be run under SSL otherwise the data is not secure and users credentials can be read.
Basic auth is handled by the server however the server chooses to handle it. There certainly doesn't have to be a plaintext file containing usernames and passwords! My current client stores passwords in a 1-way salted hash in their database. On an incoming request, the plaintext password is pulled from the header, salted, hashed, and them compared to the database value.
Putting a password in a request parameter is a really bad idea. What happens when a user copies and pastes a URL to email to their coworker?
I am using Symfony2.0 and FOSOAuthServerBundle, which implements OAuth2, for managing my APPs clients access to my PHP server.
Everything works perfectly, any token generation, refreshing, etc, etc...
One of the gotten effects is that anytime I enter the APP, I don't need to re-enter my credentials, as the token is still valid or, else, I refresh it using the proper API method.
Typical behavior and all perfect so far.
Now I need to develop a "Logout" button in my APP in order to invalidate that user's token and avoid the use of any refresh_token for him. Sort of revoke his token and/or credentials. In other words, really simulate a Logging Out from the server causing the user to re-enter his credentials next time he gets into the APP.
What OAuth2 sets up for this? Is it a standard behavior with its own API method? Or should I override any behavior in order to getting it?
In case someone's stuck on same thing, I had similar questions, but it turned out to be a conceptual mistake.
Perhaps this may help you:
https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/236
By definition, oAuth2 is STATELESS, so, it does not make sense loging out from an oauth server. To do that, just, destroy the access Token in client side app (We suppose here that you have the control of the app).
But, when a third-party app is connected to your server, you can force the logout mechanism by removing all access tokens that was given by your server to that user of client application. So, when app wants to use one of the destroyed tokens, it will get a 401 HTTP RESPONSE (The access token provided is invalid). Note that if the application has saved the user password in its local storage, it can login automatically to your server without asking the user to enter its password. so, destroying Access Tokens in server side is not a sure method.
I'm working on a website where I get a feed of usernames / hashed passwords from another service. When someone sucesfully logs in I set a forms authentication cookie with FormsAuthentication.SetAuthCookie.
My client doesn't like multiple people logged with the same credentials. They would like a log in to invalidate any currently logged in clients.
There isn't a method on FormsAuthentication to tell the server "invalidate any other cookie under this name". KB900111 suggests the server doesn't maintain a list of valid cookies. So my approach isn't sounding good.
What's the alternative? Time to ditch forms auth?
Not necessarily. Forms auth still provides quite a bit of baked-in functionality you might want. Maybe you can generate and issue a Guid the first time each user logs in, and store that on the server-side, and in a cookie (security ticket preferably). Every time a request is made, you check to make sure the user is using not only the correct credentials, but also the same machine and browser (based on the cookie you issued the user when the user logged in). You would of course have to make sure that your Guid expires at some point, and also make sure you clear it out when the user signs out.