Does any REST API utilize cookies? - rest

I am doing research regarding cookie usage in REST APIs. After some research on the Internet, I still cannot find a REST API which returns cookies as part of the REST response. WordPress uses cookies for user authentication to the website's admin page, but cookies are not set or used on WordPress's REST API endpoints. So my question is, are there any REST APIs or REST services which utilize cookies?

Related

If cookie-based authentication is used with REST API, how can the same API be used with mobile apps?

I am developing a SPA web app with a REST API using Node. I have read in many sources that the JWT should not be stored in the browser's localStorage, but should instead be set in a cookie with the httpOnly flag set. I have also read that mobile apps and SPAs should use token-based authentication.
If I should use token-based authentication, where should I store the token on the client?
While setting a cookie is possible in a web client, how can I use the same REST endpoint when I develop clients for mobile? I am not sure if mobile apps use the concept of cookies.
Suggestions would be highly appreciated.
I think your application should check the cookies for the token first; if it is not there, then check the request's Authorization header.

Keycloak and Google: auth flow doubts

We have a Spring Boot web application serving some REST APIs, and the client consuming these APIs is a mobile app developed in React Native.
Now we need to secure the APIs, and we're going to use Keycloak with Google as the identity provider.
The integration between Keycloak and Google auth seems pretty straightforward, but I'm not able to understand the entire flow among the parties and how to join the browser login (on the Keycloak page that redirects to Google authentication) in order to get a valid access token to perform API calls from the mobile app.
I'll try to explain it another way. I supposed that:
The mobile app shows a web page (with its browser) in order to perform the Keycloak login.
The end user using the mobile app presses the Google button on the Keycloak web page and is redirected to Google for authentication.
Google authenticates the user and sends a redirect URI with the identity token and access token to the browser
...
then
...
is it correct to get the access token from the URI and use it for the subsequent API calls?
Is it supposed to work in this way?
I have to say that we also have an API gateway (Ambassador) in front of our web application (containerized in a Kubernetes cluster).
I have read different articles online, but I'm still confused about the best approach.
Any suggestion is welcome.
Thanks.

How to Prevent an Authorized User from Accessing REST APIs using Dev Tools in an SPA

We are developing a financial application using SPA architecture. The client and API use the same domain. There are many posts on how to secure REST APIs using JWTs, httpOnly cookies and OAuth, which protect the API from external attackers. However, I have not seen a specific discussion of how to prevent knowledgeable, authenticated users from hacking APIs from the browser's dev tools. For example, when a user logs in using the login form, a JWT is returned and must be stored somewhere on the client. Even if that token is stored in an httpOnly cookie (and inaccessible to JavaScript), the browser still sends it back to the server automatically regardless of how the API call was made (from JavaScript in the SPA client or JavaScript in the console). A valid login to the application does not imply full access to all APIs. What are some specific approaches to mitigate this vulnerability?

How should my api handle login via auth0?

I'm trying to learn how to utilize auth0 to handle user authentication for an api I am currently creating.
My api has two endpoints:
Login endpoint: /api/login
Request access token endpoint: /api/auth?code={code}
Here the authentication flow is:
User goes to the login endpoint of my api.
User is redirected to auth0 ui.
User inputs their login credentials.
Auth0 redirects back to /api/auth where a request for an access_token is made using the login code.
Firstly, is my understanding of the OAuth authentication flow correct? If so, how best should my API handle the initial login redirect to Auth0?
Because at the moment, when I hit /api/login from the front-end UI, it just returns the HTML of the login page at Auth0. Should I instead return a 302 with the redirect URL, or is it possible to create an endpoint where the user inputs the username and password via my API and avoids the redirect?
---update---
After a user has authenticated via Auth0 they receive an access_token and an id_token; which should my API use to verify the user is who they say they are?
Not sure if my understanding is correct, but I believe that my frontend UI is the OAuth client application and my API service is an OAuth resource server. As such, does my API need to call out to Auth0 /userinfo to verify the user?
Assuming you are trying to protect an end-user application (your question wasn't clear on that), my understanding is that if you are using Auth0, you likely won't need /api/login and /api/auth endpoints. If you are using Auth0, you can get those things during your authentication via Auth0.
I would say your APPLICATION (not API) would redirect the user to the Auth0 login endpoint. You would do that by incorporating the Auth0 SDK of your choice, depending on what you're building. For example, if you're building a web app, you may choose to incorporate auth0.js and call webAuth.authorize() to trigger the login. During that login, if you have configured an API within Auth0, and you provide the proper scope and audience during your login, your response will return an API token.
Then your user is in a state on the client side where they are logged in, and you have a token. You can then provide that token to your API, and your API can validate that token as needed. Auth0 also has various libraries for token validation (like this Spring Security one, for example).
Lastly, on the question of which OAuth flow to use, that also depends on what type of app you're protecting. There are again Auth0 docs to help. The flow depends on whether you're building a server-side web app, a SPA, a native app, etc. Your question was a little confusing, and it sounded a bit like you are building an API and want to protect that. If there is no client-side app (only machine-to-machine API calls), then you wouldn't be dealing with HTML and login pages. You'd likely be getting into the Client Credentials flow, which last I checked was only included for Enterprise Auth0 users.

OpenAM: SSO implementation using RESTful API

I am a bit confused about implementing SSO with a RESTful API. So far, I have used the RESTful API to authenticate and get a token ID.
How can SSO be implemented? To get a token validated, it must be saved somewhere, as a cookie or something. Is there any way to do this?
If you want to do SSO yourself, you have to mimic OpenAM's SSO session tracking mechanism, which uses cookies.