Transacting in ATS Tokens - aion

I have created a custom token in mastery. I need to transact using the token on a java smart contract. How do I set the token type on the contract? I am using aion-web3 to call the contract.

Any ATS token transfer is just a contract transaction of calling send() function in your token contract.
Note: Java smart contract on Aion network can only interact with another java contract, not a solidity one.

Related

When to validate JWT

I am building an application that spans over several parts of infrastructure.
An end-user can sign in to a portal using OAuth 2.0 authorization code flow. When calling different APIs, the portal requests tokens on-behalf-of the signed in user and attaches those to outgoing requests. The tokens received to call external APIs have an aud claim matching the target API.
When a call to an external API is fired, it first passes through an API Gateway. This API Gateway validates the token and ensures the aud claim is actually intended for this endpoint. It also verifies roles and a few other claims.
When the gateway checks pass, the request is forwarded to the actual implementation. Now the actual implementation also verifies the token, but only that the token is valid (e.g. not looking at specific claims). That is not to say that the claims aren't used internally in the application after the token is validated, roles are very much part of the application logic.
So to summarize this as bullet points:
User signs in to portal
User performs some action that causes an API call
Portal attaches token to outgoing request
Request hits gateway for 1..n claims are validated
Request is forwarded to actual implementation
Implementation again validates token is valid, not looking at claims
All endpoints are public, e.g. I could call any of these from anywhere as long as I have a token.
In the above outlined scenario, I'm handling the token properly?
In general, what is the recommendation for tokens passing through several layers of an application? Should every layer validate the token? If yes, are there exceptions to the rule?
Typically, JWT tokens are validated when are sent from the client-side to the server-side. As these tokens are signed, if anyone tries to tamper with the token before sending it to the server-side endpoint, the token verification will fail, therefore these tokens are a secure way of sending the session of an authenticated user to an API or a server endpoint.
These JWTs can be also transferred between servers or different application layers, and it always would be a good practice to verify the token before processing it. It is adding a layer of security to avoid anyone sending tokens to that layer directly and skipping the validation.

External payment method API - Deal with callback security

Many Payment Method providers API like Braintree, Stripe, etc etc provide a callback system that allow the merchant to be notified with the result of transaction.
The main question is: How I can be safe from malevolent requests?
Suppose an attacker can reproduce our exposed callback REST API (obviously with HTTPS) this would lead in many fake successful transactions.
Is there any method to prevent this? I read about CRSF token on Stripe link, however it's unclear to me how it would be securely passed between my ecommerce site and provider API.
Stripe's callback system is called webhooks (https://stripe.com/docs/webhooks)
To prevent potential attacks, Stripe will send the callback content together with a signature. The signature is a (HAMC SHA256) hash of the callback content with timestamp and webhook secret. You could verify the signature (https://stripe.com/docs/webhooks/signatures) to ensure that the data is indeed sent from Stripe.

Getting access token for external provider's APIs in IdentityServer3

We have Identity Server set up for access to our internal APIs. We have a new JavaScript client that would like to in one request get id and access tokens for our internal APIs, and an access token for calling APIs directly from the external identity provider (in this case, Google). I was thinking if it was possible to get it I could return it as a claim in our id_token.
Is this supported? I set the response type on the identity provider to "id_token token", and I can see that the access token is getting returned to Identity Server, but I don't see it on the context of any of the user service methods.
and an access token for calling APIs directly from the external identity provider (in this case, Google)
Normally the use of IdentityServer is meant to abstract and shield your app from having to know which upstream identity provider the user used. But having said this, you could capture the google access token at signin time at IdenittyServer. One idea is to put it into the database, then in the GetProfileData API on the user service put it into the issued claims back to the app.

Stackexchange API Implicit vs Explicit

This question is inspired by the documentation on the stackexchange and facebook API (http://api.stackexchange.com/docs/authentication) but is probably more widely applicable to OAUTH 2.0 in general.
My question is, why would you want to use the explicit authentication model when the implicit model seems like much simpler why of authenticating and getting access to content?
Are there limitations implied by the implicit approach and which is the most suitable method for a node.js application which is technically a server side app but which seems like would be suited to the use of the client side javascript libs.
Edit
After doing some reading it appears the "implicit" nature of the web client flow stems from the fact that the Resource Owner (user), implicitly trusts the client (the web browser). This means the simplified flow is appropriate, given this implied trust is a given.
This still leads to the question that when performing authentication via OAUTH 2.0 that the Resource Owner (user) must be vigilant as to whether they implicitly trust the client or not. This seems like a potentially dangerous stance as it assumes awareness AND knowledge on behalf of the user and there seems likely to lead to security concerns.
Talking of OAuth 2.0 and not stackexchange API's specifically, there is an element of risk in the implicit flow, also called the implicit grant flow. This is because the authorization server sends the access token to your user agent/web browser.
To minimize any damage that could result from this, the access tokens were made short lived. Also, an access token, in this scenario, can be used only for the scopes that the user provided authorization for. This type of flow is mainly used for simpler web apps, that do not have a server to support them. The rather irritating apps that you see on Facebook could be an example, every other developer can use this implicit flow without having to worry about arranging for a server.
The explicit flow, called the Authorization code flow is far more secure. This involves the user agent receiving an authorization code from the server. This code can only be used by the app that registered - the server that you would maintain at the back end, with valid credentials.
An example :-
Let's assume there is some Google app that uses Facebook graph APIs. You can open the google app website and authorize
i) Either the browser receives token, the webpage made by the google app ensures that it hits the APIs, fetches the data and returns it to the server.
ii) OR, the browser gets a token and the webpage returns it to the google server. This ensures that only Google can hit the Facebook API (a sense of relief for a big company). Also, there is a central server that manages all requests and can easily generate any sort of metrics for monitoring requests/numbers/patterns.
One more major use of this explicit flow is offline access. In the above scenario, your app server can fetch a Refresh token and can call the REST APIs even when you are not logged in.
If you do have a server side app, I personally would recommend using the authorization code flow /explicit flow.

Why is the application secret required for extending a token lifetime?

My understanding of the application secret is that it is meant to be kept "secret".
I am wondering how I could extend the lifetime of a token using the client side flow without embedding the application secret in the client?
You can't, you'll need to do it server side (maybe via proxying the call)
There should be few reasons to have a long term token in client code if it's Javascript, for example, and I believe the iOS and Android SDK's already receive extended tokens when they use the SSO flow