When i am setting up a new application it says near the Client ID value: "Your Client ID. Copy and keep it secure".
As per my understanding, i should specify this value inside my javascript functions so its not so secured.
Am i missing something here?
No, you are correct. It is the combination of both Client ID and Client secret that you need to keep secure.
Related
I have some REST services on my site that will be available for 3rd parties to access.
My plan is simple. In order to call on these services, they need to request a key from me. I will privately supply them with a GUID. Each call to any of my services will, via a filter, check the header for the key and accept/reject the request accordingly.
This site is all HTTPS so the key would be encrypted during transit. I'm not worried about the key being visually identifiable to authorized clients. In other words, I'm not worried about any kind of 'inside' attacks or people sharing the key. I just don't want random, unauthorized outside users.
I have looked around and I don't really see anybody doing it exactly this way. I feel like I'm over-simplifying... but on the other hand, I don't see what's wrong with it either.
My question is.. does this sound secure enough (from a basic/minimal perspective) or does it expose some gaping security hole that I'm not seeing?
FWIW - I am using the Spring Framework, including Spring Security 4.
Thanks!
If it's HTTPS and the API key is in the header encrypted during transit as you described etc, then it follows a pretty standard design authentication pattern.
Your security now depends on how you distribute and store your API keys.
Although, you could use an "Application Identifier and Key pairs" approach.
Whereas the API Key Pattern combines the identity of the application
and the secret usage token in one token, this pattern separates the
two. Each application using the API issues an immutable initial
identifier known as the Application ID (App ID). The App ID is
constant and may or may not be secret. In addition each application
may have 1-n Application Keys (App_Keys). Each Key is associated
directly with the App_ID and should be treated as secret.
Just in case you wish to extend the application in the future.
Well, the title speaks for itself. In many places from Keycloak docs I encountered this statement
id of client (not client-id)
For now this statement sounds so stupid to me as I do not understand the difference between client-id and id of the client. Can somebody explain me this, please?
When you're creating a new client, you specify its Client ID (or simply client's name), e.g. "my-super-client". This is supposed to be unique across the realm and usually used in OAuth calls, e.g. as a client_id in "Client Credentials" flow (in pair with client_secret).
However, when creating a new client, KeyCloak issues an internal unique ID like this 3f7dd007-568f-4f4a-bbac-2e6bfff93860. You may find it in a URL when opening a page of your "my-super-client" in the web interface. This one is supposed to be a unique ID of any resource that KeyCloak creates during its lifespan.
Keeping this in mind, I think it'd be clear from the context of documentation which one is "id of client" and which one is "client-id" as you stated in the question. If not, please give a link here.
Lets assume i have REST api with products and i want it to be accessible only for specified users.
The list of users is known for me and i'm looking for some way to give them safe access to my API.
I don't want to create authentication with username and password, generate token and this stuff.
What i can imagine is that i'm giving each of my users some secret string
and they use it in every request.
And what i need is some example/tutorial/name of this kind of solution,
i'm sure there are some standards for that but i don't know it.
I know it's kind of nooby question - sorry for that, i'm just asking ;).
Thanks in advance!!
You are looking for a simple shared-secret authentication. A simple solution in this case is just to check for the secret as a param (or it could be in the request header). For example, the client can call:
https://example.com/valuable-stuff?secret=2Hard2Gue$$
You implement this in your web request handler as:
SECRET = '2Hard2Gue$$'
function showValuableStuff() {
if (params['secret'] != SECRET)
return NotFounderError;
// now retrieve and output the resource
}
Some practical considerations are:
Use a secure connection for this to prevent the secret being leaked (ie a secure HTTPS exposure).
Be careful where you store the source code if you're hard-coding it. A fancier solution is use an environment variable which is set on the server, so you keep this out of the source code. Or at least to encrypt the part of the source that contains the secret.
While this is fine for simple solutions, it violates the basic security principle of accountability because you are sharing the secret with multiple people. You might want to consider allocating each individual their own random string, in which case, you may as well use HTTP Basic Authentication as it's well supported by Apache and other web servers, and still quite a lightweight approach.
I am developing an enterprise app where I need to pass a Session ID in REST requests which will pass the same id in my EJB methods.
The approach I have taken is:
Create a Session ID whenever user logins. Use this session id to pass as Header Param in each api except login. (I am still figuring out how to exclude one REST API)
Use this session id in the Header and pass it to each EJB. (How to read header param in subsequent Rest calls after interceptor is invoked.)
Can anyone please let me know, if this is the right way to go?
Also, will generating a one-way hash for creating a session token useful rather than sending a auto-generated primary key?
Passing a token as a header parameter to identify a logged in user is a common approach. Actually using OAuth is basically the same idea, but adding a standard way of doing so and adding the possibility of expiring/revoking tokens.
About generating a one-way hash, yes. That's the way to go. An auto generated primary key would be a terrible idea. If I log in and I am assigned session 1427, I can be almost 100% sure that there is a 1426 session available for a different user right now. Huge security hole.
Make sure you make those tokens as hard to guess as possible and use https throughout the whole process or you will be exposing your login tokens to eavesdroppers.
Yes. Dont use autogenerated primary key. If you are using multiple layers of application and dont want to use JSESSIONID, use SecureRandom to generate a session-token and use it.
I know that PUT should be idempotent, and the client should define the ID for the object to create. But there is something I don't clearly understand: how does the client get an available ID? Should be there an other web service that provides one? Is there a best practice for this scenario?
client should first GET the Resource Representation
then issue PUT with changes along with the id from above step
It is also recommended to use If-Modified tags to avoid a conflict