My project include a web application, a mobile app and a REST API module.
The mobile app is made with Ionic 3 for android and uses a REST API located to an address like example.com/api.php on a server with https. The API has access to a MySQL database.
For the users who access the API I have to create the login/access to API function/logout since they already have the accounts created in the web application.
The main concern is to implement a secure login. Meaning, if someone tries to access my API without authorization (knows the address, the functions name or the used parameters name) to recive an error message. In order to access the API you must be logged in and to have the right to acces a certain section (I have multiple levels of access).
But how can I detect if an user that access my REST API is logged in and has the proper rights?
The plan:
For the login step
In order to access the REST API I have to login with username/password in app. I check if the credentials are correct (if the user exists then I determine the access level) and return a JWT with the user ID and other parameters if necessary (a token). Store in phones local storage the JWT.
To secure the access to REST API functions
The question is: HOW DO I DO THAT? How do I access secure a function from my REST API?
for every request that I make to the REST API should I send also the token from the Local Storage and verify it on the server side?
how do I perform the validation on the server? Do I store the token on the device and also on the server and compare them for each request?
Thanks a lot!
There are multiple ways to do it, it's all depends on you. Hence i am sharing the method i generally use, but not claiming it is most secure way.
We use encryption, decryption with private key. for example:
Register User Web-Service
ex. we have 4 params 1. username 2. name 3. email 4. password. with my register web service.
We will create SHA256 Hash using data concat with private key. then we will pass the hash key to server and at server side we will generate hash key with same method and compare both.
ex. string with private key = usernamenameemailpasswordprivatekey
sha256 of string = 7814b2d22af647308884acff0be4c675b7f72ba000cf1e8390520100cc930e74
You may have any sequence of your data string and same method will work with your server. Always use SSL certificate with your server for more security.
Related
I'm building a REST API using Elixir's Phoenix framework. In the API, I need to authenticate the user by phone number i.e., via sending an SMS OTP code. After authenticating the user, the Auth server sends the Access token and Refresh token to the client. The client(mobile app) stores those tokens locally and sends the Access token in the HTTP header as Authorization: Bearer <Access_Token> in every request to resource server. My actual question is, how do resource server validates the Access token that is received from the mobile app/client?
Does resource server needs to contact Auth server to validate the Access Token? That would a lot of overhead. Please help me understand RestFull API Authentication.
Thanks for taking the time to read my question.
It sounds like you have everything working up to validating the token. You are going to need the public key for the server that signed the token. It depends on what auth server you're working with on how you get that. In some cases you may be able to preload this key as a configuration setting on your backend. Otherwise you can probably get it via https request to the auth server. Most auth servers these days I expect to provide a JWKS api that you can use to get the keys you need. Then with the token and the public key you can use your elixir jwt library to validate that the token you have was signed by the server you trust, meaning the SMS code was validated, and you can proceed with whatever is needed in the backend to handle the request.
If you're using Joken for elixir you can review https://hexdocs.pm/joken_jwks/introduction.html and https://hexdocs.pm/joken/introduction.html for more information.
how do resource server validates the Access token that is received from the mobile app/client?
The same way a nightclub bouncer verifies your driving license as proof-of-age to let you in: by validating the authority and signatures, but it does not need to phone-up your DMV to verify that your license is real because it trusts the signatures (in this case, cryptographic signatures).
That said, some systems do use "reference tokens" which are short (say 32 bytes) of meaningless random data which are used as an unpredictable record identifier for some user-permissions record held by the authorization server. The resource-server will need to contact the auth server initially, but then it can simply cache the auth result itself for some time window.
I'm looking for a way to restrict user access to specific clients in a realm.
I know I can do it with client where Authorization is enabled (fine-grained authorization support) but it doesn't work when trying to connect from front (client need to be public and not confidential).
I'm using a javascript application to login from front-end.
Is there a way to enable Authorization for public client or a work around ?
Thanks.
I'm not sure if this will totally answer your question because it's still not specific enougth but it may give you some further help.
In case you're new to the topic, please see difference between public and confidential clients here.
The current best practice for public clients like HTML/Javascipt applications is to use OpenId Connect with the Authorization Code Flow + PKCE. HTTPS is of course a must have. I recommend you use a javascript openid connect adapter for this like the following for example:
https://github.com/panva/node-openid-client
Basically your authentication / authorization flow is shown here:
When the user wants to login from your frontend client application first a unique verifier is generated which is only available to the exact user / browser session. This value get's hashed as a code challege. Then the user gets redirected to the login page of your authorization server (Keycloak for example) passing some parameters like a redirect uri and the challenge.
With successful login the user get's a session at the keycloak server which also stores the hashed challenge. Then the user gets redirected to given redirect uri (a path in your application) together with a code to obtain an access token. Back in your application you application uses the original value together with the code to get the actual token. The authorization server ckecks the value against the stored challenge and geturns the access token if it matches. You see the extra verifier is to prevent that anybody compromises your code fragment to obtain a token on your behalf.
Now you have an encoded access token in your browser app. Note the token itself is normally only encoded not encrypted but it can be signed. Those signatures can later be used from your backend to ckeck the token integrity but we will come to that soon. Roles, claimes, scopes and so on included in your access token tell you the privileges of the user/identity. You can of course use them to enable/disable functions in your app, block routes etc. but in the end client protection is never really effective so your real authorization ande resource protection happens at your resource server which is your backend (node, .net core, java etc.) maybe a restful Web Api. You pass your access token as a part of the http request header with every request to the backend. Now your backend checks the token integrity (optional) expiration time etc. analyzes scopes, claimes and roles to restrict the resource access.
For example a simple GET myapi/car/{1} may only need a token or can even be annonymous while a POST myapi/cars or PUT myapi/car/{1} may need a special role or higher privileges.
Does that help you out?
I'm working on an ionic app which start with a login system, I already create a basic authentication system which fetch in the database for the username and the password if exist I get as output the ID of the user and his full name and I store them in the local storage but I can see that this way isn't secure enough so how I can build a strong and a secure authentication system using ionic 4v, I found something like using a token and store but i didn't get the idea
Note : for the Backend there is an other team works on it they use JEE with SpringBoot Framework
I would suggest going with the JSON Web Token (JWT) approach. You can find more information on it here. You basically want to create an API endpoint that consumes the users username and password then validates it and if it is successful it returns a JWT.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a
compact and self-contained way for securely transmitting information
between parties as a JSON object. This information can be verified and
trusted because it is digitally signed. JWTs can be signed using a
secret (with the HMAC algorithm) or a public/private key pair using
RSA or ECDSA.
You might also want to include refresh tokens so that you can get a new JWT when the current one expires as putting a long expiry on a JWT is not recommended.
You will need to provide more information on what programming language your backend/API is in so that we can assist you with the correct implementation thereof.
I have a website allowing authenticated users to submit and edit data. I also want to offer a REST API as part of a chargeable service.
Now the problem is that a non-paying user could theoretically use the same calls my website uses as API for authentication and sending data from his external application since it is very easy in the browser to see the endpoint what and how exactly the data is being sent to a website.
How can I protect my website from such usage and force the user to use API for external access?
Actually you cannot prevent people making requests to a public API. You can just validate the user when a request arrives. So there are more than one approach to solve this problem.
I would provide a token per session for each user and validate the rest API request at back-end.
Use OAuth2. So you will give paid user secret id and key then they will ask for the access token to access the API's using secret id and key.
Read about public/private key encryption https://en.wikipedia.org/wiki/Public-key_cryptography
Read about oAuth
https://oauth.net/2/
I have used passport to implement oAuth2 in laravel. passport is oAuth2 implementation and available in other languages also.
I'm designing a web site that will have a mobile companion (initally iPhone only). The web site will be an ASP.Net MVC 3 application. I'll also have an ASP.Net Web API site (MVC 4) to expose services to the iPhone application. The iPhone app will have its own form to capture username and password from the user and send that to the web API in JSON headers.
I want to consider security from the start rather than an after thought. I'm not a security expert by any means. I've done a good deal of research to see how other's are handling authentication of a mobile application client from a web service. I think I've come up with a decent solution that doesn't involve hooking into to third party oAuths.
I would greatly appreciate any and all opinions, advice, criticism and general WTFs that any of you can offer. :)
My biggest concerns are:
Ensuring that calls made to the web API are authorized
Minimizing the risk of replay attacks (hence timestamps in the calls below)
The iPhone app will be developed as such:
Two strings are hard-coded into the iPhone app (same values for every user):
Application IDThis is a string that is used to identify the type of client that is accessing the web API (iPhone, Android, Windows phone, etc).
Application's Hashing SaltThis is a string that is used to salt hashes for user-agnostic requests.
Two strings are stored in the iPhone app's local database (values unique to each user):
API User Access TokenThis is a string (token) provided to the client by the web API upon successful authentication and allows the client to access the web API without sending the username and password in each request.
User's Hashing SaltThis is a string that is used to salt hashes for requests made against established user accounts.
The iPhone will make calls to the web API in the following manner:
API Method: Create Account
Client Sends:
New Account Data (Username, Password, First Name, Last Name, etc..)
Application ID
UTC Timestamp
Hash of UTC Timestamp + Application ID salted with Application's Hashing Salt
API Returns:
New User's Hashing SaltThe idea here is that, when creating an account, I can use the application's hardcoded salt since it's not a huge security risk if that salt ever got out (through decompilation or some other means).
But for methods that access and modify the user's data I'll use a salt that is owned only by that user so it can't be used by an attacker to impersonate others.
API Method: Get Account(Used for getting user's hashing salt for accounts that were created on the web site but haven't yet been synced on the iPhone. This happens when a user tries to log in on the iPhone and iPhone detects that it has no record for that username.)
Client Sends:
Username
Password (hashed with Application's Hashing Salt)
Application ID
UTC Timestamp
Hash of UTC Timestamp + Application ID salted with Application's Hashing Salt
API Returns:
Existing User's Hashing Salt
API Method: Log In (Authenticate)
Client Sends:
Username
Password (hashed with User's Hashing Salt)
Application ID
UTC Timestamp
Hash of UTC Timestamp + Application ID salted with User's Hashing Salt
API Returns:
API User Access Token
API Method: Any Command (i.e. Create Post, Update Profile, Get Messages, etc...)
Client Sends:
Command Data
API User Access Token
Application ID
UTC Timestamp
Hash of UTC Timestamp + Application ID + API User Access Token salted with User's Hashing Salt
I did it using asp.net mvc 4.0/web api basic membership. you may find it helpful.
Yeah, Use SSL for sure
https://github.com/aamir-poswal/Mobile-Apps-Authentication-Authorization-ASP.NET-WEB-MVC-4.0
In VS 2013 you can use the "Asp MVC SPA Application" template to generate a working implementation that is generating a Oauth2 token bearer on login and authorizing it for WebApi controller calls using [Authorize] attributes. It uses Membership and Entity Framework to store users and hashes locally in a SQL Server. Just delete the asp mvc parts you don't need and keep the Auth part for WebApi. More details here: http://msdnrss.thecoderblogs.com/2013/09/understanding-security-features-in-the-spa-template-for-vs2013-rc/
My suggestions
Authentication and Authorization. Build it on 2 different servers(In some projects I have used 3 as well). Reverse proxy servers are really good with this. Authenticate on one server and authorize it on the other.
This is the most important step I think that is needed in mobile security that use Web APIs.
Encapsulate everything.
Use SSL for all secure information. In my case I use it for everything.
For your timestamp select a suitable time for which you can have authorization. Do not make this very short as your app will become slow or too long as network sniffers can access the packets.
If you want a 3 server architecture For your requests have an application key as well that you use to generate a access key (from Server 1). This access key will authenticate your requests which after successful authentication(from server 2) you can use that key to authorize your requests from another server(server 3)
The requests you have mentioned are standard norms. Don't really see a problem with that.