best way to implement authorization in REST API's developed on JERSEY Framework. For example, the following is my API end point URI and I would like to authorize so that only person access the API.
/api/swimpool/v1/swimpool/12
I read few article about securing REST services, but they dealt with authentication and static configuration in tomcat-users.xml in tomcat environment and little configuration in web.xml of the application.
Token based authentication is one I came across for authorization. Are there any alternatives or best practices for securing web services.
UPDATE
How does facebook application protect there resources, for example API is there which will list/displays the photos in a given album. But how does facebook secures (authorizes) the end-points not to access other's album.
For example, User A can view photos in his album, but can not view photos present in another user B. User A may try to guess the API (as the API is same for all the users) call being made to fetch the photos and modify the path parameters and try to fetch the details.
Thanks
Related
I have an azure mobile all that uses authentication/authorization with facebook, everything is setup and working on my mobile app, I’m able to authenticate with facebook and get an access token.
I also have a web app (ODATA) hosted in azure and also uses authentication/authorization with facebook and its also working fine if I try to access the ODATA service it redirects me to facebook to login.
According to this article (https://azure.microsoft.com/en-us/blog/announcing-app-service-authentication-authorization/) I should be able to silently or programmatically send the access token from the mobile app to the web app by sending a json with acces_token key.
The may question is how I do this, is that access token in the header or where should I write it I can find any information from it. I would really appreciate a code example or an article that can guide me to accomplish my task
The may question is how I do this, is that access token in the header or where should I write it I can find any information from it. I would really appreciate a code example or an article that can guide me to accomplish my task.
Based on my understanding, you are using Client-managed authentication for independently contacting the facebook then retrieve the access_token from facebook, then you could leverage the access_token to login with your azure mobile app backend.
Also, you have a Azure Web App uses authentication/authorization with facebook and use the same facebook App ID. Then you want to leverage the access_token in your mobile client to access your another Azure Web App. At this point, you could login with your azure web app and retrieve the authenticationToken as follows:
POST https://{your-app-name}.azurewebsites.net/.auth/login/facebook
Body {"access_token":"******"}
Then, you could leverage the authenticationToken and set it as the x-zumo-auth header when accessing your azure web app as follows:
Get https://{your-app-name}.azurewebsites.net/api/values
Header x-zumo-auth:{authenticationToken}
Additionally, you could create your custom Web API endpoints within your azure mobile app, details you could follow adrian hall's book about Custom HTTP Endpoints.
I know this question has already been asked by someone else, but I didn't found the answers to my exact question.
I'm building a backend that provides its API written using Django REST Framework and integrates Facebook using Django Social Auth.
The frontend consumes the API using AngularJS.
I used a simple Token-based Authentication and everything went well, when somebody authenticated with Facebook I could retrieve the simple token (which never expired) from the DB and return it to the frontend, which will use it for subsequent calls to the API.
My problem now is that I want to publish my APIs and use oAuth2.
In order to do this I am using Django OAuth Toolkit.
If a user uses the native login there is no problem, because I use resource owner password based grant type (giving only client_id because the frontend is a JS app).
Now, if a user authenticates using Facebook there is a problem! I have no password to use!
This fact made me reconsider everything about authentication in my backend.
I thought this:
Is it sensed to make my "official" frontend app consume the APIs using oAuth2?
Isn't it better to use Token-based authentication (or Session-based, if you prefer) only for my frontend app and let third party apps consume APIs using oAuth2?
And, if I do like this, how can I tell my "official" app from other apps? Wouldn't it become a leak in security (for some reason, I don't know...)
For this task I have already created my own facebook application to get the API key and secret key. Can anyone explain the next steps that should be done to
1) Read from facebook API
2) Write my own database
by using web services
Thanks in advance!
A high level answer:
I'm assuming you want to use the authorization code OAuth flow (this means you want Facebook users to give you access to their profiles so you can grab data from there). If so, you need to bring up a web server and an application that will run your users through the Facebook OAuth flow. In case you just want to access Facebook with your own credentials you don't have to have a web server, simply use the client credentials OAuth flow.
So, Once you have a valid access token, you simply make calls to Facebook API using this token. using Facebook Graph API is simply a matter of calling URLs and getting the data as JSON.
You can test-drive the API here.
BTW, according to Facebook's platform policy, you're only allowed to store Facebook data for caching purposes.
Let me know if this helps.
How can I handle authentication via OAuth for some social networks in my own backend?
My first approach with facebook was
Authenticate the client directly with facebook and get the accessToken
Send the accessToken to my own backend and create a new user, getting the details from opengraph
Return from the backend to the client an ApiKey (Own authentication), what is needed in each call to my backend
My questions are:
This approach is right? Maybe this works with facebook, but with twitter how can I get an "accessToken" and getting the data user like the opengraph from facebook? And, if I need anothers social network, this works?
I believe your approach is correct as OAuth2.0 by standards doesn't let a user LOGIN. Instead, you can get an access_token on their approval of your application to access their data, create the user on your side and that's it. Basically, you are going to use their social data to speed up the "sign-up" (and even possibly the sign-in process provided you assume that the authentication will be done through social networks) for the user.
In terms of how generic you want your implementation to be such that it will work with all social networks, I recommend you look into Spring Social as it already does a lot of that kind of work for you (in case you want it to be extremely generic).
Hope that helps!
I am developing an app which requires data from social networks..I wanted to know how to fetch details of a person from his fid in Facebook.I want to fetch only the data are marked public.From google search i got to know that we can use rest API or java API to get the data but it requires API key or access token which are generated only after logging in to the Facebook. please explain me if there is any other way to fetch the details.
From google search i got to know that we can use rest API or java API to get the data
Rest API is deprecated, and such a thing as a “Java API” does not exist – it’s just the Graph API that you’ll mainly use to get information from Facebook, and it’s quite well documented.
but it requires API key or access token which are generated only after logging in to the Facebook.
Of course you will need an app to be able to talk to the Graph API – but it does not require a user to login/“connect” to your app just to read basic (public) profile info. An app access token will be enough for that.