I am playing with WSSE Authentication (through Symfony2) and I have defined the following classic Login flow :
User enters its username & password & get the associated salt from the server
username & password are checked on the server (ajax call) through a WSSE header check
If Credentials are valid then, required data (i.e data that allow to re-generate a WSSE Header at each request) is stored on the browser
This is fully working.
Now, I would like to add the "Signin with facebook" feature. That's not a problem there's plenty of documentation on it, BUT, my purpose & my difficulty is to keep the WSSE logical working
As the user never enters its password if he logs in with Facebook, I am unable to generate wsse headers, and for this there is no documentation at all.
Would someone have already dealt with such an operation? Thanks in advance
the solution i found is following this order :
1) Create a webservice not under the wsse firewall but secured by a header token or something else like x-token : fdslkjl324l2lrkljlkfsjflkjfkljl2, which return the password encrypted from the database for the given user.
like for example : you should have an webservice to get user salt to encrypt user s password to authenticate through wsse API.
2) use the classic wsse webservices with generated token from the encrypted password following the wsse
now that you have the password encrypted you can simply authenticate under the wsse service.
The most important thing is you don t have to put the user password in plain .
Related
I have a requirement where I need to get an access token of a user.
I am aware of the admin username and password and hence can get the access token of the admin.
Is there any rest API that can provide me access token a user using the above data?
There are two ways to get access token. One with Rest client (keycloak Rest API) and other through java keycloak-admin-client library.
1. Keycloak Rest API:
URI: http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token
Type: POST
Content-Type: application/x-www-form-urlencoded
grant_type:password
username:user
password:user_password
client_id:client_id
secret_id:client_secret
2. Keycloak admin client (JAVA)
Keycloak instance = Keycloak.getInstance("http://keycloak:8080/auth", "myrealm", "user", "user_password","client_id", "client_secret");
TokenManager tokenmanager = instance.tokenManager();
String accessToken = tokenmanager.getAccessTokenString();
I have the same requirement, however we dont want to pass this Clear Text Password in either of the above approach. We are thinking following approach but want suggesting if any best practices are already in place.
Step-1: Create a secured end point at server end to return token from Keycloak.
Step-2: While calling this end point first, Encrypt the password using some shared key at client end.
Step-3. At the receiving/server end decrypt the password with same shared key.
Step-4. Fetch the token from KeyCloak at server end and return it.
If there are any other better approach, we should follow.
I want to send Keycloak user reset password email from my web app without using Keycloak SMTP configuration. For that I am trying to generate the reset password link but I am not sure how to generate the code in URL. Are there any API call to generate action code or full reset password URL ? Keycloak generate something like below. I need to generate same. That's the objective.
https://server.com/auth/realms/xxx/login-actions/action-token?key=ffdfdfdfd
There is no such API directly exposed in Keycloak.
Keycloak provides action tokens that permits its bearer to perform some actions, e.g. to reset a password or validate e-mail address.
Perhaps you could have a look at the action tokens SPI:
http://www.keycloak.org/docs/3.3/server_development/topics/action-token-spi.html
This way you can handle your use case.
I want to know how username and password sent to the method by using Basic authentication in rest in server. I want to go for Basic authentication because of domainname\username.
Is it possible to create custom username and password for basic authentication?
I want to create an app that will authenticate with my server using oauth.
My question is how will this work?
My client side will communicate using HTTPS with Facebook and get an Access Token. Then it should send it to my server side to authenticate? My server should save the token in the db? How it can validate the token?
how will this work. ?
When the client needs authorization to access some information about the user, the browser (user agent) redirects the resource owner to the OAuth authorization server. There, the user is faced with an authentication dialog (this dialog is not shown if the user is already authenticated), after which he or she is presented an authorization dialog explaining the permissions that the client is requesting, the information that it needs to access or the actions that it needs to do on his or her behalf.
Access Token should send it to my server side to authenticate? or server should save the token in the db?
From what you describe I'd suggest to use a server-side login flow.
-so that the token is already on your server, and doesn't need to be passed from the client. If you're using non-encrypted connections, this could be a security risk.
(after a user successfully signs in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity of the ID token and retrieve the user's ID from the sub claim of the ID token. You can use user IDs transmitted in this way to safely identity the currently signed-in user on the backend.)
-See
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2#login
How to validate token ?
you can follow this link , you will get your step by step solution for an app.
Facebook access token server-side validation for iPhone app
I am developing a web service and I need to send a username and password to the service in a GET method. Is it OK to send this information in the uri as long as it's going over a secure channel like ssl? In other words, can I have a uri that looks like /users/{username}/{cleartext_password}?
Edit: Sorry, I think I was unclear. The web service is essentially just a database of usernames and hashed passwords. Imagine a desktop application that keeps usernames and passwords in a remote database. The end user types their username and password into the application and the application accesses the web service to authenticate the user.
So, the application will need to send an end user's username and plaintext password to the service. The service will take the username and password and check that the username and the hash of the password match the username and hashed password in the database. The application itself will have to authenticate before it can access the service, but I am just wondering what is the best way to send the end user's username and password to the service for authenticating the end user. I don't to use a POST method because I am simply authenticating and therefore not changing the state of the server. Sorry for the confusion.
Do this.
Send a "key" and a "digest".
The "key" is equivalent to a username.
The "digest" is a SHA1 (or MD5) hash of the key, the URI and a "shared secret" or password.
When the server gets this, it computes it's own version of the digest, based on key, URI being requested and the "shared secret" or password. Failure to match digests is a 401 error response.
If it's going over a secure channel, there's no problem sending the username and password as cleartext. I'd just recommend against ever sending them as cleartext through an insecure channel and against sending them repeatedly for each request.
What you could do is first authenticate to the web service (send the username and password via ssl as cleartext) and get a token from the server that it will recognize. Then send that token with each subsequent request.
Generally speaking this is not a good idea... This data will be present in a number of log files, consequently the data could be visible to people who should not see it. At the very least you should hash or encrypt it before sending it if you can.
Here is a related discussion for a little more detail... Is an HTTPS query string secure?
SSL does encrypt the URI, but definitely take a look at some alternatives.
HTTP Basic Auth is nice and simple, and well supported by browsers, webservers, etc
It also won't end up in log files to the same degree as URIs
NB: It's just some plain-text HTTP Headers, so definitiely NOT recommended for non-SSL apps.
http://en.wikipedia.org/wiki/Basic_access_authentication