Our users can only use Facebook Oauth2.0 to signup and connect with our service on google app engine.
Is it in this case even necessary to have the connection secured over https? Would the secret token be still in danger to be sniffed by a man-in-the-middle-attack? Or can we leave it by that?
Usually https is a must if username/passwords are used to protect plain passwords over the wire. Not so sure about oauth 2.0.
Thanks,
Yes it's necessary. Secure token is a credential as much as username/password are. If someone sniffs it out they can hijack users session for as long as token is valid.
Related
I have a cli (which use a rest api) which needs authentication for use.
As of right now, it supports a token auth. This token is generated at the server on a request with username and password and given as the response.This is not ideal (due to man in the middle attacks) and I am looking for a better protocol to use to generate the tokens.
Users will use such a protocol from a cli, and may or may not have access to a browser on the same device (Though a protocol that requires opening a website is not a problem)
The OAuth device flow seems to be a very simple to use flow, but it is meant
for authorization and not authentication. I also do want to support OAuth as that will require a lot of work, and frankly not what I need.
What is the standard or recommended protocol to use in such a situation?
MITM should not be an issue if your server and app are properly securing the connection. There is nothing really wrong in using a username+password to connect to your backend services. After all, when you're logging into the site you're sending an HTTP request with your username and password to a backend the same way your cli app would do it.
But OAuth indeed can a better fit for cli app:
it's easier to revoke the stolen OAuth token than to force user to change a password,
an app doesn't have to deal with user credentials (although OAuth credentials flow is also exists),
it gives you flexibility when creating new tokens. For example, you may want to issue short lived tokens only to force the user to re-login each time the app is used or you may want to use long-lived refresh tokens.
As you already mentioned, OAuth doesn't handle authentication but you can use your current login flow to verify user credentials and issue an OAuth token (how exactly do that is a separate topic).
I don't think there is a special protocol targeting authentication in cli apps. In any case the app would need to send some secret to a backend. One of the possible solutions is to use OTP (e.g. SMS or email code). In this case you send the code the same way as you would send a password but it is better protected against MITM attacks because a code cannot be used more than once.
I'm in the middle of writing a RESTFUL API in Hapi, I could not figure out API authentication methodologies.
Assuming we're using SSL/TLS with HTTP/1.1, why do we need something like JSON Web Token (JWT), where we already have HTTP Basic Authentication. We may protect every endpoint with HTTP Basic Auth, so we wouldn't even need login routes like '/login'.
So, what's the point of those authentication schemes, OAuth's and JWT?
Thank you.
OAuth and JWT use tokens, not passwords. Tokens are uniquely generated per application and site. If someone steals a token, they have not stolen your password, and that token is only good for that session only.
Contrast this with basic auth, it's an actual user password. Not only can they re-use that password whenever they want, they can also use that password with any other service that uses the same password. Stealing a token doesn't allow that to work.
I would like to build my own REST app.
I'm planning to use oAuth as a main auth approach.
The question is: Can I use login and password as client_id and client_secret (in terms oAuth spec) ?
I don't have any third side applications, companies, sites etc... which will authenteficate my users.
I have my own REST server and JS-application.
Whole site will be made in usual(RPC) approach, but some private part will be done as RESTfull service, with enough stand-alone JS application.
UPDATED: I'm not sure that I even need full oAuth support. It seems to me that I can ask login and password on https page and then generate some token. Later i could use it to check is this user authenticated already or not. But in this case this oAuth become almost the same what we have in web aplications. I do not need oAuth to athorize users ?
I'm not consider HTTP(s) authotization because i don't want to send evrytime user and password to server.
No.
One if the main reasons OAuth exists is to allow integrations without users compromising their usernames and passwords.
If you plan on using username and password, look into xAuth as an option if you still want to sign your requests. More info: https://dev.twitter.com/docs/oauth/xauth.
But you could likely just as well go for HTTP Basic Authentication. At least if you publish your API over SSL. More info: http://en.wikipedia.org/w/index.php?title=Basic_access_authentication
I think you might get a better answer on the security site. See, for example, this question.
In any case, you need to start with a detailed assessment of what attacks you are trying to prevent and what attacks are "acceptable.". For example, if you are using HTTPS then you can probably accept the remaining danger of a man-in-the-middle attack, because it would require forging an SSL certificate. It is harder to say in general if a replay attack is acceptable.
One reasonable solution would be to create a time-limited temporary token by having the user authenticate over HTTPS with the username and password, generating a secure token with an expiration date, and then sending that token and expiration date back to the client. For example, you can create a (reasonably) secure token by taking the SHA1 hash of a secret plus the user name plus the expiration timestamp. Then the client can include the token, the user name, and the authentication timestamp in future requests and you can validate it using your secret and your clock. These need not be sent as 3 parameters; they can be concatenated into one string user|timestamp|token.
Register your application with SLI. SLI grants a unique client ID and a client secret that enables your application to authenticate to the SLI API. You must also register the redirect URI of your application for use in authentication and authorization flows.
Enable your application with specific education organizations so that the application can be approved for use in those districts.
Configure and implement the appropriate OAuth 2.0 authentication and authorization flow in your application, which includes managing sessions and authorization timeouts.
I'd like to get an OAuth access token client-side (iPhone) and send the access token back to my server to make gdata requests on behalf of the user. Basically my question is, is this safe? Couldn't someone sniff the connection and pull the access token out and use it maliciously?
Google allows you to authenticate 'unregistered' applications by using 'anonymous' as the consumer key and secret in HMAC-SHA1 signature mode, which is what I'm doing. I'm then passing the acquired access token server-side to do my data manipulation. It works which is great, but I'm having security concerns about the solution.
Thanks for your comments!
Is your server secure? Are you issuing requests using https? Also, is registering to get an actual consumer key/secret out of the question? An access token is only good for the consumer key/secret that generated it. If you were to register, that would add another level of security (being that your consumer key/secret would only be known to you) but I would always suggest that communication from your app to your server should be done over a secure connection.
I have an MVC3 web app that does auth to a customization of StarterSTS. I require the realm to be known and the authentication to require SSL.
It works, great.
The problem is when the user lands back onto my website they are browsing with https. This isn't really the experience I want. My site is not a bank or anything of the like. I feel the authentication conversation should be secure (I think) and the token encrypted (I'm sure). But if I manually change the url from https to http on my replying party web app after authenticating it says I'm not authorized.
1) why?
2) Is it possible to fall back to http ? or ... Should I not require https for the authentication, but leave the token encrypted?
Well - what's wrong with SSL?`
The token should be always transmitted using SSL - even when it is encrypted, it could be replayed etc.
Also the resulting session token needs to be protected. So I would go for SSL (easy to setup) and not worry about possible attacks that result from not using it (hard to implement).
That all said - you can turn off the SSL requirement on the wsFederation (requireHttps="false") and nested cookieHandler (requireSsl="false") configuration element.