I am planning authentication solution and trying to figure out which approach would be the best.
The system is mobile app (client application) and web platform with REST api.
The approach is to use token based authentication. My first try was Spring with its integration for OAuth2. However, it seems that Spring Security OAuth2 doesn't support token authentication without adding client credentials (which is still valid flow according OAuth spec, imho). In my case it is redundant to generate client credentials as mobile app is an integral part of the system. The desired flow should look like that :
Token authentication sketch
Is it good idea to use Spring Security OAuth2 in this specific case? Is it possible to limit it smoothly only to this functionality without boilerplate code? Maybe it is good to implement this endpoint without OAuth2 module and use pure Spring Security?
Thanks in advance for any insights :)
Related
I'm building a React SPA on top of a ASP.NET Core API and I want to authenticate with OIDC. Grant type is authorization code and the client does have a client secret.
Since we will be using a client secret, the authorization step that involves the secret has to go through a proxy that we control.
Is this doable in a React SPA with oidc-client?
If the secret is in the client, it's not a secret. :)
Secrets are for server-server authentication, because the secret is secure on a server (we hope so, anyway) and the API granting access has a whitelist of consumers it's granted access to use the secret.
For a SPA, if you're talking about allowing an app to use an API, I believe you're limited to using a CORS whitelist. If you're talking about a user accessing the API via the client, then you're looking at access codes and usernames/password.
PROBLEM
You have a blocking issue with the authentication system, or with usability or getting security to an acceptable level. In your case there is no PKCE support.
PROXYING SOLUTION
Use oidc-client which will add PKCE parameters and your SPA security supports the latest standards.
The client secret will come into play during the authorization code grant and refresh token grant messages.
Messages can be adapted server side to remove PKCE and use a client secret instead. It is quite a complex solution though and not everyone will like it.
It requires a SameSite cookie issued by the web domain. In my case I used an AWS lambda edge function that runs within a CloudFront content delivery network.
WHY DO IT THIS WAY?
In order to fit into an SPA architecture and meet wider goals in areas such as usability, coding model, mobile integration and global web performance. Depends if you feel it is worth the effort.
LINKS
Architecture Goals
Design Pattern
Code Sample you can run
Online AWS SPA
Proxying details
I am currently working on a mobile application that will allow a user to sign in via username/password (OAuth 2.0 Password Grant), Facebook, Twitter, or Google. The backend for this mobile application is coded in Spring Boot/Cloud (Java) and makes use of Microservices principles. I have several small services that are discoverable via Eureka and make use of Spring Cloud Config for centralized configuration. They are all exposed to the Mobile device using Spring Cloud Zuul, which acts as a reverse proxy. The Spring Security OAuth 2.0 setup that I have takes in the username and password then returns a JWT token, this token is validated every time a request is made to the backend. I also store users locally in MongoDB and make use of Method Level Security. I want to add Social Login to my application and have it do the following:
On the Mobile Device do the OAuth dance and get an access token
Send the access token to the server, and using Spring Social create a new User locally and associate it to Facebook/Twitter/Google, and then return a JWT token that can be used to validate requests
This JWT token should be created by Spring Security, and I should still be able to use Method Level Security and have local users
Basically I want all the features I have with my custom Spring Security OAuth 2.0 Password Grant with Social Login
This is my first attempt in architecting a system, and therefore am looking forward to responses from those with much more experience than I have. I have seen many examples that use Spring Social, but all of them are for Web Apps, not for Mobile, this is where I am currently stuck at.
The questions I have are the following:
Is my suggested approach adequate? Are there other approaches that are stateless and better for mobile applications?
Is Spring Security OAuth 2.0 and Spring Social Security enough to accomplish this? If so, are there resources that I can use? I have not found many online.
Could Spring Cloud Security be used as a solution?
Should I consider using a 3rd Party provider for Authentication such as Auth0 or OKTA?
using OAuth2 for a stateless solution is in my opionion adequate, because of:
oauth2 in general is a protocol designed to be usable in every client, which is able to perform http requests. Since the social nets you mentioned all support OAuth2. If everything goes bad, you still can consume them manually respecting the oauth2 specs, which they implement.
in general I see a problem with "authenticate with XXX and use that token as JWT for my requests". This is not directly possible, because that token is for their resource servers. Instead you need to separate 2 processes: authentication and authorization. In short you can use the socials endpoints to authenticate a user in your backend, which leads to a second oauth2 generation from your authorization server. This can create a JWT using all features from spring-oauth.
This libary should used in addition, since it helps to setup a application wide security solution. As example, you keep an own authorizationserver (which authenticates using social login) and several resource servers. spring-cloud-security helps to build things on top of that, as Zuul SSO, hystrix+ribbon powered feign clients respecting oauth2 authentications and so on
I don't thing this will help you, because those services primary serve you as an identity provider, while you are going to couple your users identity over social networks
I hope I could clarify your question in some way
I have achieved it by referring two spring example applications. Check this
steps, you will be able to achieve social sso login with Zuul, Auth-server and multiple back-end REST projects.
We're building a website using Django + Django Rest Framework for the back and Angular for the front.
There are three authentication systems in django rest (as of the docs) :
Basic Authentication : "appropriate for testing"
Token Authentication : "appropriate for native desktop and mobile app"
Session Authentication : "appropriate for Ajax clients"
I'm a bit lost here. I'm guessing session authentication should be the one to use when front is running on Angular. But I'm not sure. And I can't get why token is not appropriate (security issue ?). What if I want to make a mobile app afterwards ? Should I consider two separate parallel authentication system (token for the app, session for Angular) ?
Can someone clarify this to me ? Thanks !
For your requirement session authentication would not be feasible.
Token Authentication would be a better choice. If you want more security then you can look into JWT(JSON Web Tokens link)
Reasons not to choose session authentication for your requirement is perfectly explained here
Token authentication should be fine. Session authentication is highly dependent on browsers, the way is implemented. And, for the record, no one stops you from going forward with both - they work just fine. For development phase, you could use sessions to authenticate towards the browsable API.
We are the process of developing a android phone app using IONIC framework and Web Api as the backend.
My question is ,is it sufficient to use Forms Authentication along with SSL to keep the phone app secure.
Our background is in Asp.Net web development and we could not see any examples that uses Hybrid mobile app development along with forms authentication,that makes me wonder if we are in the wrong track.
We implemented CORS along with WithCredentials both on Angular and Web API side, and the authentication piece seems to work fine for all subsequent calls in debug mode.
Do we need to take additional steps for security ,since its a phone app ?
Edit: I was reading about bearer token authentication with Web Api, is this a recommended way to go with phone apps ?
Thanks !
Yes my recommendation is to go with bearer tokens not with forms authentication.
You need to use OAuth 2.0 Resource Owner Credentials Flow which means that end-user provides the username/password only once for a specific endpoint i.e(/token) and then if the username/password valid you obtain something called Bearer Access Token.
This token is valid for specified period and you can configure this in your Web API. Once you obtain the access token, you need to store it securely in your android/hybrid app, then you keep sending it with each request to your web api protected end points using the Authorization header (Bearer scheme). I've written very detailed post which covers your scenario 100%. Please check the post Token Based Authentication and another one for authentication with AngularJS authentication which should work with your case. Let me know if you need further help.
Any help, advice and experience is welcome.
Im currently having a separate AngularJS SPA on a Apache HTTP Server and a Spring Backend on a Tomcat 7 Servlet. The backend serves as a Rest API for the SPA.
Some rest resources will require a user to have a certain role.
I've been searching the internet for days on what and how to implement the best security strategy:
Basic Auth
Digest
oAuth
Stateless, Cookies? Sessions? Tokens? CSRF?
How would you go about communicating Spring Security in Json or XML to your SPA to show the user an authentication page or an "your successfully authenticated page"?
Any help is appreciated.
I finally figured out how to make the SPA authenticate with my Rest Backend.
In spring security I created a
Custom SimpleUrlAuthenticationFailureHandler which returns a HTTP-Unauthorizated if a login attempt fails.
Custom SavedrequestAwareAuthenticationSuccessHandler which returns Http-Oke if a login attempt is successful.
Custom AuthenticationEntryPoint which returns Http-Unauthorizated instead of a redirect.
Custom LogoutSuccessHandler which returns Http-OK.
I disabled CSRF.
If anyone needs more help feel free to let me know or message me.
I highly recommend watching this Spring's introductory video. It explains usage of Spring Security from ground up using Java configuration. Apart basic configuration, authentication and CLRF token usage also dive into field security. Uses templating on server with Thymeleaf though, but can provide a lot of wisdom for REST based app also.