I'm trying to figure out how to implement the following authentication flow:
The user accesses a web application (most likely to be written using Ruby on Rails) and authenticates (e.g., username/password).
The client consumes data via AJAX provided by a RESTful API built on Google App Engine (Python, webapp2).
Requirements:
Only users authenticated in the web application (Rails) should be able to access the API hosted on App Engine.
Users can have different roles in the web application (Rails), and the API (App Engine) needs to know what roles are associated to the given user to restrict access to certain data.
The client should be able to call the API (App Engine) directly via AJAX, without routing all requests through the web application (Rails).
I'm looking for suggestions on how to implement such workflow. Should I use OAuth (or OAuth2) for accessing the API? Should the OAuth provider live on App Engine and the web application (Rails) ask the API for a token on behalf of the user? If so, what is the best way to allow only the web application (Rails) to request OAuth tokens? Or should I consider a completely different strategy?
Any suggestions are greatly appreciated. I'm also looking for suggestions of libraries to implement OAuth in the context above.
I suggest you use caution if you are considering implementing an API built on the Google App Engine using OAuth for your security layer. I am currently involved in a project that is struggling to solve exactly this problem. The OAuth layer over the GAE is still new and considered by Google to be "experimental". Google's documentation is minimal at this point. What there is begins here. I wish you the best if you try to proceed, and I will do my best to offer help if you do.
My solution to this same problem was to write my own three-way authentication (like OAuth):
After the user is authenticated on the RoR server, it responds with a temporary token. This token is stored on the RoR server, is good for 60 seconds, and contains the user's roles.
The browser sends this token (using AJAX) to the webapp2 server. It's like logging in on that server using just the token.
The webapp2 server forwards the token on to the RoR server to make sure it is valid.
The RoR server makes sure the token hasn't expired and immediately deletes the token to prevent duplicate requests. If the token is valid, the RoR server responds with the user's roles.
If the response from the RoR server is good, the webapp2 server responds to the browser's AJAX call (in step 2) with a cookie indicating that this user is now logged in. The session should contain the user's roles.
Subsequent requests to the webapp2 server will include the cookie so that server can respond according to the user's roles.
Related
I am building a reservation system in Google App Engine using Go. I need 2 forms of authentication in my program.
Public Form -- form built in Angular that is on our public website. I want my front-end to have some sort of credentials.json file to use when requesting the book and getOpenDates endpoints in my RESTful API running in Go on Google App Engine.
Private Companion App -- protected by username and password that the user supplies in my app built in Flutter. The app is requesting many endpoints in App Engine. I would like to use JWT to authenticate this portion, but I'm not 100% sure JWT is what I need.
I'm not sure if this tutorial on Identity Platform is what I want. I'm very new to App Engine and authentication in general, so I am a bit lost.
Please describe how I could implement these authentication methods in my RESTful API in Go running on Google's App Engine. I think I may be able to implement the username/password method using a tutorial like this but I'm very lost on the 1st form of authentication with just a credentials file as authentication. If I'm going in the complete wrong direction to accomplish what I want please tell me, but what I'm looking for is code or a tutorial describing how to authenticate using these 2 methods. Thanks for any help.
From what I understand, you want to have a golang backend API in App Engine that serves both your web frontend (1.) and your users app (2.).
I am going to suppose that any user with username/password can use both your frontends: the web app and the mobile app with these credentials.
The credentials.jsons are not designed to authenticate users of your services, but rather server to server communication.
With that in mind, I have found the guide Session based authentication in golang, that could help you to set up your backend to accept only authenticated requests over HTTPS. The web browser will automatically save the cookie, however you need to store the cookie in your mobile app.
For much more complicated scenarios for authenticating from different webpages, it is required to use OAuth2 as you can see in this thread. If you don't find any of your requirements listed in here it is probably overkill to use Auth0 nor OAuth2.
I have developed an AngularJs website, Android & IOS mobile apps. I am using https protocol to make my web service calls more secured. I am using OAuth flow for user authentication process. Once authentication process completed, OAuth token will be sent as a response to client apps.
Anyone can get access to server resources (upload/download user files) using this OAuth token from API response. So the system is not fully secured because it is difficult to check whether the request coming from my app or outside of the app.
If someone found the OAuth access key returned from my service, they can use them to upload/download resources from outside of the app. Server resource should be more secure as it contains more sensitive user records. Please check the below image to understand the workflow. Other programs section refers to custom batch scripts, other client apps, 3rd party tools etc..
How can I restrict my REST web service to send failure response if anyone tries to access it from outside of my app?
Please provide me the way to secure my web service and server resources by resolving these security issues.
I am quite new to the django-rest-framework and building APIs, and I am thinking of way to secure my APIs.
My question is:
How to allow only your front-end application(AngularJS) to call specific (django-rest-framework's)API endpoints?
For the time being I have set permission to all my Views to be IsAdminUser. Also I have created superuser account(for the front-end app). First step is that my front-end app sends requests to login endpoint which authenticates an app, and if successfull, it sends back user token to allow futher API calls. Then user is able to register and/or login, and as soon as he authenticates using his own details, further requests are executed using his own token.
It is working however it is quite spoof. Can someone with more experience advise me on how to allow my APIs to be called only by my front-end client?
Inside my servlets, this is how I authenticate user
UserService userservice=UserServiceFactory.getUserService();
User user = userservice.getCurrentUser();
if(user == null){
response.redirect(userservice.createLoginURL("../userhome"));
}
More recently, in the same project I used Google Cloud Endpoints with authentication to access data using a JS client. The JS client authorizes using Oauth
gapi.auth.authorize(...);
Although they belong to the same App Engine Project and share the same credentials, the servlet and JS client ask the user to sign in independent of each other - as if they were two different applications.
I want a single sign in for the whole application. How do I do this?
Here are some points:
It is important that you have authentication at both the levels. This is a good practice and does not leave your functionality open for execution without any authentication mechanism.
When you are doing the authentication on the client side, the whole authentication layer passes this User object to your Google Cloud Endpoints code. So, it is good if you could inject the User object in your Cloud Endpoints method to extract out the information of the user and do your own authorization if needed.
In summary, you are not really doing an authentication again at the Server side if you notice. You are only checking if the authentication is done or not and then proceeding forward.
We're writing a Desktop application that relies on Google Appengine to authenticate the user and retrieve and store data associated to it.
The way we'd like to authenticate the user is that on launching the application the browser is launched at the login url for our application. Then the user logins there, and then the application makes restful calls without any OAUTH object, but re-using the browser session. I'm questioned that this won't work, since we cannot so transparently use the browser session. Is that correct?
Any alternatives beside authenticating from within the app using the ClientLoginApi?
I'm aware of:
How do you access an authenticated Google App Engine service from a (non-web) python client?
The only way to do this is if you can capture the authentication cookie used by the browser, and send it yourself. Obviously, there's no browser- or platform- independent way to do this.
A better option would be to use OAuth, with OAuth for installed apps to obtain the original token.