I have a laravel backend which has rest api. But I want my rest api to be used only by my android app. So how do my backend know that the request is coming from my android app only and not from web or another app?
NB: I don't want the users to accept some login challenges.
you can use jwt. Each time you execute a request you must obtain the token. The token ensures that the user belongs to their service. The token must be saved in some way in your android app to return that response to the api rest.
https://github.com/tymondesigns/jwt-auth
Also keep in mind protect your endpoints in the api rest:
Route::middleware(['jwt_auth'])->group(function(){
Route::group(['prefix'=> 'V1'],function(){
Route::post('/endpoint', 'V1\EndointController#store');
});
});
Related
I want to implement Rest api with authorization in my Wordpress website. the version of Wordpress is 4.9.5 and REST api version 2.0-beta15. For securing my apis i need to implement OAuth on my site and at first, I implement WordPress REST API – OAuth 1.0a Server from this link and this useful link. But had these issues with plugin:
Rest-calls still works without authorization and every un-authorized user can call my rest-apis.
I want to implement this inside my Android app so I had to handle all steps in the background, but with this plugin, I should show many webView to user and user should fill them and the final token is also shown to the user in webview and this does not sound good for me.
So I looking for another plugin and find JWT Authentication for WP-API. This plugin is easier and handy. I followed the instructions and can get token and add to request header to make a request and if it is the valid response is 200 and if not need to validate. Every thing seems to work fine!
But the same problem:
every single REST API is even working without authorization header and if I do not put header the result is 200 And all request works as before without any Authorization
This is despite documents that say:
Once you get the token, you must store it somewhere in your
application, ex. in a cookie or using localstorage.
From this point, you should pass this token to every API call
So now I see that I cloud not restrict API call to have Authorization header in both plugins, how I can achieve that and what is the best solution?
I finally solve this problem with this plugin:
Disable REST API and Require JWT / OAuth Authentication
As its name says it will do exactly what i want. It works on both plugin i used
JWT Authentication for WP REST API
WP OAuth Server
And restricts all api calls that not authorized and works fine.
So i my best practice is JWT for Oauth + Disable REST API and Require JWT / OAuth Authentication and they are very good combination to implement OAuth in android application for word-press.
I have a server developed in laravel. I have an android application that can send POST and GET request to my server. I found that i can send POST and GET request from any other systems if have the link to my api. I want to authenticate my API and only allow my android application to POST and GET from my API. Please note that i dont have user login in my android part. I simply want to authenticate my android app to access those APIs.
If you want only your mobile application to make API calls, you can't. Your API doesn't know who is sending the information, he can only check if the information is correct and proceed with your endpoint. Like others have said use JWT/Authentication to limit who can use your API by creating an account or requesting a token, but there's nothing to prevent the user from taking his token and use it on his browser or tool of his choice like Postman.
I have a rest API which create by asp.net webservice, and I have an android and IOS application which call the api and show some data to the user.
what I need is to secure my API in a way that only my application can access to the data through the api and other request rejects.
I should mention that my application are not user base so there is no login and authentication and I don't want force user login !!!
According to my search, I need query authentication (query parameters) to achieve this.
What I need is how to create this kind of query parameters and how to validate them? (Performance is too important for me)
Thanks in advance
You can use basic authentication or any token based authentication mechanism.
So on every request to your api, get the authentication headers(authenticiation tokens in http request header) and verify if client is allowed to invoke it. If it failed then send by necessary HTTP status code. You just need to ensure that the applications that you want to allow to call your api are using those security tokens in their request headers. And you can keep those credentials or security tokens in memory or file or db as you like.
I am not a security expert, but as far as I know what you want is not possible. Anything you embed on the client to authenticate your application is accessible to an attacker, who can than use that information to access your API.
For users signing up from our android app and iOS app, we need to generate short lived access token from the app and need to have the server generate the long-lived token.
Referring to https://developers.facebook.com/docs/facebook-login/access-tokens#extending, we see the following -
Make this call from your server, not a client. The app secret is included in this API call, so you should never actually make the request client-side. Instead implement server-side code that makes the request, then pass the response containing the long-lived token back to your client-side code. This will be a different string than the original token, so if you're storing these tokens, replace the old one.
Once you've retrieved the long-lived token, you can use it from your server or ship it back down to the client to use there.
How do we implement this when we have an android app and server and not a web page as the client?
The facebook documentation mentions that Mobile apps that use Facebook's mobile SDKs get long-lived tokens. How do I get short lived access token from android app? How can we have this implementation in a mobile app mentioned in facebook docs - Web client authenticates, exchanges the short-term token for a long-term token via a server, token is sent back down to the web client and then the web client and makes calls with the long-term token. Also they have mentioned in the docs Make this call from your server, not a client - GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
Have a look at Design for Facebook authentication in an iOS app that also accesses a secured web service
You just need to create a WebService on your server which receives the Access Tokens, and takes the appropriate actions.
I am creating simple REST API with OAuth2 authentication. I use Apache CXF, and the only third party app (consumer) that I will have for beginning will be Android application.
I was wondering if I must have redirectURL set for my
org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant
I want just to return authorization code as JSON to my application and continue with OAuth protocol from there.
On the app, I plan to mimic form with POST request which will also send username/password to authorization grant service. Once I get response I will use authorization code to call access token service.
Is this OK, or there is better approach to programmatically do OAuth from Android APP as a client? I know about Spring OAuth for Android, but don't want to use it until I try simpler implementation.
Best Regards!