I'm trying to setup a private oauth2-server for usage with Android. I don't want any 3rd party-server to authorize, so my question is how to do this?
I had a look at Apache Oltu, but I haven't been able to find any HowTo to setup the server. Are there any instructions available or could someone who already did this help me?
Furthermore, is there a better solution? I don't want to just provide user/pwd-authorization (or even digest), because it's about getting an user-specific file, which should be automatically synced once in a while without asking for a password again.
The Apache Oltu documentation contains some example code, which should help you understanding the basics. Then you should have a look at the integration tests, which contain code for nearly all use cases.
But you have to understand that Apache Oltu isn't a standalone solution. It's only a framework, which handles the network communication for OAuth authorization and resource requests. That means, you have to implement
your own persistence layer for storing tokens.
your own security interceptor which actually checks if the received token is valid. Oltu isn't integrated into the webserver, so you have to take care that requests don't bypass OAuth authorization.
your own user registration process.
Related
I'm writing an API, that will be used by a webapplication and native iPhone and Android apps.
The users will create accounts, login, logout etc, either through the webapplication or native apps. But all the business logic is in the API. Thus, the webapplication and the native apps are mostly thin layers containing only UI to integrate with the api.
Question:
What are some general ways/technologies used to authenticate users against the API, when you have this outer layer of either a webapplication or a native app.
Related questions
Authenticating users in iPhone app
Disclosure: I work at Auth0.
Tokens! Tokens! Tokens!
The most widespread approach to authenticate users in a Web API is through the use of token-based authentication. The procedure can be reduced to these steps:
The client application includes a token in the request (Authorization header).
The Web API validates the token and, if valid, processes the request in accordance to the information associated with the token.
This type of token is usually referred as a bearer token, because the only thing that an application has to to get access to an API protected resource is provide the token. The use of HTTPS with this type of authentication is vital in order to ensure that the token cannot be easily captured by an attacker when traveling from client to server.
The token can be classified further either as:
by-value token - associated information is contained in the token itself
by-reference token - associated information is kept on server-side storage that is then found using the token value as the key
A popular format used for by-value token is the JWT format (Get Started with JSON Web Tokens) given it's encoded in a Web friendly way and also has a fairly concise representation in order to reduce overhead on the wire.
Choosing between by-value or by-reference token is a matter of considering the pros and cons of each approach and review any specific requirements you may have. If you go with JWT, check jwt.io for reference on libraries supporting this format across a wide range of technologies.
How does my application get the tokens in the first place?
Setting up your API to authenticate users with tokens can be seen as the easiest part, although the need to think about all the usual security precautions still applies.
The biggest issue with token-based authentication system, is putting in place a system that can issue tokens to your different client applications that may use different technologies or be in completely different platforms.
The answer to this, as mentioned on another answers, is to rely on OAuth 2.0 and the OpenID Connect protocols and do one of the following:
Implement an identity provider/authorization server system compliant with the mentioned protocols
⤷ time consuming and complex, but you're following standards so you're less likely to mess up and you'll also gain interoperability
Delegate the authentication to a third-party authentication provider like Auth0
⤷ easy to get started, depending on amount of usage (the free plan on Auth0 goes up to 7000 users) it will cost you money instead of time
You should check out
OpenID
OAuth
and have an Identity Server set up.
Depends on what technology you are using, IdentityServer is widely available
one is IdentityServer4 on a .net platform
Please do not hesitate to ask more! :D
I agree with #Fabian Bettag and #WickStargazer.
You can use OAuth 2.0 which works very well with web-app, mobile client and java-script client. Also you can use OpenID Connect to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an inter-operable and REST-like manner.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.
Note :- You can also implement SOAP for login,registration and logout(Security sensitive APIs) to add more security to your app.
Hope this will help and let me know for any help. Happy coding!!!
I want to develop the Android client for my RESTFull Web service. But, I'm nearly newbie in Android and I don't know how to make correct authentication with REST service. How to save user details in android ?
This is a fairly complicated topic that is too broad to explain fully here. I highly recommend Retrofit for this. Here's a link to their site, http://square.github.io/retrofit/
I've also put together a sample project that gets images from imgur api using retrofit if you'd like to learn more about the implementation.
https://github.com/mmeister1203/SampleRetrofitApp
For authentication, I suggest you use Authentication token. It basically works this way:
You send user details to server(through https, of course).
You receive authentication token, which you save in, lets say, SharedPreferences.
Every time you make a web request, you include your token the request.
This is most common approach when you don't need extremely high security.
I am working in a app that register a user in a specific place.
I got the client_id and the client_secret and the url, also the token url.
i have seen how simple was to use the AFOAuth2Client in Iphone and i would like to know if there is an equivalent for Android.
Thanks in advance.
It's generally not a very good idea to store secrets on a device. If you control the entire stack: client, API and AuthZ server, then make sure you use a Oauth2 flow that doesn't require that. (Or reconsider using Oauth2 altogther perhaps).
The simplest Oauth2 flows are quite simple to implement as they are straight forward HTTP requests.
Users of my Rails app can authenticate in one of these 2 manners:
Using their Facebook account
Using our own authentication
I'm using Facebook SDK on Android and devise and omniauth on Rails.
How do I authenticate against my Rails app on Android so I can then fetch the information I need from the server?
NB: I've noticed this question is getting a fair amount of views recently. Please don't follow the advice given in this thread too closely -- the web moves fast and it dates from 3 years ago!
This can be done using the fb_graph gem (not fbgraph!).
You can just add it to your gemfile and do
user = FbGraph::User.me(token).fetch
where token is the oauth token you got by using, for example, the Facebook SDK on Android.
user.email will be the user's email address (if you set up the necessary permissions).
You can use this URL for testing:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=https://www.facebook.com/connect/login_success.html&response_type=token
That totally depends on how your authentication system works. You will need to create an API on your server to handle communication from the Android app and pass information between both using the API.
Niraj Shah is completely right, though the answer might not be detailed enough for you. For an in-depth answer to your question, have a look at Securing an API railscast by Ryan Bates that has been released only recently. It covers HTTP Basic Auth.
You might also want to have a look at the more advanced option to secure your API / provide registered users access to their data. There's a railscast about this one as well here: http://railscasts.com/episodes/353-oauth-with-doorkeeper - though it's a pro episode, so you need to sign up for it in order to watch it.
Francisco, I have the exact same need.
The devise scenario using token_authenticatable seems straightforward and shouldn't be a problem but I'm not sure the best way to handle the Facebook scenario. On the web side, for FB auth I'm using omniauth-facebook as documented here: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview. I think this uses OAuth with FB as a provider so it's a good possibility that the latest RailsCast about doorkeeper securing an API with OAuth should do the trick. I haven't tried it yet but will do so soon unless you beat me to it. Here is the link: http://railscasts.com/episodes/353-oauth-with-doorkeeper.
I am in the planning phase a new project. I want to be able to control multiple relays from my android powered phone over the internet. I need to use an HTTP based server as a middleman between the phone and the relays. Django is my preferred platform because Python is my strongest skill set. This would not be a "web app" (with the exception of the admin interface for managing the user and their access to the relays). Rather, the server would simply provide an API in the form of HTTPS requests and JSON encoding. Though, I should note that I have never done any web development in my life, so I don't know best practices (yet). The authentication method should meet the following criteria:
Works over HTTPS (self-signed SSL)
Provides multi-factor authentication (in the form of something you have and something you know)
Be reasonably secure (Would be very difficult to fool, guess at. or otherwise bypass)
Is simple in implementation for the server operator and end user on the mobile client
Is lightweight in in terms of both CPU cycles and bandwidth
I plan to use the following scheme to solve this:
An administrator logs into the web interface, creates a user, and sets up his/her permissions (including a username and a password chosen by the user).
The user starts the client, selects add server, and enters the server URL and his/her credentials.
The client attempts to authenticate the the user via HTTP auth
(over SSL). If the authentication was successful, the server will generate an API key in the form of a UUID and sends it to the client. The client will save this key and use it in all API calls over HTTPS. HTTP auth is only used for the initial authentication process prior to reviving a key, as a session scheme would not be nessessary for this application. Right? The client will only work if the phone is configured to automatically lock with a PIN or pattern after a short timeout. The server will only allow one key to be generated per user, unless an administrator resets the key. Hence, simple, mobile, multifactor authentication.
Is this sound from a security standpoint? Also, can anyone point me to an example of how to use the HTTP auth that is built into Django? From a Google search, I can find a lot of snipits witch hack the feature together. But, none of them implement HTTP auth in the wayit was added to Django in 1.1. The official documentation for REMOTE_AUTH can be found here, but I am having difficulty understanding the documentation as I am very new to Django.
I'm not entirely sure of how basic auth would work on Django, but I can take a shot.
The basic auth article on wikipedia covers a pretty standard usecase for logging in. For Android I've personally skipped the first part (401) and just pass my credentials in right away.
With your auth request you will have to just grab the user credentials from the request headers (WWW-Authenticate) and then do all the necessary work for that. With the credentials you can then just use the authentication framework provided in Django to verify that the user then generate their UUID (I guess).
As for basic auth on Android it's a little bit tricky at first and may leave you pulling your hair. I've found this article on Basic HTTP auth for android which helps explain how to do it.
As for the security part of it, I'm not too sure. It's pretty simple, which I'd say is a good thing :)