So I’m building a flask app using AAD B2C based off the QuickStart code from Microsoft. All that is fine and is working with no issues but how do I secure individual user data in a backend database (Mongo DB API on Cosmos DB)? I’ve read a lot about RBAC but to create a new role Every time a new user registers isn’t really scalable. Because if you secure data via the mongo db secret key users can still modify data. I’ve thought about maybe adding a “user_id” of some kind to the documents in mongodb and pass along the user_id but in my head it seems that can be easily spoofed. So how do I ensure Users can only modify their own data? Is there a new DB user created for each user of the app that gets mapped to each other? Really I just want to secure user data in the DB with AAD or some kind of Kerberos method. Thank you!
Related
I have a desktop app written in Python which uploads some data to an SQL database (SQL Server) hosted on Azure. The access is authenticated using Azure AD MFA. The application uses pyodbc. This is a bit cumbersome because I need to type in my password and authorization code every time I use the application. I want the application to get authenticated automatically. I do not want to use some simple workarounds like giving the app direct access to the database circumventing AD authorization.
The second problem is that the application inherits all my access privileges, which it does not need since it loads data to temporary tables. I understand that I can register the application with the Azure AD and obtain an access token. However, I do not know what to do next.
I need to type in my password and authorization code every time I use the application. I want the application to get authenticated automatically.
You can use Active Directory Integrated Authentication method to login to your appication automatically.
For this you need to federate your on-premises active directory instance with Azure AD.
With this if you are signing into a domain-joined machine. You can access Azure SQL data sources without being prompted for credentials with this mode.
But you can't set the credential property of sqlconnection.
For more information you can refer this Microsoft Document.
Also, as you are referring Access tokens here is the link with complete information.
I am new in Django, python , and AWS. I register a user, and I can see the user in my Django admin deployed to AWS. After I write a new feature and 'eb deploy' to AWS. I can see the new feature, but the user I registered before disappear. Can any one help?
#zijila The database is not going to carry over. It is probably a SQLite database for testing purposes. You probably wiped that DB out when you deployed using AWS EB. You should set up a MySQL database in AWS using Aws RDS. add the connection string to that DB and create a new user. That way the user is persisted when you redeploy.
Tip: Try not to write in the answer field when you respond on StackOverflow. Use the comment.
I am working on a Flask webapp that requires user authentication. Currently, username and passwords are stored in the database and the server side script checks the database and authenticate the user. I am trying to change this to OneLogin authentication that this company is using. I have no idea now how to get this task done.
How should I approach this? Where should I get the info?
Thanks!!
What does your existing code look like? If it looks at all similar to the "normal" way to protect views (http://flask.pocoo.org/docs/1.0/patterns/viewdecorators/), it should be easy to adapt to using the library linked to by the company's developer documentation.
https://github.com/onelogin/onelogin-python-sdk
One of my projects I have developed backend API using Django REST Framework and mobile app using React Native. I have done the following things:
When the users log in I store their username in local (mobile) database.
When users post data I send the username to server reading from local database along with the POST data.
I check whether the user is logged in or not using the username and then process the request.
My question is: am I doing it in the right way? If no then what are the right procedures to do this kind of authentication checking?
How are you authenticating your users? It sounds like your using sessions authentication which is fine as long as both ends are on the same doamin. Then you just use the request.user object as you normal would in a non-api setting. I would recommend using Django-rest-framework-Jwt https://github.com/GetBlimp/django-rest-framework-jwt Json Web Tokens do not require you to store a bunch of information in sessions on your server keeping things faster.
Here is a good example of implementing jwt if your interested https://www.techiediaries.com/django-rest-framework-jwt-tutorial/
I have a web application that is currently written in rather messy PHP with a messy database that I'm in the process of migrating to Django. I have set it up in my project as a legacy database and have generated models using inspectdb, so I think I can fairly easily write a script to translate old database to new, but I'm not sure how to tackle the user side.
Originally the app had some sort of Facebook integration, but this broke a few years ago when Facebook changed their side. The current users table has Facebook IDs for some users, but no other Facebook data (some users have also set email addresses and local passwords too).
I have a basic install of django-allauth with the Facebook integration set up and working, so can I import all of the users somehow? Those with the local alternative login-credentials (whether with a Facebook ID or not) are probably more important than the ones that only have a Facebook ID, so should I just use the standard Django create user methods and let users re-enable their own Facebook integration at a later time?